100 OS 22092 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"19B7F2D6-1610-11D3-BF30-1AF820524153"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*19B7F2D6-1610-11D3-BF30-1AF820524153\s*}?\s*\1/si"; metadata:policy security-ips drop; classtype:attempted-user; 10013 WEB-ACTIVEX CCRP FolderTreeView ActiveX clsid access ccrp.mvps.org/index.html?controls/ccrpftv6.htm 22092 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|9|00|B|00|7|00|F|00|2|00|D|00|6|00|-|00|1|00|6|00|1|00|0|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|F|00|3|00|0|00|-|00|1|00|A|00|F|00|8|00|2|00|0|00|5|00|2|00|4|00|1|00|5|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x009\x00B\x007\x00F\x002\x00D\x006\x00-\x001\x006\x001\x000\x00-\x001\x001\x00D\x003\x00-\x00B\x00F\x003\x000\x00-\x001\x00A\x00F\x008\x002\x000\x005\x002\x004\x001\x005\x003\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 10014 WEB-ACTIVEX CCRP FolderTreeView ActiveX clsid unicode access ccrp.mvps.org/index.html?controls/ccrpftv6.htm 22026 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"EC4CF635-D196-11CE-9027-02608C4BF3B5"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*id\s*=((\x22|\x27)([^\2]*)\2)\s*classid\s*=\s*(\x22|\x27|)clsid\s*\x3a\s*{?\s*EC4CF635-D196-11CE-9027-02608C4BF3B5\s*}?\4.*\3\.(UpdateRecord)\(|<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EC4CF635-D196-11CE-9027-02608C4BF3B5\s*}?\s*\6\s*id\s*=\s*((\x22|\x27)([^\8]*)\8).*\9\.(UpdateRecord)\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 10015 WEB-ACTIVEX Oracle ORADC ActiveX clsid access 22026 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|C|00|4|00|C|00|F|00|6|00|3|00|5|00|-|00|D|00|1|00|9|00|6|00|-|00|1|00|1|00|C|00|E|00|-|00|9|00|0|00|2|00|7|00|-|00|0|00|2|00|6|00|0|00|8|00|C|00|4|00|B|00|F|00|3|00|B|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x00C\x004\x00C\x00F\x006\x003\x005\x00-\x00D\x001\x009\x006\x00-\x001\x001\x00C\x00E\x00-\x009\x000\x002\x007\x00-\x000\x002\x006\x000\x008\x00C\x004\x00B\x00F\x003\x00B\x005\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 10016 WEB-ACTIVEX Oracle ORADC ActiveX clsid unicode access 22026 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ORADC.ORADCCtrl"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22ORADC.ORADCCtrl\x22|\x27ORADC.ORADCCtrl\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(UpdateRecord)\s*\(|.*\3\s*\.\s*(UpdateRecord)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ORADC.ORADCCtrl\x22|\x27ORADC.ORADCCtrl\x27)\s*\)(\s*\.\s*(UpdateRecord)\s*\(|.*\7\s*\.\s*(UpdateRecord)\s*\()/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10017 WEB-ACTIVEX Oracle ORADC ActiveX function call access protocol-command-decode 2006-6917 tcp $EXTERNAL_NET any -> $HOME_NET 6502 flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:38; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service dcerpc; classtype:protocol-command-decode; 10018 NETBIOS DCERPC NCACN-IP-TCP brightstor-arc ReserveGroup attempt www.lssec.com/advisories/LS-20061001.pdf 22005 attempted-admin 2007-0169 tcp $EXTERNAL_NET any -> $HOME_NET [6503,6504] flow:established,to_server; dce_iface:506B1890-14C8-11D1-BBC3-00805FA6962E; dce_opnum:117; dce_stub_data; byte_test:4,>,119,0,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service dcerpc; classtype:attempted-admin; 10050 NETBIOS DCERPC NCACN-IP-TCP brightstor-arc2 ASDBLoginToComputer overflow attempt www.kb.cert.org/vuls/id/180336 33469 attempted-user 2007-0018 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"77829F14-D911-40FF-A2F0-D11DB8D6D0BC"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m13>\x22|\x27|)(?P<id1>.+?)(?P=m13)(\s|>)[^>]*\s*classid\s*=\s*(?P<q27>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*77829F14-D911-40FF-A2F0-D11DB8D6D0BC\s*}?\s*(?P=q27)(\s|>).*(?P=id1)\s*\.\s*(SetFormatLikeSample|CreateFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q28>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*77829F14-D911-40FF-A2F0-D11DB8D6D0BC\s*}?\s*(?P=q28)(\s|>)[^>]*\s*id\s*=\s*(?P<m14>\x22|\x27|)(?P<id2>.+?)(?P=m14)(\s|>).*(?P=id2)\.(SetFormatLikeSample|CreateFile))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 10084 WEB-ACTIVEX NCTAudioFile2 ActiveX clsid access www.kb.cert.org/vuls/id/292713 33469 attempted-user 2007-0018 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|7|00|8|00|2|00|9|00|F|00|1|00|4|00|-|00|D|00|9|00|1|00|1|00|-|00|4|00|0|00|F|00|F|00|-|00|A|00|2|00|F|00|0|00|-|00|D|00|1|00|1|00|D|00|B|00|8|00|D|00|6|00|D|00|0|00|B|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q29>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x007\x008\x002\x009\x00F\x001\x004\x00-\x00D\x009\x001\x001\x00-\x004\x000\x00F\x00F\x00-\x00A\x002\x00F\x000\x00-\x00D\x001\x001\x00D\x00B\x008\x00D\x006\x00D\x000\x00B\x00C\x00(}\x00)?(?P=q29)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 10085 WEB-ACTIVEX NCTAudioFile2 ActiveX clsid unicode access www.kb.cert.org/vuls/id/292713 33469 attempted-user 2007-0018 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"NCTAudioFile2.AudioFile"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22NCTAudioFile2\.AudioFile(\.\d)?\x22|\x27NCTAudioFile2\.AudioFile(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SetFormatLikeSample|CreateFile)\s*|.*(?P=v)\s*\.\s*(SetFormatLikeSample|CreateFile)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NCTAudioFile2\.AudioFile(\.\d)?\x22|\x27NCTAudioFile2\.AudioFile(\.\d)?\x27)\s*\)(\s*\.\s*(SetFormatLikeSample|CreateFile)\s*|.*(?P=n)\s*\.\s*(SetFormatLikeSample|CreateFile)\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 10086 WEB-ACTIVEX NCTAudioFile2 ActiveX function call access www.kb.cert.org/vuls/id/292713 21992 web-application-attack 2006-4071 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,wmf.download; content:"|FC 02|"; pcre:"/\xFC\x02[\x08\x06]\x00.{4}(?!\x00\x00)/s"; metadata:policy security-ips drop; classtype:web-application-attack; 10115 WEB-CLIENT Microsoft WMF denial of service attempt 22446 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"66F50F46-70A0-4A05-BD5E-FBCC0F9641EC"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*id\s*=((\x22|\x27)([^\2]*)\2)\s*classid\s*=\s*(\x22|\x27|)clsid\s*\x3a\s*{?\s*66F50F46-70A0-4A05-BD5E-FBCC0F9641EC\s*}?\4.*\3\.(remove)\(|<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*66F50F46-70A0-4A05-BD5E-FBCC0F9641EC\s*}?\s*\6\s*id\s*=\s*((\x22|\x27)([^\8]*)\8).*\9\.(remove)\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 10128 WEB-ACTIVEX Aliplay ActiveX clsid access 22446 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|6|00|F|00|5|00|0|00|F|00|4|00|6|00|-|00|7|00|0|00|A|00|0|00|-|00|4|00|A|00|0|00|5|00|-|00|B|00|D|00|5|00|E|00|-|00|F|00|B|00|C|00|C|00|0|00|F|00|9|00|6|00|4|00|1|00|E|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x006\x00F\x005\x000\x00F\x004\x006\x00-\x007\x000\x00A\x000\x00-\x004\x00A\x000\x005\x00-\x00B\x00D\x005\x00E\x00-\x00F\x00B\x00C\x00C\x000\x00F\x009\x006\x004\x001\x00E\x00C\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 10129 WEB-ACTIVEX Aliplay ActiveX clsid unicode access attempted-user 2006-4697 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6E3197A3-BBC3-11D4-84C0-00C04F7A06E5"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6E3197A3-BBC3-11D4-84C0-00C04F7A06E5\s*}?\s*\1/si"; metadata:policy security-ips drop; classtype:attempted-user; 10137 WEB-ACTIVEX Microsoft Input Method Editor ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-016.mspx attempted-user 2006-4697 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|E|00|3|00|1|00|9|00|7|00|A|00|3|00|-|00|B|00|B|00|C|00|3|00|-|00|1|00|1|00|D|00|4|00|-|00|8|00|4|00|C|00|0|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|A|00|0|00|6|00|E|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x00E\x003\x001\x009\x007\x00A\x003\x00-\x00B\x00B\x00C\x003\x00-\x001\x001\x00D\x004\x00-\x008\x004\x00C\x000\x00-\x000\x000\x00C\x000\x004\x00F\x007\x00A\x000\x006\x00E\x005\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 10138 WEB-ACTIVEX Microsoft Input Method Editor ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-016.mspx attempted-user 2006-4697 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"IMESingleKanjiDict.8.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22IMESingleKanjiDict.8.1\x22|\x27IMESingleKanjiDict.8.1\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22IMESingleKanjiDict.8.1\x22|\x27IMESingleKanjiDict.8.1\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10139 WEB-ACTIVEX Microsoft Input Method Editor ActiveX function call access www.microsoft.com/technet/security/bulletin/MS07-016.mspx attempted-user 2006-4697 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DA56F851-D3C5-11D3-844C-00C04F7A06E5"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DA56F851-D3C5-11D3-844C-00C04F7A06E5\s*}?\s*\1/si"; metadata:policy security-ips drop; classtype:attempted-user; 10140 WEB-ACTIVEX Microsoft Input Method Editor 2 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-016.mspx attempted-user 2006-4697 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|A|00|5|00|6|00|F|00|8|00|5|00|1|00|-|00|D|00|3|00|C|00|5|00|-|00|1|00|1|00|D|00|3|00|-|00|8|00|4|00|4|00|C|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|A|00|0|00|6|00|E|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00A\x005\x006\x00F\x008\x005\x001\x00-\x00D\x003\x00C\x005\x00-\x001\x001\x00D\x003\x00-\x008\x004\x004\x00C\x00-\x000\x000\x00C\x000\x004\x00F\x007\x00A\x000\x006\x00E\x005\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 10141 WEB-ACTIVEX Microsoft Input Method Editor 2 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-016.mspx attempted-user 2007-0219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"75C11604-5C51-48B2-B786-DF5E51D10EC9"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*75C11604-5C51-48B2-B786-DF5E51D10EC9\s*}?\s*\1/si"; metadata:policy security-ips drop; classtype:attempted-user; 10142 WEB-ACTIVEX LexRefBilingualTextContext ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-016.mspx attempted-user 2007-0219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|5|00|C|00|1|00|1|00|6|00|0|00|4|00|-|00|5|00|C|00|5|00|1|00|-|00|4|00|8|00|B|00|2|00|-|00|B|00|7|00|8|00|6|00|-|00|D|00|F|00|5|00|E|00|5|00|1|00|D|00|1|00|0|00|E|00|C|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x005\x00C\x001\x001\x006\x000\x004\x00-\x005\x00C\x005\x001\x00-\x004\x008\x00B\x002\x00-\x00B\x007\x008\x006\x00-\x00D\x00F\x005\x00E\x005\x001\x00D\x001\x000\x00E\x00C\x009\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 10143 WEB-ACTIVEX LexRefBilingualTextContext ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-016.mspx attempted-user 2007-0219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"LR.LexRefBilingualTextContext.1.0.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22LR.LexRefBilingualTextContext.1.0.1\x22|\x27LR.LexRefBilingualTextContext.1.0.1\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LR.LexRefBilingualTextContext.1.0.1\x22|\x27LR.LexRefBilingualTextContext.1.0.1\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10144 WEB-ACTIVEX LexRefBilingualTextContext ActiveX function call access www.microsoft.com/technet/security/bulletin/MS07-016.mspx attempted-user 2007-0219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8422DAE3-9929-11CF-B8D3-004033373DA8"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8422DAE3-9929-11CF-B8D3-004033373DA8\s*}?\s*\1/si"; metadata:policy security-ips drop; classtype:attempted-user; 10145 WEB-ACTIVEX HTML Inline Sound Control ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-016.mspx attempted-user 2007-0219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|4|00|2|00|2|00|D|00|A|00|E|00|3|00|-|00|9|00|9|00|2|00|9|00|-|00|1|00|1|00|C|00|F|00|-|00|B|00|8|00|D|00|3|00|-|00|0|00|0|00|4|00|0|00|3|00|3|00|3|00|7|00|3|00|D|00|A|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x004\x002\x002\x00D\x00A\x00E\x003\x00-\x009\x009\x002\x009\x00-\x001\x001\x00C\x00F\x00-\x00B\x008\x00D\x003\x00-\x000\x000\x004\x000\x003\x003\x003\x007\x003\x00D\x00A\x008\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 10146 WEB-ACTIVEX HTML Inline Sound Control ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-016.mspx attempted-user 2007-0219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"HTMLInlineSoundCtl.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22HTMLInlineSoundCtl.1\x22|\x27HTMLInlineSoundCtl.1\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HTMLInlineSoundCtl.1\x22|\x27HTMLInlineSoundCtl.1\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10147 WEB-ACTIVEX HTML Inline Sound Control ActiveX function call access www.microsoft.com/technet/security/bulletin/MS07-016.mspx attempted-user 2007-0219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8422DAE7-9929-11CF-B8D3-004033373DA8"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8422DAE7-9929-11CF-B8D3-004033373DA8\s*}?\s*\1/si"; metadata:policy security-ips drop; classtype:attempted-user; 10148 WEB-ACTIVEX HTML Inline Movie Control ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-016.mspx attempted-user 2007-0219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|4|00|2|00|2|00|D|00|A|00|E|00|7|00|-|00|9|00|9|00|2|00|9|00|-|00|1|00|1|00|C|00|F|00|-|00|B|00|8|00|D|00|3|00|-|00|0|00|0|00|4|00|0|00|3|00|3|00|3|00|7|00|3|00|D|00|A|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x004\x002\x002\x00D\x00A\x00E\x007\x00-\x009\x009\x002\x009\x00-\x001\x001\x00C\x00F\x00-\x00B\x008\x00D\x003\x00-\x000\x000\x004\x000\x003\x003\x003\x007\x003\x00D\x00A\x008\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 10149 WEB-ACTIVEX HTML Inline Movie Control ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-016.mspx attempted-user 2007-0219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"HTMLInlineVideoCtl.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22HTMLInlineVideoCtl.1\x22|\x27HTMLInlineVideoCtl.1\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HTMLInlineVideoCtl.1\x22|\x27HTMLInlineVideoCtl.1\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10150 WEB-ACTIVEX HTML Inline Movie Control ActiveX function call access www.microsoft.com/technet/security/bulletin/MS07-016.mspx attempted-user 2007-0219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"261F6572-578B-40A7-B72E-61B7261D9F0C"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*261F6572-578B-40A7-B72E-61B7261D9F0C\s*}?\s*\1/si"; metadata:policy security-ips drop; classtype:attempted-user; 10151 WEB-ACTIVEX BlnSetUser Proxy ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-016.mspx attempted-user 2007-0219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|6|00|1|00|F|00|6|00|5|00|7|00|2|00|-|00|5|00|7|00|8|00|B|00|-|00|4|00|0|00|A|00|7|00|-|00|B|00|7|00|2|00|E|00|-|00|6|00|1|00|B|00|7|00|2|00|6|00|1|00|D|00|9|00|F|00|0|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x006\x001\x00F\x006\x005\x007\x002\x00-\x005\x007\x008\x00B\x00-\x004\x000\x00A\x007\x00-\x00B\x007\x002\x00E\x00-\x006\x001\x00B\x007\x002\x006\x001\x00D\x009\x00F\x000\x00C\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 10152 WEB-ACTIVEX BlnSetUser Proxy ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-016.mspx attempted-user 2007-0219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BlnMgrPs.BlnSetUserPs.11"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22BlnMgrPs.BlnSetUserPs.11\x22|\x27BlnMgrPs.BlnSetUserPs.11\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BlnMgrPs.BlnSetUserPs.11\x22|\x27BlnMgrPs.BlnSetUserPs.11\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10153 WEB-ACTIVEX BlnSetUser Proxy ActiveX function call access www.microsoft.com/technet/security/bulletin/MS07-016.mspx attempted-user 2007-0219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E56CCB42-598C-462D-9AD8-4FD5B4498C5D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E56CCB42-598C-462D-9AD8-4FD5B4498C5D\s*}?\s*\1/si"; metadata:policy security-ips drop; classtype:attempted-user; 10154 WEB-ACTIVEX BlnSetUser Proxy 2 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-016.mspx attempted-user 2007-0219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|5|00|6|00|C|00|C|00|B|00|4|00|2|00|-|00|5|00|9|00|8|00|C|00|-|00|4|00|6|00|2|00|D|00|-|00|9|00|A|00|D|00|8|00|-|00|4|00|F|00|D|00|5|00|B|00|4|00|4|00|9|00|8|00|C|00|5|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x005\x006\x00C\x00C\x00B\x004\x002\x00-\x005\x009\x008\x00C\x00-\x004\x006\x002\x00D\x00-\x009\x00A\x00D\x008\x00-\x004\x00F\x00D\x005\x00B\x004\x004\x009\x008\x00C\x005\x00D\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 10155 WEB-ACTIVEX BlnSetUser Proxy 2 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-016.mspx 22558 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"894A633E-F261-28BD-96F3-380EBEE1BADE"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*894A633E-F261-28BD-96F3-380EBEE1BADE\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 10156 WEB-ACTIVEX ActiveX Soft DVD Tools ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-04-bonus-actsoft-dvd-tools.html 22558 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|9|00|4|00|A|00|6|00|3|00|3|00|E|00|-|00|F|00|2|00|6|00|1|00|-|00|2|00|8|00|B|00|D|00|-|00|9|00|6|00|F|00|3|00|-|00|3|00|8|00|0|00|E|00|B|00|E|00|E|00|1|00|B|00|A|00|D|00|E|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 10157 WEB-ACTIVEX ActiveX Soft DVD Tools ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-04-bonus-actsoft-dvd-tools.html 22110 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"19E6E148-BAEC-11D2-B03A-EAFC20524153"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*19E6E148-BAEC-11D2-B03A-EAFC20524153\s*}?\s*\1/si"; metadata:policy security-ips drop; classtype:attempted-user; 10162 WEB-ACTIVEX BrowseDialog ActiveX clsid access 22110 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|9|00|E|00|6|00|E|00|1|00|4|00|8|00|-|00|B|00|A|00|E|00|C|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|0|00|3|00|A|00|-|00|E|00|A|00|F|00|C|00|2|00|0|00|5|00|2|00|4|00|1|00|5|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x009\x00E\x006\x00E\x001\x004\x008\x00-\x00B\x00A\x00E\x00C\x00-\x001\x001\x00D\x002\x00-\x00B\x000\x003\x00A\x00-\x00E\x00A\x00F\x00C\x002\x000\x005\x002\x004\x001\x005\x003\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 10163 WEB-ACTIVEX BrowseDialog ActiveX clsid unicode access 22676 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"08F04139-8DFC-11D2-80E9-006008B066EE"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*08F04139-8DFC-11D2-80E9-006008B066EE\s*}?\s*\1/si"; metadata:policy security-ips drop; classtype:attempted-user; 10170 WEB-ACTIVEX Verisign ConfigCHK ActiveX clsid access 22676 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|8|00|F|00|0|00|4|00|1|00|3|00|9|00|-|00|8|00|D|00|F|00|C|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|0|00|E|00|9|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|B|00|0|00|6|00|6|00|E|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x008\x00F\x000\x004\x001\x003\x009\x00-\x008\x00D\x00F\x00C\x00-\x001\x001\x00D\x002\x00-\x008\x000\x00E\x009\x00-\x000\x000\x006\x000\x000\x008\x00B\x000\x006\x006\x00E\x00E\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 10171 WEB-ACTIVEX Verisign ConfigCHK ActiveX clsid unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"60664CAF-AF0D-0004-A300-5C7D25FF22A0"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*60664CAF-AF0D-0004-A300-5C7D25FF22A0\s*}?\s*\1/si"; metadata:policy security-ips drop; classtype:attempted-user; 10176 WEB-ACTIVEX Windows Shell User Enumeration Object ActiveX clsid access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|0|00|6|00|6|00|4|00|C|00|A|00|F|00|-|00|A|00|F|00|0|00|D|00|-|00|0|00|0|00|0|00|4|00|-|00|A|00|3|00|0|00|0|00|-|00|5|00|C|00|7|00|D|00|2|00|5|00|F|00|F|00|2|00|2|00|A|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x000\x006\x006\x004\x00C\x00A\x00F\x00-\x00A\x00F\x000\x00D\x00-\x000\x000\x000\x004\x00-\x00A\x003\x000\x000\x00-\x005\x00C\x007\x00D\x002\x005\x00F\x00F\x002\x002\x00A\x000\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 10177 WEB-ACTIVEX Windows Shell User Enumeration Object ActiveX clsid unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Shell.Users.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22Shell\.Users\.1\x22|\x27Shell\.Users\.1\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Shell\.Users\.1\x22|\x27Shell\.Users\.1\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10178 WEB-ACTIVEX Windows Shell User Enumeration Object ActiveX function call access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"67DABFBF-D0AB-41fa-9C46-CC0F21721616"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*id\s*=((\x22|\x27)([^\2]*)\2)\s*classid\s*=\s*(\x22|\x27|)clsid\s*\x3a\s*{?\s*67DABFBF-D0AB-41fa-9C46-CC0F21721616\s*}?\4.*\3\.(Resize)\(|<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*67DABFBF-D0AB-41fa-9C46-CC0F21721616\s*}?\s*\6\s*id\s*=\s*((\x22|\x27)([^\8]*)\8).*\9\.(Resize)\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 10189 WEB-ACTIVEX DivXBrowserPlugin ActiveX clsid access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|7|00|D|00|A|00|B|00|F|00|B|00|F|00|-|00|D|00|0|00|A|00|B|00|-|00|4|00|1|00|f|00|a|00|-|00|9|00|C|00|4|00|6|00|-|00|C|00|C|00|0|00|F|00|2|00|1|00|7|00|2|00|1|00|6|00|1|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x007\x00D\x00A\x00B\x00F\x00B\x00F\x00-\x00D\x000\x00A\x00B\x00-\x004\x001\x00f\x00a\x00-\x009\x00C\x004\x006\x00-\x00C\x00C\x000\x00F\x002\x001\x007\x002\x001\x006\x001\x006\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 10190 WEB-ACTIVEX DivXBrowserPlugin ActiveX clsid unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"npdivx.DivXBrowserPlugin"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22npdivx\.DivXBrowserPlugin\x22|\x27npdivx\.DivXBrowserPlugin\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(Resize)\s*\(|.*\3\s*\.\s*(Resize)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22npdivx\.DivXBrowserPlugin\x22|\x27npdivx\.DivXBrowserPlugin\x27)\s*\)(\s*\.\s*(Resize)\s*\(|.*\7\s*\.\s*(Resize)\s*\()/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10191 WEB-ACTIVEX DivXBrowserPlugin ActiveX function call access 22842 attempted-user 2006-6885 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"233C1507-6A77-46A4-9443-F871F945D258"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*233C1507-6A77-46A4-9443-F871F945D258\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(BGCOLOR|SRC|AutoStart|Sound|DrawLogo|DrawPress)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*233C1507-6A77-46A4-9443-F871F945D258\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(BGCOLOR|SRC|AutoStart|Sound|DrawLogo|DrawPress))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 10214 WEB-ACTIVEX Shockwave ActiveX Control ActiveX clsid access 22842 attempted-user 2006-6885 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|3|00|3|00|C|00|1|00|5|00|0|00|7|00|-|00|6|00|A|00|7|00|7|00|-|00|4|00|6|00|A|00|4|00|-|00|9|00|4|00|4|00|3|00|-|00|F|00|8|00|7|00|1|00|F|00|9|00|4|00|5|00|D|00|2|00|5|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x003\x003\x00C\x001\x005\x000\x007\x00-\x006\x00A\x007\x007\x00-\x004\x006\x00A\x004\x00-\x009\x004\x004\x003\x00-\x00F\x008\x007\x001\x00F\x009\x004\x005\x00D\x002\x005\x008\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 10215 WEB-ACTIVEX Shockwave ActiveX Control ActiveX clsid unicode access 22842 attempted-user 2006-6885 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"SWCtl.SWCtl"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22SWCtl\.SWCtl(\.\d)?\x22|\x27SWCtl\.SWCtl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(BGCOLOR|SRC|AutoStart|Sound|DrawLogo|DrawPress)\s*|.*(?P=v)\s*\.\s*(BGCOLOR|SRC|AutoStart|Sound|DrawLogo|DrawPress)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SWCtl\.SWCtl(\.\d)?\x22|\x27SWCtl\.SWCtl(\.\d)?\x27)\s*\)(\s*\.\s*(BGCOLOR|SRC|AutoStart|Sound|DrawLogo|DrawPress)\s*|.*(?P=n)\s*\.\s*(BGCOLOR|SRC|AutoStart|Sound|DrawLogo|DrawPress)\s*)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 10216 WEB-ACTIVEX Shockwave ActiveX Control ActiveX function call access 22952 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4124FDF6-B540-44C5-96B4-A380CEE9826A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*id\s*=((\x22|\x27)([^\2]*)\2)\s*classid\s*=\s*(\x22|\x27|)clsid\s*\x3a\s*{?\s*4124FDF6-B540-44C5-96B4-A380CEE9826A\s*}?\4.*\3\.(ExportSiteList|VerifyPackageCatalog)\(|<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4124FDF6-B540-44C5-96B4-A380CEE9826A\s*}?\s*\6\s*id\s*=\s*((\x22|\x27)([^\8]*)\8).*\9\.(ExportSiteList|VerifyPackageCatalog)\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 10387 WEB-ACTIVEX McAfee ePolicy Orchestrator ActiveX clsid access knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612496 22952 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|1|00|2|00|4|00|F|00|D|00|F|00|6|00|-|00|B|00|5|00|4|00|0|00|-|00|4|00|4|00|C|00|5|00|-|00|9|00|6|00|B|00|4|00|-|00|A|00|3|00|8|00|0|00|C|00|E|00|E|00|9|00|8|00|2|00|6|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x001\x002\x004\x00F\x00D\x00F\x006\x00-\x00B\x005\x004\x000\x00-\x004\x004\x00C\x005\x00-\x009\x006\x00B\x004\x00-\x00A\x003\x008\x000\x00C\x00E\x00E\x009\x008\x002\x006\x00A\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 10388 WEB-ACTIVEX McAfee ePolicy Orchestrator ActiveX clsid unicode access knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612496 22952 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"SiteManager.SiteMgr.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22SiteManager\.SiteMgr\.1\x22|\x27SiteManager\.SiteMgr\.1\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(ExportSiteList|VerifyPackageCatalog)\s*\(|.*\3\s*\.\s*(ExportSiteList|VerifyPackageCatalog)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SiteManager\.SiteMgr\.1\x22|\x27SiteManager\.SiteMgr\.1\x27)\s*\)(\s*\.\s*(ExportSiteList|VerifyPackageCatalog)\s*\(|.*\7\s*\.\s*(ExportSiteList|VerifyPackageCatalog)\s*\()/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10389 WEB-ACTIVEX McAfee ePolicy Orchestrator ActiveX function call access knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612496 22564 attempted-user 2006-6490 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"44990200-3c9d-426d-81df-aab636fa4345"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*id\s*=((\x22|\x27)([^\2]*)\2)\s*classid\s*=\s*(\x22|\x27|)clsid\s*\x3a\s*{?\s*44990200-3c9d-426d-81df-aab636fa4345\s*}?\4.*\3\.(EnableExtension)\(|<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*44990200-3c9d-426d-81df-aab636fa4345\s*}?\s*\6\s*id\s*=\s*((\x22|\x27)([^\8]*)\8).*\9\.(EnableExtension)\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 10390 WEB-ACTIVEX Symantec Support Controls SmartIssue ActiveX clsid access securityresponse.symantec.com/avcenter/security/Content/2007.02.22.html 22564 attempted-user 2006-6490 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|4|00|9|00|9|00|0|00|2|00|0|00|0|00|-|00|3|00|c|00|9|00|d|00|-|00|4|00|2|00|6|00|d|00|-|00|8|00|1|00|d|00|f|00|-|00|a|00|a|00|b|00|6|00|3|00|6|00|f|00|a|00|4|00|3|00|4|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x004\x009\x009\x000\x002\x000\x000\x00-\x003\x00c\x009\x00d\x00-\x004\x002\x006\x00d\x00-\x008\x001\x00d\x00f\x00-\x00a\x00a\x00b\x006\x003\x006\x00f\x00a\x004\x003\x004\x005\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 10391 WEB-ACTIVEX Symantec Support Controls SmartIssue ActiveX clsid unicode access securityresponse.symantec.com/avcenter/security/Content/2007.02.22.html 22564 attempted-user 2006-6490 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"SYMC.SmartIssue"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22SYMC\.SmartIssue\x22|\x27SYMC\.SmartIssue\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(EnableExtension)\s*\(|.*\3\s*\.\s*(EnableExtension)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SYMC\.SmartIssue\x22|\x27SYMC\.SmartIssue\x27)\s*\)(\s*\.\s*(EnableExtension)\s*\(|.*\7\s*\.\s*(EnableExtension)\s*\()/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10392 WEB-ACTIVEX Symantec Support Controls SmartIssue ActiveX function call access securityresponse.symantec.com/avcenter/security/Content/2007.02.22.html attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"EC5D5118-9FDE-4A3E-84F3-C2B711740E70"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*id\s*=((\x22|\x27)([^\2]*)\2)\s*classid\s*=\s*(\x22|\x27|)clsid\s*\x3a\s*{?\s*EC5D5118-9FDE-4A3E-84F3-C2B711740E70\s*}?\4.*\3\.(DownloadCertificateExt)\(|<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EC5D5118-9FDE-4A3E-84F3-C2B711740E70\s*}?\s*\6\s*id\s*=\s*((\x22|\x27)([^\8]*)\8).*\9\.(DownloadCertificateExt)\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 10404 WEB-ACTIVEX SignKorea SKCommAX ActiveX clsid access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|C|00|5|00|D|00|5|00|1|00|1|00|8|00|-|00|9|00|F|00|D|00|E|00|-|00|4|00|A|00|3|00|E|00|-|00|8|00|4|00|F|00|3|00|-|00|C|00|2|00|B|00|7|00|1|00|1|00|7|00|4|00|0|00|E|00|7|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x00C\x005\x00D\x005\x001\x001\x008\x00-\x009\x00F\x00D\x00E\x00-\x004\x00A\x003\x00E\x00-\x008\x004\x00F\x003\x00-\x00C\x002\x00B\x007\x001\x001\x007\x004\x000\x00E\x007\x000\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 10405 WEB-ACTIVEX SignKorea SKCommAX ActiveX clsid unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"SKCommAX"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22SKCommAX\x22|\x27SKCommAX\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(DownloadCertificateExt)\s*\(|.*\3\s*\.\s*(DownloadCertificateExt)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SKCommAX\x22|\x27SKCommAX\x27)\s*\)(\s*\.\s*(DownloadCertificateExt)\s*\(|.*\7\s*\.\s*(DownloadCertificateExt)\s*\()/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10406 WEB-ACTIVEX SignKorea SKCommAX ActiveX function call access 23201 attempted-user 2007-1784 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0B9C9C7D-ED81-4594-AFCB-FC5588125382"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*id\s*=((\x22|\x27)([^\2]*)\2)\s*classid\s*=\s*(\x22|\x27|)clsid\s*\x3a\s*{?\s*0B9C9C7D-ED81-4594-AFCB-FC5588125382\s*}?\4.*\3\.(LoadLibrary)\(|<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0B9C9C7D-ED81-4594-AFCB-FC5588125382\s*}?\s*\6\s*id\s*=\s*((\x22|\x27)([^\8]*)\8).*\9\.(LoadLibrary)\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 10412 WEB-ACTIVEX IBM Lotus SameTime STJNILoader Alt CLSID ActiveX clsid access www.securityfocus.com/archive/1/464185 23201 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|B|00|9|00|C|00|9|00|C|00|7|00|D|00|-|00|E|00|D|00|8|00|1|00|-|00|4|00|5|00|9|00|4|00|-|00|A|00|F|00|C|00|B|00|-|00|F|00|C|00|5|00|5|00|8|00|8|00|1|00|2|00|5|00|3|00|8|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00B\x009\x00C\x009\x00C\x007\x00D\x00-\x00E\x00D\x008\x001\x00-\x004\x005\x009\x004\x00-\x00A\x00F\x00C\x00B\x00-\x00F\x00C\x005\x005\x008\x008\x001\x002\x005\x003\x008\x002\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 10413 WEB-ACTIVEX IBM Lotus SameTime STJNILoader Alt CLSID ActiveX clsid unicode access www.securityfocus.com/archive/1/464185 23201 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"JNILOADER.JNILoaderCtrl"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22JNILOADER\.JNILoaderCtrl\x22|\x27JNILOADER\.JNILoaderCtrl\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(LoadLibrary)\s*\(|.*\3\s*\.\s*(LoadLibrary)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22JNILOADER\.JNILoaderCtrl\x22|\x27JNILOADER\.JNILoaderCtrl\x27)\s*\)(\s*\.\s*(LoadLibrary)\s*\(|.*\7\s*\.\s*(LoadLibrary)\s*\()/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10414 WEB-ACTIVEX IBM Lotus SameTime STJNILoader Alt CLSID ActiveX function call access www.securityfocus.com/archive/1/464185 23201 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7261EE42-318E-490A-AE8F-77649DBA1ECA"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*id\s*=((\x22|\x27)([^\2]*)\2)\s*classid\s*=\s*(\x22|\x27|)clsid\s*\x3a\s*{?\s*7261EE42-318E-490A-AE8F-77649DBA1ECA\s*}?\4.*\3\.(LoadLibrary)\(|<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7261EE42-318E-490A-AE8F-77649DBA1ECA\s*}?\s*\6\s*id\s*=\s*((\x22|\x27)([^\8]*)\8).*\9\.(LoadLibrary)\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 10415 WEB-ACTIVEX IBM Lotus SameTime STJNILoader ActiveX clsid access www.securityfocus.com/archive/1/464185 23201 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|2|00|6|00|1|00|E|00|E|00|4|00|2|00|-|00|3|00|1|00|8|00|E|00|-|00|4|00|9|00|0|00|A|00|-|00|A|00|E|00|8|00|F|00|-|00|7|00|7|00|6|00|4|00|9|00|D|00|B|00|A|00|1|00|E|00|C|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x002\x006\x001\x00E\x00E\x004\x002\x00-\x003\x001\x008\x00E\x00-\x004\x009\x000\x00A\x00-\x00A\x00E\x008\x00F\x00-\x007\x007\x006\x004\x009\x00D\x00B\x00A\x001\x00E\x00C\x00A\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 10416 WEB-ACTIVEX IBM Lotus SameTime STJNILoader ActiveX clsid unicode access www.securityfocus.com/archive/1/464185 23201 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"JNILOADER.JNILoaderCtrl"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22JNILOADER\.JNILoaderCtrl\x22|\x27JNILOADER\.JNILoaderCtrl\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(LoadLibrary)\s*\(|.*\3\s*\.\s*(LoadLibrary)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22JNILOADER\.JNILoaderCtrl\x22|\x27JNILOADER\.JNILoaderCtrl\x27)\s*\)(\s*\.\s*(LoadLibrary)\s*\(|.*\7\s*\.\s*(LoadLibrary)\s*\()/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10417 WEB-ACTIVEX IBM Lotus SameTime STJNILoader ActiveX function call access www.securityfocus.com/archive/1/464185 23239 attempted-user 2007-1819 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"98C53984-8BF8-4D11-9B1C-C324FCA9CADE"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*98C53984-8BF8-4D11-9B1C-C324FCA9CADE\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ProgColor)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*98C53984-8BF8-4D11-9B1C-C324FCA9CADE\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(ProgColor))\s*=/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 10419 WEB-ACTIVEX HP Mercury Quality Center SPIDERLib ActiveX clsid access h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00901872 23239 attempted-user 2007-1819 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|8|00|C|00|5|00|3|00|9|00|8|00|4|00|-|00|8|00|B|00|F|00|8|00|-|00|4|00|D|00|1|00|1|00|-|00|9|00|B|00|1|00|C|00|-|00|C|00|3|00|2|00|4|00|F|00|C|00|A|00|9|00|C|00|A|00|D|00|E|00|"; nocase; content:"P|00|r|00|o|00|g|00|C|00|o|00|l|00|o|00|r|00|"; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 10420 WEB-ACTIVEX HP Mercury Quality Center SPIDERLib ActiveX clsid unicode access h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00901872 23239 attempted-user 2007-1819 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"SPIDERLib.Loader"; pcre:"/(?P<c>\w+)\s*=\s*(\x22SPIDERLib\.Loader\x22|\x27SPIDERLib\.Loader\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*ProgColor\s*|.*(?P=v)\s*\.\s*ProgColor\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SPIDERLib\.Loader\x22|\x27SPIDERLib\.Loader\x27)\s*\)(\s*\.\s*ProgColor\s*|.*(?P=n)\s*\.\s*ProgColor)\s*=/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 10421 WEB-ACTIVEX HP Mercury Quality Center SPIDERLib ActiveX function call access h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00901872 23239 attempted-user 2007-1819 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"S|00|P|00|I|00|D|00|E|00|R|00|L|00|i|00|b|00|.|00|L|00|o|00|a|00|d|00|e|00|r|00|"; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)S\x00P\x00I\x00D\x00E\x00R\x00L\x00i\x00b\x00.\x00L\x00o\x00a\x00d\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)S\x00P\x00I\x00D\x00E\x00R\x00L\x00i\x00b\x00.\x00L\x00o\x00a\x00d\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 10422 WEB-ACTIVEX HP Mercury Quality Center SPIDERLib ActiveX function call unicode access h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00901872 23291 attempted-user 2007-1680 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2B323CD9-50E3-11D3-9466-00A0C9700498"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2B323CD9-50E3-11D3-9466-00A0C9700498\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(createAndJoinConference)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2B323CD9-50E3-11D3-9466-00A0C9700498\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(createAndJoinConference))\s*\(/Osi"; metadata:policy security-ips drop; classtype:attempted-user; 10423 WEB-ACTIVEX Yahoo Audio Conferencing ActiveX clsid access messenger.yahoo.com/security_update.php?id=031207 23291 attempted-user 2007-1680 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|B|00|3|00|2|00|3|00|C|00|D|00|9|00|-|00|5|00|0|00|E|00|3|00|-|00|1|00|1|00|D|00|3|00|-|00|9|00|4|00|6|00|6|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|7|00|0|00|0|00|4|00|9|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop; classtype:attempted-user; 10424 WEB-ACTIVEX Yahoo Audio Conferencing ActiveX clsid unicode access messenger.yahoo.com/security_update.php?id=031207 23291 attempted-user 2007-1680 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Yahoo.AudioConf"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Yahoo\.AudioConf\x22|\x27Yahoo\.AudioConf\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*createAndJoinConference\s*|.*(?P=v)\s*\.\s*createAndJoinConference\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Yahoo\.AudioConf\x22|\x27Yahoo\.AudioConf\x27)\s*\)(\s*\.\s*createAndJoinConference\s*|.*(?P=n)\s*\.\s*createAndJoinConference\s*)\s*\(/Osmi"; metadata:policy security-ips drop; classtype:attempted-user; 10425 WEB-ACTIVEX Yahoo Audio Conferencing ActiveX function call access messenger.yahoo.com/security_update.php?id=031207 23291 attempted-user 2007-1680 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Y|00|a|00|h|00|o|00|o|00|.|00|A|00|u|00|d|00|i|00|o|00|C|00|o|00|n|00|f|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)Y\x00a\x00h\x00o\x00o\x00.\x00A\x00u\x00d\x00i\x00o\x00C\x00o\x00n\x00f\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)Y\x00a\x00h\x00o\x00o\x00.\x00A\x00u\x00d\x00i\x00o\x00C\x00o\x00n\x00f\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop; classtype:attempted-user; 10426 WEB-ACTIVEX Yahoo Audio Conferencing ActiveX function call unicode access messenger.yahoo.com/security_update.php?id=031207 23325 attempted-user 2007-1112 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BA61606B-258C-4021-AD27-E07A3F3B91DB"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BA61606B-258C-4021-AD27-E07A3F3B91DB\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BA61606B-258C-4021-AD27-E07A3F3B91DB\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading))\s*\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 10427 WEB-ACTIVEX Kaspersky AntiVirus SysInfo ActiveX clsid access www.kaspersky.com/technews?id=203038694 23325 attempted-user 2007-1112 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|A|00|6|00|1|00|6|00|0|00|6|00|B|00|-|00|2|00|5|00|8|00|C|00|-|00|4|00|0|00|2|00|1|00|-|00|A|00|D|00|2|00|7|00|-|00|E|00|0|00|7|00|A|00|3|00|F|00|3|00|B|00|9|00|1|00|D|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 10428 WEB-ACTIVEX Kaspersky AntiVirus SysInfo ActiveX clsid unicode access www.kaspersky.com/technews?id=203038694 23325 attempted-user 2007-1112 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"KL.SysInfo"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22KL\.SysInfo\x22|\x27KL\.SysInfo\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading)\s*|.*(?P=v)\s*\.\s*(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22KL\.SysInfo\x22|\x27KL\.SysInfo\x27)\s*\)(\s*\.\s*(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading)\s*|.*(?P=n)\s*\.\s*(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading)\s*)\s*\(/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10429 WEB-ACTIVEX Kaspersky AntiVirus SysInfo ActiveX function call access www.kaspersky.com/technews?id=203038694 23325 attempted-user 2007-1112 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"K|00|L|00|.|00|S|00|y|00|s|00|I|00|n|00|f|00|o|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q9>\x22|\x27|)K\x00L\x00.\x00S\x00y\x00s\x00I\x00n\x00f\x00o\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q10>\x22|\x27|)K\x00L\x00.\x00S\x00y\x00s\x00I\x00n\x00f\x00o\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10430 WEB-ACTIVEX Kaspersky AntiVirus SysInfo ActiveX function call unicode access www.kaspersky.com/technews?id=203038694 23345 attempted-user 2007-1112 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D9EC22E7-1A86-4F7C-8940-0303AE5D6756"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D9EC22E7-1A86-4F7C-8940-0303AE5D6756\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D9EC22E7-1A86-4F7C-8940-0303AE5D6756\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading))\s*\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 10431 WEB-ACTIVEX Kaspersky AntiVirus KAV60Info ActiveX clsid access www.kaspersky.com/technews?id=203038693 23345 attempted-user 2007-1112 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|9|00|E|00|C|00|2|00|2|00|E|00|7|00|-|00|1|00|A|00|8|00|6|00|-|00|4|00|F|00|7|00|C|00|-|00|8|00|9|00|4|00|0|00|-|00|0|00|3|00|0|00|3|00|A|00|E|00|5|00|D|00|6|00|7|00|5|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 10432 WEB-ACTIVEX Kaspersky AntiVirus KAV60Info ActiveX clsid unicode access www.kaspersky.com/technews?id=203038693 23345 attempted-user 2007-1112 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AxKLProd60.KAV60Info"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22AxKLProd60\.KAV60Info\x22|\x27AxKLProd60\.KAV60Info\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading)\s*|.*(?P=v)\s*\.\s*(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AxKLProd60\.KAV60Info\x22|\x27AxKLProd60\.KAV60Info\x27)\s*\)(\s*\.\s*(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading)\s*|.*(?P=n)\s*\.\s*(DeleteFile|StartBatchUploading|StartStrBatchUploading|StartUploading)\s*)\s*\(/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10433 WEB-ACTIVEX Kaspersky AntiVirus KAV60Info ActiveX function call access www.kaspersky.com/technews?id=203038693 23345 attempted-user 2007-1112 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|x|00|K|00|L|00|P|00|r|00|o|00|d|00|6|00|0|00|.|00|K|00|A|00|V|00|6|00|0|00|I|00|n|00|f|00|o|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)A\x00x\x00K\x00L\x00P\x00r\x00o\x00d\x006\x000\x00.\x00K\x00A\x00V\x006\x000\x00I\x00n\x00f\x00o\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)A\x00x\x00K\x00L\x00P\x00r\x00o\x00d\x006\x000\x00.\x00K\x00A\x00V\x006\x000\x00I\x00n\x00f\x00o\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10434 WEB-ACTIVEX Kaspersky AntiVirus KAV60Info ActiveX function call unicode access www.kaspersky.com/technews?id=203038693 attempted-user 2007-1205 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|g|00|e|00|n|00|t|00|.|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|.|00|1|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q9>\x22|\x27|)A\x00g\x00e\x00n\x00t\x00.\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00.\x001\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q10>\x22|\x27|)A\x00g\x00e\x00n\x00t\x00.\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00.\x001\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10465 WEB-ACTIVEX Microsoft Agent v1.5 ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/MS07-020.mspx 23379 attempted-user 2007-1687 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ef8d9f2a-f641-4ef0-b2ec-3ba2be7c2960"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*ef8d9f2a-f641-4ef0-b2ec-3ba2be7c2960\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 10466 WEB-ACTIVEX iPIX Image Well ActiveX clsid access www.kb.cert.org/vuls/id/958609 23379 attempted-user 2007-1687 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"e|00|f|00|8|00|d|00|9|00|f|00|2|00|a|00|-|00|f|00|6|00|4|00|1|00|-|00|4|00|e|00|f|00|0|00|-|00|b|00|2|00|e|00|c|00|-|00|3|00|b|00|a|00|2|00|b|00|e|00|7|00|c|00|2|00|9|00|6|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 10467 WEB-ACTIVEX iPIX Image Well ActiveX clsid unicode access www.kb.cert.org/vuls/id/958609 23379 attempted-user 2007-1687 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"iPIX.ImageWell"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22iPIX\.ImageWell\x22|\x27iPIX\.ImageWell\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22iPIX\.ImageWell\x22|\x27iPIX\.ImageWell\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10468 WEB-ACTIVEX iPIX Image Well ActiveX function call access www.kb.cert.org/vuls/id/958609 23379 attempted-user 2007-1687 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"iPIX.ImageWell"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22iPIX\.ImageWell\x22|\x27iPIX\.ImageWell\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22iPIX\.ImageWell\x22|\x27iPIX\.ImageWell\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10469 WEB-ACTIVEX iPIX Image Well ActiveX function call access www.kb.cert.org/vuls/id/958609 23379 attempted-user 2007-1687 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"d04a7099-0c25-4fc7-970f-6ec7d77886f3"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q4>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*d04a7099-0c25-4fc7-970f-6ec7d77886f3\s*}?\s*(?P=q4)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 10470 WEB-ACTIVEX iPIX Media Send Class ActiveX clsid access www.kb.cert.org/vuls/id/958609 23379 attempted-user 2007-1687 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"d|00|0|00|4|00|a|00|7|00|0|00|9|00|9|00|-|00|0|00|c|00|2|00|5|00|-|00|4|00|f|00|c|00|7|00|-|00|9|00|7|00|0|00|f|00|-|00|6|00|e|00|c|00|7|00|d|00|7|00|7|00|8|00|8|00|6|00|f|00|3|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q5>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q5)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 10471 WEB-ACTIVEX iPIX Media Send Class ActiveX clsid unicode access www.kb.cert.org/vuls/id/958609 23379 attempted-user 2007-1687 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"iPIX.Rimfire4.1"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22iPIX\.Rimfire4\.1\x22|\x27iPIX\.Rimfire4\.1\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22iPIX\.Rimfire4\.1\x22|\x27iPIX\.Rimfire4\.1\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10472 WEB-ACTIVEX iPIX Media Send Class ActiveX function call access www.kb.cert.org/vuls/id/958609 23379 attempted-user 2007-1687 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"iPIX.Rimfire4.1"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22iPIX\.Rimfire4\.1\x22|\x27iPIX\.Rimfire4\.1\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22iPIX\.Rimfire4\.1\x22|\x27iPIX\.Rimfire4\.1\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10473 WEB-ACTIVEX iPIX Media Send Class ActiveX function call access www.kb.cert.org/vuls/id/958609 23379 attempted-user 2007-1687 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"i|00|P|00|I|00|X|00|.|00|R|00|i|00|m|00|f|00|i|00|r|00|e|00|4|00|.|00|1|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)i\x00P\x00I\x00X\x00.\x00R\x00i\x00m\x00f\x00i\x00r\x00e\x004\x00.\x001\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)i\x00P\x00I\x00X\x00.\x00R\x00i\x00m\x00f\x00i\x00r\x00e\x004\x00.\x001\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10474 WEB-ACTIVEX iPIX Media Send Class ActiveX function call unicode access www.kb.cert.org/vuls/id/958609 23420 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"798B9483-B7A6-46C1-9F17-C9B9F02EA811"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*798B9483-B7A6-46C1-9F17-C9B9F02EA811\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(MaDecodeData)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*798B9483-B7A6-46C1-9F17-C9B9F02EA811\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(MaDecodeData))\s*\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 10476 WEB-ACTIVEX MarkAny MaPrintModule_WORK ActiveX clsid access 23420 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|9|00|8|00|B|00|9|00|4|00|8|00|3|00|-|00|B|00|7|00|A|00|6|00|-|00|4|00|6|00|C|00|1|00|-|00|9|00|F|00|1|00|7|00|-|00|C|00|9|00|B|00|9|00|F|00|0|00|2|00|E|00|A|00|8|00|1|00|1|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 10477 WEB-ACTIVEX MarkAny MaPrintModule_WORK ActiveX clsid unicode access 23420 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"MAPRINTMODULEWORK.MaPrintModuleWORKCtrl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22MAPRINTMODULEWORK\.MaPrintModuleWORKCtrl\x22|\x27MAPRINTMODULEWORK\.MaPrintModuleWORKCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*MaDecodeData\s*|.*(?P=v)\s*\.\s*MaDecodeData\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MAPRINTMODULEWORK\.MaPrintModuleWORKCtrl\x22|\x27MAPRINTMODULEWORK\.MaPrintModuleWORKCtrl\x27)\s*\)(\s*\.\s*MaDecodeData\s*|.*(?P=n)\s*\.\s*MaDecodeData\s*)\s*\(/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10478 WEB-ACTIVEX MarkAny MaPrintModule_WORK ActiveX function call access 23420 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"M|00|A|00|P|00|R|00|I|00|N|00|T|00|M|00|O|00|D|00|U|00|L|00|E|00|W|00|O|00|R|00|K|00|.|00|M|00|a|00|P|00|r|00|i|00|n|00|t|00|M|00|o|00|d|00|u|00|l|00|e|00|W|00|O|00|R|00|K|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)M\x00A\x00P\x00R\x00I\x00N\x00T\x00M\x00O\x00D\x00U\x00L\x00E\x00W\x00O\x00R\x00K\x00.\x00M\x00a\x00P\x00r\x00i\x00n\x00t\x00M\x00o\x00d\x00u\x00l\x00e\x00W\x00O\x00R\x00K\x00C\x00t\x00r\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)M\x00A\x00P\x00R\x00I\x00N\x00T\x00M\x00O\x00D\x00U\x00L\x00E\x00W\x00O\x00R\x00K\x00.\x00M\x00a\x00P\x00r\x00i\x00n\x00t\x00M\x00o\x00d\x00u\x00l\x00e\x00W\x00O\x00R\x00K\x00C\x00t\x00r\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10479 WEB-ACTIVEX MarkAny MaPrintModule_WORK ActiveX function call unicode access 23554 attempted-user 2007-1690 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"052DF14F-6F28-44A0-9130-294FDA6176EB"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*052DF14F-6F28-44A0-9130-294FDA6176EB\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 10978 WEB-ACTIVEX Second Sight Software ActiveGS ActiveX clsid access www.kb.cert.org/vuls/id/118737 23554 attempted-user 2007-1690 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|5|00|2|00|D|00|F|00|1|00|4|00|F|00|-|00|6|00|F|00|2|00|8|00|-|00|4|00|4|00|A|00|0|00|-|00|9|00|1|00|3|00|0|00|-|00|2|00|9|00|4|00|F|00|D|00|A|00|6|00|1|00|7|00|6|00|E|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 10979 WEB-ACTIVEX Second Sight Software ActiveGS ActiveX clsid unicode access www.kb.cert.org/vuls/id/118737 23554 attempted-user 2007-1690 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ACTIVEGS.ActiveGSCtrl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22ACTIVEGS\.ActiveGSCtrl\x22|\x27ACTIVEGS\.ActiveGSCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ACTIVEGS\.ActiveGSCtrl\x22|\x27ACTIVEGS\.ActiveGSCtrl\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10980 WEB-ACTIVEX Second Sight Software ActiveGS ActiveX function call access www.kb.cert.org/vuls/id/118737 23554 attempted-user 2007-1690 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|C|00|T|00|I|00|V|00|E|00|G|00|S|00|.|00|A|00|c|00|t|00|i|00|v|00|e|00|G|00|S|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)A\x00C\x00T\x00I\x00V\x00E\x00G\x00S\x00.\x00A\x00c\x00t\x00i\x00v\x00e\x00G\x00S\x00C\x00t\x00r\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)A\x00C\x00T\x00I\x00V\x00E\x00G\x00S\x00.\x00A\x00c\x00t\x00i\x00v\x00e\x00G\x00S\x00C\x00t\x00r\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10981 WEB-ACTIVEX Second Sight Software ActiveGS ActiveX function call unicode access www.kb.cert.org/vuls/id/118737 23554 attempted-user 2007-1691 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2078D6EC-693C-4FB2-AE7B-A6B8D2BC4DC8"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2078D6EC-693C-4FB2-AE7B-A6B8D2BC4DC8\s*}?\s*(?P=q5)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 10982 WEB-ACTIVEX Second Sight Software ActiveMod ActiveX clsid access www.kb.cert.org/vuls/id/962305 23554 attempted-user 2007-1691 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|0|00|7|00|8|00|D|00|6|00|E|00|C|00|-|00|6|00|9|00|3|00|C|00|-|00|4|00|F|00|B|00|2|00|-|00|A|00|E|00|7|00|B|00|-|00|A|00|6|00|B|00|8|00|D|00|2|00|B|00|C|00|4|00|D|00|C|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q6>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 10983 WEB-ACTIVEX Second Sight Software ActiveMod ActiveX clsid unicode access www.kb.cert.org/vuls/id/962305 23554 attempted-user 2007-1691 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ACTIVEMOD.ActiveModCtrl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22ACTIVEMOD\.ActiveModCtrl\x22|\x27ACTIVEMOD\.ActiveModCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ACTIVEMOD\.ActiveModCtrl\x22|\x27ACTIVEMOD\.ActiveModCtrl\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10984 WEB-ACTIVEX Second Sight Software ActiveMod ActiveX function call access www.kb.cert.org/vuls/id/962305 23554 attempted-user 2007-1691 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|C|00|T|00|I|00|V|00|E|00|M|00|O|00|D|00|.|00|A|00|c|00|t|00|i|00|v|00|e|00|M|00|o|00|d|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q7>\x22|\x27|)A\x00C\x00T\x00I\x00V\x00E\x00M\x00O\x00D\x00.\x00A\x00c\x00t\x00i\x00v\x00e\x00M\x00o\x00d\x00C\x00t\x00r\x00l\x00(?P=q7)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q8>\x22|\x27|)A\x00C\x00T\x00I\x00V\x00E\x00M\x00O\x00D\x00.\x00A\x00c\x00t\x00i\x00v\x00e\x00M\x00o\x00d\x00C\x00t\x00r\x00l\x00(?P=q8)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10985 WEB-ACTIVEX Second Sight Software ActiveMod ActiveX function call unicode access www.kb.cert.org/vuls/id/962305 23567 attempted-user 2007-0443 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F4BAFF02-F907-11D2-8F8F-00C04F4C3B9F"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q11>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F4BAFF02-F907-11D2-8F8F-00C04F4C3B9F\s*}?\s*(?P=q11)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 10986 WEB-ACTIVEX GraceNote CDDB ActiveX clsid access www.kb.cert.org/vuls/id/701121 23567 attempted-user 2007-0443 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|4|00|B|00|A|00|F|00|F|00|0|00|2|00|-|00|F|00|9|00|0|00|7|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|F|00|8|00|F|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|4|00|C|00|3|00|B|00|9|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q12>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q12)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 10987 WEB-ACTIVEX GraceNote CDDB ActiveX clsid unicode access www.kb.cert.org/vuls/id/701121 23567 attempted-user 2007-0443 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ClassCDDBControl.CddbSegments"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22ClassCDDBControl\.CddbSegments\x22|\x27ClassCDDBControl\.CddbSegments\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ClassCDDBControl\.CddbSegments\x22|\x27ClassCDDBControl\.CddbSegments\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10988 WEB-ACTIVEX GraceNote CDDB ActiveX function call access www.kb.cert.org/vuls/id/701121 23567 attempted-user 2007-0443 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|l|00|a|00|s|00|s|00|C|00|D|00|D|00|B|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|.|00|C|00|d|00|d|00|b|00|S|00|e|00|g|00|m|00|e|00|n|00|t|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q13>\x22|\x27|)C\x00l\x00a\x00s\x00s\x00C\x00D\x00D\x00B\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00.\x00C\x00d\x00d\x00b\x00S\x00e\x00g\x00m\x00e\x00n\x00t\x00s\x00(?P=q13)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q14>\x22|\x27|)C\x00l\x00a\x00s\x00s\x00C\x00D\x00D\x00B\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00.\x00C\x00d\x00d\x00b\x00S\x00e\x00g\x00m\x00e\x00n\x00t\x00s\x00(?P=q14)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10989 WEB-ACTIVEX GraceNote CDDB ActiveX function call unicode access www.kb.cert.org/vuls/id/701121 23595 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AED98630-0251-4E83-917D-43A23D66D507"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q15>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AED98630-0251-4E83-917D-43A23D66D507\s*}?\s*(?P=q15)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 10991 WEB-ACTIVEX Microgaming Download Helper ActiveX clsid access www.kb.cert.org/vuls/id/184473 23595 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|E|00|D|00|9|00|8|00|6|00|3|00|0|00|-|00|0|00|2|00|5|00|1|00|-|00|4|00|E|00|8|00|3|00|-|00|9|00|1|00|7|00|D|00|-|00|4|00|3|00|A|00|2|00|3|00|D|00|6|00|6|00|D|00|5|00|0|00|7|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q16>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q16)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 10992 WEB-ACTIVEX Microgaming Download Helper ActiveX clsid unicode access www.kb.cert.org/vuls/id/184473 23595 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DLHelper.WebHandler"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22DLHelper\.WebHandler\x22|\x27DLHelper\.WebHandler\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DLHelper\.WebHandler\x22|\x27DLHelper\.WebHandler\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10993 WEB-ACTIVEX Microgaming Download Helper ActiveX function call access www.kb.cert.org/vuls/id/184473 23595 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|L|00|H|00|e|00|l|00|p|00|e|00|r|00|.|00|W|00|e|00|b|00|H|00|a|00|n|00|d|00|l|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q17>\x22|\x27|)D\x00L\x00H\x00e\x00l\x00p\x00e\x00r\x00.\x00W\x00e\x00b\x00H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q17)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q18>\x22|\x27|)D\x00L\x00H\x00e\x00l\x00p\x00e\x00r\x00.\x00W\x00e\x00b\x00H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q18)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10994 WEB-ACTIVEX Microgaming Download Helper ActiveX function call unicode access www.kb.cert.org/vuls/id/184473 33243 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"97AF4A45-49BE-4485-9F55-91AB40F22B92"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m9>\x22|\x27|)(?P<id1>.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P<q19>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22B92\s*}?\s*(?P=q19)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q20>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22B92\s*}?\s*(?P=q20)(\s|>)[^>]*\s*id\s*=\s*(?P<m10>\x22|\x27|)(?P<id2>.+?)(?P=m10)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile))\s*\(/siO"; metadata:policy balanced-ips drop, policy security-ips alert, service http; classtype:attempted-user; 11176 WEB-ACTIVEX PowerPoint Viewer ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-01-powerpointviewerocx-31.html 33243 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|7|00|A|00|F|00|4|00|A|00|4|00|5|00|-|00|4|00|9|00|B|00|E|00|-|00|4|00|4|00|8|00|5|00|-|00|9|00|F|00|5|00|5|00|-|00|9|00|1|00|A|00|B|00|4|00|0|00|F|00|2|00|2|00|B|00|9|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q21>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x007\x00A\x00F\x004\x00A\x004\x005\x00-\x004\x009\x00B\x00E\x00-\x004\x004\x008\x005\x00-\x009\x00F\x005\x005\x00-\x009\x001\x00A\x00B\x004\x000\x00F\x002\x002\x00B\x009\x002\x00(}\x00)?(?P=q21)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 11177 WEB-ACTIVEX PowerPoint Viewer ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-01-powerpointviewerocx-31.html 33243 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"OA.OACtrl"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22OA\.OACtrl(\.\d)?\x22|\x27OA\.OACtrl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=v)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OA\.OACtrl(\.\d)?\x22|\x27OA\.OACtrl(\.\d)?\x27)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=n)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*)\s*\(/smiO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 11178 WEB-ACTIVEX PowerPoint Viewer ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-01-powerpointviewerocx-31.html 33243 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"O|00|A|00|.|00|O|00|A|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q22>\x22|\x27|)O\x00A\x00.\x00O\x00A\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q22)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q23>\x22|\x27|)O\x00A\x00.\x00O\x00A\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q23)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 11179 WEB-ACTIVEX PowerPoint Viewer ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-01-powerpointviewerocx-31.html 22558 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DVD_TOOLS.DVD_TOOLSCtrl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22DVD_TOOLS\.DVD_TOOLSCtrl\x22|\x27DVD_TOOLS\.DVD_TOOLSCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DVD_TOOLS\.DVD_TOOLSCtrl\x22|\x27DVD_TOOLS\.DVD_TOOLSCtrl\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11197 WEB-ACTIVEX ActiveX Soft DVD Tools ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-04-bonus-actsoft-dvd-tools.html 22558 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|V|00|D|00|_|00|T|00|O|00|O|00|L|00|S|00|.|00|D|00|V|00|D|00|_|00|T|00|O|00|O|00|L|00|S|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)D\x00V\x00D\x00_\x00T\x00O\x00O\x00L\x00S\x00.\x00D\x00V\x00D\x00_\x00T\x00O\x00O\x00L\x00S\x00C\x00t\x00r\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)D\x00V\x00D\x00_\x00T\x00O\x00O\x00L\x00S\x00.\x00D\x00V\x00D\x00_\x00T\x00O\x00O\x00L\x00S\x00C\x00t\x00r\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11198 WEB-ACTIVEX ActiveX Soft DVD Tools ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-04-bonus-actsoft-dvd-tools.html 23833 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"995A778F-E846-48DD-94F2-280FDED1AADF"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*995A778F-E846-48DD-94F2-280FDED1AADF\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(OpenDVD)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*995A778F-E846-48DD-94F2-280FDED1AADF\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(OpenDVD))\s*\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 11206 WEB-ACTIVEX East Wind Software ADVDAUDIO ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-05-east-wind-software.html 23833 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|9|00|5|00|A|00|7|00|7|00|8|00|F|00|-|00|E|00|8|00|4|00|6|00|-|00|4|00|8|00|D|00|D|00|-|00|9|00|4|00|F|00|2|00|-|00|2|00|8|00|0|00|F|00|D|00|E|00|D|00|1|00|A|00|A|00|D|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11207 WEB-ACTIVEX East Wind Software ADVDAUDIO ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-05-east-wind-software.html 23833 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ADVDAUDIO.ADVDAUDIOCtrl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22ADVDAUDIO\.ADVDAUDIOCtrl\x22|\x27ADVDAUDIO\.ADVDAUDIOCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*OpenDVD\s*|.*(?P=v)\s*\.\s*OpenDVD\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ADVDAUDIO\.ADVDAUDIOCtrl\x22|\x27ADVDAUDIO\.ADVDAUDIOCtrl\x27)\s*\)(\s*\.\s*OpenDVD\s*|.*(?P=n)\s*\.\s*OpenDVD\s*)\s*\(/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11208 WEB-ACTIVEX East Wind Software ADVDAUDIO ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-05-east-wind-software.html 23833 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|D|00|V|00|D|00|A|00|U|00|D|00|I|00|O|00|.|00|A|00|D|00|V|00|D|00|A|00|U|00|D|00|I|00|O|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)A\x00D\x00V\x00D\x00A\x00U\x00D\x00I\x00O\x00.\x00A\x00D\x00V\x00D\x00A\x00U\x00D\x00I\x00O\x00C\x00t\x00r\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)A\x00D\x00V\x00D\x00A\x00U\x00D\x00I\x00O\x00.\x00A\x00D\x00V\x00D\x00A\x00U\x00D\x00I\x00O\x00C\x00t\x00r\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11209 WEB-ACTIVEX East Wind Software ADVDAUDIO ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-05-east-wind-software.html 23838 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E2B7DDA9-38C5-11D5-91F6-00104BDB8FF9"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E2B7DDA9-38C5-11D5-91F6-00104BDB8FF9\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(LockModules|UnlockModule)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E2B7DDA9-38C5-11D5-91F6-00104BDB8FF9\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(LockModules|UnlockModule))\s*\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 11210 WEB-ACTIVEX Sienzo Digital Music Mentor ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-06-sienzo-digital-music-mentor.html 23838 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|2|00|B|00|7|00|D|00|D|00|A|00|9|00|-|00|3|00|8|00|C|00|5|00|-|00|1|00|1|00|D|00|5|00|-|00|9|00|1|00|F|00|6|00|-|00|0|00|0|00|1|00|0|00|4|00|B|00|D|00|B|00|8|00|F|00|F|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q8>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11211 WEB-ACTIVEX Sienzo Digital Music Mentor ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-06-sienzo-digital-music-mentor.html 23838 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DSKernel.LMDSKernel"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22DSKernel\.LMDSKernel\x22|\x27DSKernel\.LMDSKernel\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(LockModules|UnlockModule)\s*|.*(?P=v)\s*\.\s*(LockModules|UnlockModule)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DSKernel\.LMDSKernel\x22|\x27DSKernel\.LMDSKernel\x27)\s*\)(\s*\.\s*(LockModules|UnlockModule)\s*|.*(?P=n)\s*\.\s*(LockModules|UnlockModule)\s*)\s*\(/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11212 WEB-ACTIVEX Sienzo Digital Music Mentor ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-06-sienzo-digital-music-mentor.html 23838 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|S|00|K|00|e|00|r|00|n|00|e|00|l|00|.|00|L|00|M|00|D|00|S|00|K|00|e|00|r|00|n|00|e|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q9>\x22|\x27|)D\x00S\x00K\x00e\x00r\x00n\x00e\x00l\x00.\x00L\x00M\x00D\x00S\x00K\x00e\x00r\x00n\x00e\x00l\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q10>\x22|\x27|)D\x00S\x00K\x00e\x00r\x00n\x00e\x00l\x00.\x00L\x00M\x00D\x00S\x00K\x00e\x00r\x00n\x00e\x00l\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11213 WEB-ACTIVEX Sienzo Digital Music Mentor ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-06-sienzo-digital-music-mentor.html 23853 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"28776DAD-5914-42A7-9139-8FD7C756BBDD"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q11>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*28776DAD-5914-42A7-9139-8FD7C756BBDD\s*}?\s*(?P=q11)(\s|>).*(?P=id1)\s*\.\s*(AddFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q12>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*28776DAD-5914-42A7-9139-8FD7C756BBDD\s*}?\s*(?P=q12)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\.(AddFile))\s*\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 11214 WEB-ACTIVEX VeralSoft HTTP File Uploader ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-07-versalsoft-http-file-uploader.html 23853 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|8|00|7|00|7|00|6|00|D|00|A|00|D|00|-|00|5|00|9|00|1|00|4|00|-|00|4|00|2|00|A|00|7|00|-|00|9|00|1|00|3|00|9|00|-|00|8|00|F|00|D|00|7|00|C|00|7|00|5|00|6|00|B|00|B|00|D|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q13>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q13)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11215 WEB-ACTIVEX VeralSoft HTTP File Uploader ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-07-versalsoft-http-file-uploader.html 23853 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"UFileUploaderD.FileUploaderD"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22UFileUploaderD\.FileUploaderD\x22|\x27UFileUploaderD\.FileUploaderD\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*AddFile\s*|.*(?P=v)\s*\.\s*AddFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22UFileUploaderD\.FileUploaderD\x22|\x27UFileUploaderD\.FileUploaderD\x27)\s*\)(\s*\.\s*AddFile\s*|.*(?P=n)\s*\.\s*AddFile\s*)\s*\(/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11216 WEB-ACTIVEX VeralSoft HTTP File Uploader ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-07-versalsoft-http-file-uploader.html 23853 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"U|00|F|00|i|00|l|00|e|00|U|00|p|00|l|00|o|00|a|00|d|00|e|00|r|00|D|00|.|00|F|00|i|00|l|00|e|00|U|00|p|00|l|00|o|00|a|00|d|00|e|00|r|00|D|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q14>\x22|\x27|)U\x00F\x00i\x00l\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00D\x00.\x00F\x00i\x00l\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00D\x00(?P=q14)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q15>\x22|\x27|)U\x00F\x00i\x00l\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00D\x00.\x00F\x00i\x00l\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00D\x00(?P=q15)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11217 WEB-ACTIVEX VeralSoft HTTP File Uploader ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-07-versalsoft-http-file-uploader.html 23869 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"62FA83F7-20EC-4D62-AC86-BAB705EE1CCD"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q16>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*62FA83F7-20EC-4D62-AC86-BAB705EE1CCD\s*}?\s*(?P=q16)(\s|>).*(?P=id1)\s*\.\s*(ConnectAsyncEx)|<object\s*[^>]*\s*classid\s*=\s*(?P<q17>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*62FA83F7-20EC-4D62-AC86-BAB705EE1CCD\s*}?\s*(?P=q17)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\.(ConnectAsyncEx))\s*\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 11218 WEB-ACTIVEX SmartCode VNC Manager ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-08-smartcode-vnc-manager-36.html 23869 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|2|00|F|00|A|00|8|00|3|00|F|00|7|00|-|00|2|00|0|00|E|00|C|00|-|00|4|00|D|00|6|00|2|00|-|00|A|00|C|00|8|00|6|00|-|00|B|00|A|00|B|00|7|00|0|00|5|00|E|00|E|00|1|00|C|00|C|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q18>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q18)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11219 WEB-ACTIVEX SmartCode VNC Manager ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-08-smartcode-vnc-manager-36.html 23869 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"SmartCode.ViewerX"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22SmartCode\.ViewerX\x22|\x27SmartCode\.ViewerX\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*ConnectAsyncEx\s*|.*(?P=v)\s*\.\s*ConnectAsyncEx\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SmartCode\.ViewerX\x22|\x27SmartCode\.ViewerX\x27)\s*\)(\s*\.\s*ConnectAsyncEx\s*|.*(?P=n)\s*\.\s*ConnectAsyncEx\s*)\s*\(/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11220 WEB-ACTIVEX SmartCode VNC Manager ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-08-smartcode-vnc-manager-36.html 23869 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"S|00|m|00|a|00|r|00|t|00|C|00|o|00|d|00|e|00|.|00|V|00|i|00|e|00|w|00|e|00|r|00|X|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q19>\x22|\x27|)S\x00m\x00a\x00r\x00t\x00C\x00o\x00d\x00e\x00.\x00V\x00i\x00e\x00w\x00e\x00r\x00X\x00(?P=q19)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q20>\x22|\x27|)S\x00m\x00a\x00r\x00t\x00C\x00o\x00d\x00e\x00.\x00V\x00i\x00e\x00w\x00e\x00r\x00X\x00(?P=q20)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11221 WEB-ACTIVEX SmartCode VNC Manager ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-08-smartcode-vnc-manager-36.html attempted-user 2007-2221 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D4FE6227-1288-11D0-9097-00AA004254A0"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D4FE6227-1288-11D0-9097-00AA004254A0\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SaveAs)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D4FE6227-1288-11D0-9097-00AA004254A0\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SaveAs))\s*\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 11224 WEB-ACTIVEX MSAuth ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms07-027.mspx attempted-user 2007-2221 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|4|00|F|00|E|00|6|00|2|00|2|00|7|00|-|00|1|00|2|00|8|00|8|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|0|00|9|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|2|00|5|00|4|00|A|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11225 WEB-ACTIVEX MSAuth ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms07-027.mspx attempted-user 2007-2221 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"NMSA.SessionDescription"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22NMSA\.SessionDescription\x22|\x27NMSA\.SessionDescription\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveAs\s*|.*(?P=v)\s*\.\s*SaveAs\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NMSA\.SessionDescription\x22|\x27NMSA\.SessionDescription\x27)\s*\)(\s*\.\s*SaveAs\s*|.*(?P=n)\s*\.\s*SaveAs\s*)\s*\(/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11226 WEB-ACTIVEX MSAuth ActiveX function call access www.microsoft.com/technet/security/bulletin/ms07-027.mspx attempted-user 2007-2221 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"N|00|M|00|S|00|A|00|.|00|S|00|e|00|s|00|s|00|i|00|o|00|n|00|D|00|e|00|s|00|c|00|r|00|i|00|p|00|t|00|i|00|o|00|n|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)N\x00M\x00S\x00A\x00.\x00S\x00e\x00s\x00s\x00i\x00o\x00n\x00D\x00e\x00s\x00c\x00r\x00i\x00p\x00t\x00i\x00o\x00n\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)N\x00M\x00S\x00A\x00.\x00S\x00e\x00s\x00s\x00i\x00o\x00n\x00D\x00e\x00s\x00c\x00r\x00i\x00p\x00t\x00i\x00o\x00n\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11227 WEB-ACTIVEX MSAuth ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/ms07-027.mspx attempted-user 2007-0942 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BE4191FB-59EF-4825-AEFC-109727951E42"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BE4191FB-59EF-4825-AEFC-109727951E42\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11228 WEB-ACTIVEX Microsoft Input Method Editor 3 ActiveX clsid access www.xsec.org/index.php?module=releases&act=view&type=1&id=9 attempted-user 2007-0942 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|E|00|4|00|1|00|9|00|1|00|F|00|B|00|-|00|5|00|9|00|E|00|F|00|-|00|4|00|8|00|2|00|5|00|-|00|A|00|E|00|F|00|C|00|-|00|1|00|0|00|9|00|7|00|2|00|7|00|9|00|5|00|1|00|E|00|4|00|2|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11229 WEB-ACTIVEX Microsoft Input Method Editor 3 ActiveX clsid unicode access www.xsec.org/index.php?module=releases&act=view&type=1&id=9 attempted-user 2007-0940 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"17E3A1C3-EA8A-4970-AF29-7F54610B1D4C"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*17E3A1C3-EA8A-4970-AF29-7F54610B1D4C\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11230 WEB-ACTIVEX Microsoft Cryptographic API COM 1 ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms07-028.mspx attempted-user 2007-0940 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|7|00|E|00|3|00|A|00|1|00|C|00|3|00|-|00|E|00|A|00|8|00|A|00|-|00|4|00|9|00|7|00|0|00|-|00|A|00|F|00|2|00|9|00|-|00|7|00|F|00|5|00|4|00|6|00|1|00|0|00|B|00|1|00|D|00|4|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11231 WEB-ACTIVEX Microsoft Cryptographic API COM 1 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms07-028.mspx attempted-user 2007-0940 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CAPICOM.Certificates"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22CAPICOM\.Certificates\x22|\x27CAPICOM\.Certificates\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22CAPICOM\.Certificates\x22|\x27CAPICOM\.Certificates\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11232 WEB-ACTIVEX Microsoft Cryptographic API COM 1 ActiveX function call access www.microsoft.com/technet/security/bulletin/ms07-028.mspx attempted-user 2007-0940 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|A|00|P|00|I|00|C|00|O|00|M|00|.|00|C|00|e|00|r|00|t|00|i|00|f|00|i|00|c|00|a|00|t|00|e|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)C\x00A\x00P\x00I\x00C\x00O\x00M\x00.\x00C\x00e\x00r\x00t\x00i\x00f\x00i\x00c\x00a\x00t\x00e\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)C\x00A\x00P\x00I\x00C\x00O\x00M\x00.\x00C\x00e\x00r\x00t\x00i\x00f\x00i\x00c\x00a\x00t\x00e\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11233 WEB-ACTIVEX Microsoft Cryptographic API COM 1 ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/ms07-028.mspx attempted-user 2007-0940 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FBAB033B-CDD0-4C5E-81AB-AEA575CD1338"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FBAB033B-CDD0-4C5E-81AB-AEA575CD1338\s*}?\s*(?P=q5)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11234 WEB-ACTIVEX Microsoft Cryptographic API COM 2 ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms07-028.mspx attempted-user 2007-0940 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|B|00|A|00|B|00|0|00|3|00|3|00|B|00|-|00|C|00|D|00|D|00|0|00|-|00|4|00|C|00|5|00|E|00|-|00|8|00|1|00|A|00|B|00|-|00|A|00|E|00|A|00|5|00|7|00|5|00|C|00|D|00|1|00|3|00|3|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q6>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11235 WEB-ACTIVEX Microsoft Cryptographic API COM 2 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms07-028.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"42B07B28-2280-4937-B035-0293FB812781"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*42B07B28-2280-4937-B035-0293FB812781\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11239 WEB-ACTIVEX DXImageTransform.Microsoft.Redirect ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms06-013.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|2|00|B|00|0|00|7|00|B|00|2|00|8|00|-|00|2|00|2|00|8|00|0|00|-|00|4|00|9|00|3|00|7|00|-|00|B|00|0|00|3|00|5|00|-|00|0|00|2|00|9|00|3|00|F|00|B|00|8|00|1|00|2|00|7|00|8|00|1|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11240 WEB-ACTIVEX DXImageTransform.Microsoft.Redirect ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms06-013.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DXImageTransform.Microsoft.Redirect"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22DXImageTransform\.Microsoft\.Redirect\x22|\x27DXImageTransform\.Microsoft\.Redirect\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DXImageTransform\.Microsoft\.Redirect\x22|\x27DXImageTransform\.Microsoft\.Redirect\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11241 WEB-ACTIVEX DXImageTransform.Microsoft.Redirect ActiveX function call access www.microsoft.com/technet/security/bulletin/ms06-013.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|X|00|I|00|m|00|a|00|g|00|e|00|T|00|r|00|a|00|n|00|s|00|f|00|o|00|r|00|m|00|.|00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|.|00|R|00|e|00|d|00|i|00|r|00|e|00|c|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)D\x00X\x00I\x00m\x00a\x00g\x00e\x00T\x00r\x00a\x00n\x00s\x00f\x00o\x00r\x00m\x00.\x00M\x00i\x00c\x00r\x00o\x00s\x00o\x00f\x00t\x00.\x00R\x00e\x00d\x00i\x00r\x00e\x00c\x00t\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)D\x00X\x00I\x00m\x00a\x00g\x00e\x00T\x00r\x00a\x00n\x00s\x00f\x00o\x00r\x00m\x00.\x00M\x00i\x00c\x00r\x00o\x00s\x00o\x00f\x00t\x00.\x00R\x00e\x00d\x00i\x00r\x00e\x00c\x00t\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11242 WEB-ACTIVEX DXImageTransform.Microsoft.Redirect ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/ms06-013.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"542FB453-5003-11CF-92A2-00AA00B8A733"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*542FB453-5003-11CF-92A2-00AA00B8A733\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11243 WEB-ACTIVEX DirectAnimation.DAstatics ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms06-013.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|4|00|2|00|F|00|B|00|4|00|5|00|3|00|-|00|5|00|0|00|0|00|3|00|-|00|1|00|1|00|C|00|F|00|-|00|9|00|2|00|A|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|8|00|A|00|7|00|3|00|3|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11244 WEB-ACTIVEX DirectAnimation.DAstatics ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms06-013.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAstatics"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22DirectAnimation\.DAstatics\x22|\x27DirectAnimation\.DAstatics\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DirectAnimation\.DAstatics\x22|\x27DirectAnimation\.DAstatics\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11245 WEB-ACTIVEX DirectAnimation.DAstatics ActiveX function call access www.microsoft.com/technet/security/bulletin/ms06-013.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|i|00|r|00|e|00|c|00|t|00|A|00|n|00|i|00|m|00|a|00|t|00|i|00|o|00|n|00|.|00|D|00|A|00|s|00|t|00|a|00|t|00|i|00|c|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)D\x00i\x00r\x00e\x00c\x00t\x00A\x00n\x00i\x00m\x00a\x00t\x00i\x00o\x00n\x00.\x00D\x00A\x00s\x00t\x00a\x00t\x00i\x00c\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)D\x00i\x00r\x00e\x00c\x00t\x00A\x00n\x00i\x00m\x00a\x00t\x00i\x00o\x00n\x00.\x00D\x00A\x00s\x00t\x00a\x00t\x00i\x00c\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11246 WEB-ACTIVEX DirectAnimation.DAstatics ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/ms06-013.mspx 23331 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1D95A7C7-3282-4DB7-9A48-7C39CE152A19"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1D95A7C7-3282-4DB7-9A48-7C39CE152A19\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11247 WEB-ACTIVEX Research In Motion TeamOn Import ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms07-027.mspx 23331 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|D|00|9|00|5|00|A|00|7|00|C|00|7|00|-|00|3|00|2|00|8|00|2|00|-|00|4|00|D|00|B|00|7|00|-|00|9|00|A|00|4|00|8|00|-|00|7|00|C|00|3|00|9|00|C|00|E|00|1|00|5|00|2|00|A|00|1|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11248 WEB-ACTIVEX Research In Motion TeamOn Import ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms07-027.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"d|00|e|00|0|00|1|00|1|00|5|00|9|00|0|00|-|00|0|00|5|00|3|00|1|00|-|00|4|00|8|00|0|00|4|00|-|00|9|00|c|00|9|00|c|00|-|00|3|00|f|00|e|00|d|00|c|00|7|00|e|00|6|00|e|00|5|00|c|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11249 WEB-ACTIVEX IE Address ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms05-054.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4EA7C4C5-C5C0-4F5C-A008-8293505F71CC"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4EA7C4C5-C5C0-4F5C-A008-8293505F71CC\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11250 WEB-ACTIVEX Sony Rootkit Uninstaller ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms05-054.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|E|00|A|00|7|00|C|00|4|00|C|00|5|00|-|00|C|00|5|00|C|00|0|00|-|00|4|00|F|00|5|00|C|00|-|00|A|00|0|00|0|00|8|00|-|00|8|00|2|00|9|00|3|00|5|00|0|00|5|00|F|00|7|00|1|00|C|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11251 WEB-ACTIVEX Sony Rootkit Uninstaller ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms05-054.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"de011590-0531-4804-9c9c-3fedc7e6e5c8"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*de011590-0531-4804-9c9c-3fedc7e6e5c8\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11252 WEB-ACTIVEX IE Address ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms05-054.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"288F1523-FAC4-11CE-B16F-00AA0060D93D"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*288F1523-FAC4-11CE-B16F-00AA0060D93D\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Filename)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*288F1523-FAC4-11CE-B16F-00AA0060D93D\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(Filename))\s*=/si"; metadata:policy security-ips drop; classtype:attempted-user; 11253 WEB-ACTIVEX Microsoft MciWndx ActiveX clsid access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|8|00|8|00|F|00|1|00|5|00|2|00|3|00|-|00|F|00|A|00|C|00|4|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|1|00|6|00|F|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|0|00|D|00|9|00|3|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11254 WEB-ACTIVEX Microsoft MciWndx ActiveX clsid unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"MCIWNDX.MCIWndXCtrl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22MCIWNDX\.MCIWndXCtrl\x22|\x27MCIWNDX\.MCIWndXCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Filename\s*|.*(?P=v)\s*\.\s*Filename\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MCIWNDX\.MCIWndXCtrl\x22|\x27MCIWNDX\.MCIWndXCtrl\x27)\s*\)(\s*\.\s*Filename\s*|.*(?P=n)\s*\.\s*Filename)\s*=/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11255 WEB-ACTIVEX Microsoft MciWndx ActiveX function call access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"M|00|C|00|I|00|W|00|N|00|D|00|X|00|.|00|M|00|C|00|I|00|W|00|n|00|d|00|X|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)M\x00C\x00I\x00W\x00N\x00D\x00X\x00.\x00M\x00C\x00I\x00W\x00n\x00d\x00X\x00C\x00t\x00r\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)M\x00C\x00I\x00W\x00N\x00D\x00X\x00.\x00M\x00C\x00I\x00W\x00n\x00d\x00X\x00C\x00t\x00r\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11256 WEB-ACTIVEX Microsoft MciWndx ActiveX function call unicode access 23891 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Verify)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Verify))\s*\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 11259 WEB-ACTIVEX BarcodeWiz ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-09-barcodewiz-activex-control-20.html 23891 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|D|00|3|00|B|00|0|00|9|00|F|00|1|00|-|00|2|00|6|00|F|00|B|00|-|00|4|00|1|00|C|00|D|00|-|00|B|00|3|00|F|00|2|00|-|00|E|00|1|00|7|00|8|00|D|00|F|00|D|00|3|00|B|00|C|00|C|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11260 WEB-ACTIVEX BarcodeWiz ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-09-barcodewiz-activex-control-20.html 23891 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BarcodeWiz.BarcodeWiz"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22BarcodeWiz\.BarcodeWiz\x22|\x27BarcodeWiz\.BarcodeWiz\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Verify\s*|.*(?P=v)\s*\.\s*Verify\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BarcodeWiz\.BarcodeWiz\x22|\x27BarcodeWiz\.BarcodeWiz\x27)\s*\)(\s*\.\s*Verify\s*|.*(?P=n)\s*\.\s*Verify\s*)\s*\(/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11261 WEB-ACTIVEX BarcodeWiz ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-09-barcodewiz-activex-control-20.html 23891 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|a|00|r|00|c|00|o|00|d|00|e|00|W|00|i|00|z|00|.|00|B|00|a|00|r|00|c|00|o|00|d|00|e|00|W|00|i|00|z|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)B\x00a\x00r\x00c\x00o\x00d\x00e\x00W\x00i\x00z\x00.\x00B\x00a\x00r\x00c\x00o\x00d\x00e\x00W\x00i\x00z\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)B\x00a\x00r\x00c\x00o\x00d\x00e\x00W\x00i\x00z\x00.\x00B\x00a\x00r\x00c\x00o\x00d\x00e\x00W\x00i\x00z\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11262 WEB-ACTIVEX BarcodeWiz ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-09-barcodewiz-activex-control-20.html 23822 attempted-user 2006-3456 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"085ABFE2-D753-445C-8A2A-D4BD46CE0811"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*085ABFE2-D753-445C-8A2A-D4BD46CE0811\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11268 WEB-ACTIVEX Symantec Norton AntiVirus ActiveX clsid access www.symantec.com/avcenter/security/Content/2007.05.09.html 23822 attempted-user 2006-3456 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|8|00|5|00|A|00|B|00|F|00|E|00|2|00|-|00|D|00|7|00|5|00|3|00|-|00|4|00|4|00|5|00|C|00|-|00|8|00|A|00|2|00|A|00|-|00|D|00|4|00|B|00|D|00|4|00|6|00|C|00|E|00|0|00|8|00|1|00|1|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11269 WEB-ACTIVEX Symantec Norton AntiVirus ActiveX clsid unicode access www.symantec.com/avcenter/security/Content/2007.05.09.html 23822 attempted-user 2006-3456 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Symantec.Norton.AntiVirus.NAVOptions"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Symantec\.Norton\.AntiVirus\.NAVOptions\x22|\x27Symantec\.Norton\.AntiVirus\.NAVOptions\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Symantec\.Norton\.AntiVirus\.NAVOptions\x22|\x27Symantec\.Norton\.AntiVirus\.NAVOptions\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11270 WEB-ACTIVEX Symantec Norton AntiVirus ActiveX function call access www.symantec.com/avcenter/security/Content/2007.05.09.html 23822 attempted-user 2006-3456 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"S|02|y|00|m|00|a|00|n|00|t|00|e|00|c|00|.|00|N|00|o|00|r|00|t|00|o|00|n|00|.|00|A|00|n|00|t|00|i|00|V|00|i|00|r|00|u|00|s|00|.|00|N|00|A|00|V|00|O|00|p|00|t|00|i|00|o|00|n|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)S\x00y\x00m\x00a\x00n\x00t\x00e\x00c\x00.\x00N\x00o\x00r\x00t\x00o\x00n\x00.\x00A\x00n\x00t\x00i\x00V\x00i\x00r\x00u\x00s\x00.\x00N\x00A\x00V\x00O\x00p\x00t\x00i\x00o\x00n\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)S\x00y\x00m\x00a\x00n\x00t\x00e\x00c\x00.\x00N\x00o\x00r\x00t\x00o\x00n\x00.\x00A\x00n\x00t\x00i\x00V\x00i\x00r\x00u\x00s\x00.\x00N\x00A\x00V\x00O\x00p\x00t\x00i\x00o\x00n\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11271 WEB-ACTIVEX Symantec Norton AntiVirus ActiveX function call unicode access www.symantec.com/avcenter/security/Content/2007.05.09.html 23914 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2A515FCD-C0E9-4F38-9C77-2949514366F2"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2A515FCD-C0E9-4F38-9C77-2949514366F2\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11274 WEB-ACTIVEX RControl ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-10-rcontroldll-v-1210-denial-of.html 23914 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|A|00|5|00|1|00|5|00|F|00|C|00|D|00|-|00|C|00|0|00|E|00|9|00|-|00|4|00|F|00|3|00|8|00|-|00|9|00|C|00|7|00|7|00|-|00|2|00|9|00|4|00|9|00|5|00|1|00|4|00|3|00|6|00|6|00|F|00|2|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11275 WEB-ACTIVEX RControl ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-10-rcontroldll-v-1210-denial-of.html 23907 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2225E9BC-AFB3-4ED4-B20E-4F6CF1C39F8B"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q3>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2225E9BC-AFB3-4ED4-B20E-4F6CF1C39F8B\s*}?\s*(?P=q3)(\s|>).*(?P=id1)\s*\.\s*(SetInputFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q4>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2225E9BC-AFB3-4ED4-B20E-4F6CF1C39F8B\s*}?\s*(?P=q4)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetInputFile))\s*\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 11276 WEB-ACTIVEX GDivX Zenith Player AVI Fixer ActiveX clsid access 23907 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|2|00|2|00|5|00|E|00|9|00|B|00|C|00|-|00|A|00|F|00|B|00|3|00|-|00|4|00|E|00|D|00|4|00|-|00|B|00|2|00|0|00|E|00|-|00|4|00|F|00|6|00|C|00|F|00|1|00|C|00|3|00|9|00|F|00|8|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q5>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q5)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11277 WEB-ACTIVEX GDivX Zenith Player AVI Fixer ActiveX clsid unicode access 23907 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AviFix.AviFixer"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22AviFix\.AviFixer\x22|\x27AviFix\.AviFixer\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SetInputFile\s*|.*(?P=v)\s*\.\s*SetInputFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AviFix\.AviFixer\x22|\x27AviFix\.AviFixer\x27)\s*\)(\s*\.\s*SetInputFile\s*|.*(?P=n)\s*\.\s*SetInputFile\s*)\s*\(/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11278 WEB-ACTIVEX GDivX Zenith Player AVI Fixer ActiveX function call access 23907 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|v|00|i|00|F|00|i|00|x|00|.|00|A|00|v|00|i|00|F|00|i|00|x|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q6>\x22|\x27|)A\x00v\x00i\x00F\x00i\x00x\x00.\x00A\x00v\x00i\x00F\x00i\x00x\x00e\x00r\x00(?P=q6)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q7>\x22|\x27|)A\x00v\x00i\x00F\x00i\x00x\x00.\x00A\x00v\x00i\x00F\x00i\x00x\x00e\x00r\x00(?P=q7)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11279 WEB-ACTIVEX GDivX Zenith Player AVI Fixer ActiveX function call unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"584B432E-E0BD-4A78-BD77-665591DA84BB"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q8>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*584B432E-E0BD-4A78-BD77-665591DA84BB\s*}?\s*(?P=q8)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11280 WEB-ACTIVEX FlexLabel ActiveX clsid access www.securityfocus.com/archive/1/468070 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|8|00|4|00|B|00|4|00|3|00|2|00|E|00|-|00|E|00|0|00|B|00|D|00|-|00|4|00|A|00|7|00|8|00|-|00|B|00|D|00|7|00|7|00|-|00|6|00|6|00|5|00|5|00|9|00|1|00|D|00|A|00|8|00|4|00|B|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q9>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q9)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11281 WEB-ACTIVEX FlexLabel ActiveX clsid unicode access www.securityfocus.com/archive/1/468070 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FlexLabelControl.FlexLabel"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22FlexLabelControl\.FlexLabel\x22|\x27FlexLabelControl\.FlexLabel\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22FlexLabelControl\.FlexLabel\x22|\x27FlexLabelControl\.FlexLabel\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11282 WEB-ACTIVEX FlexLabel ActiveX function call access www.securityfocus.com/archive/1/468070 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|l|00|e|00|x|00|L|00|a|00|b|00|e|00|l|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|.|00|F|00|l|00|e|00|x|00|L|00|a|00|b|00|e|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q10>\x22|\x27|)F\x00l\x00e\x00x\x00L\x00a\x00b\x00e\x00l\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00.\x00F\x00l\x00e\x00x\x00L\x00a\x00b\x00e\x00l\x00(?P=q10)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q11>\x22|\x27|)F\x00l\x00e\x00x\x00L\x00a\x00b\x00e\x00l\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00.\x00F\x00l\x00e\x00x\x00L\x00a\x00b\x00e\x00l\x00(?P=q11)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11283 WEB-ACTIVEX FlexLabel ActiveX function call unicode access www.securityfocus.com/archive/1/468070 23900 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BE604333-B029-44E6-8367-1566B0AD7084"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q12>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BE604333-B029-44E6-8367-1566B0AD7084\s*}?\s*(?P=q12)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11284 WEB-ACTIVEX AudioCDRipper ActiveX clsid access 23900 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|E|00|6|00|0|00|4|00|3|00|3|00|3|00|-|00|B|00|0|00|2|00|9|00|-|00|4|00|4|00|E|00|6|00|-|00|8|00|3|00|6|00|7|00|-|00|1|00|5|00|6|00|6|00|B|00|0|00|A|00|D|00|7|00|0|00|8|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q13>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q13)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11285 WEB-ACTIVEX AudioCDRipper ActiveX clsid unicode access 23900 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Audio_CD_Ripper_OCX.cAudioCDRipper"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Audio_CD_Ripper_OCX\.cAudioCDRipper\x22|\x27Audio_CD_Ripper_OCX\.cAudioCDRipper\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Audio_CD_Ripper_OCX\.cAudioCDRipper\x22|\x27Audio_CD_Ripper_OCX\.cAudioCDRipper\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11286 WEB-ACTIVEX AudioCDRipper ActiveX function call access 23900 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|u|00|d|00|i|00|o|00|_|00|C|00|D|00|_|00|R|00|i|00|p|00|p|00|e|00|r|00|_|00|O|00|C|00|X|00|.|00|c|00|A|00|u|00|d|00|i|00|o|00|C|00|D|00|R|00|i|00|p|00|p|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q14>\x22|\x27|)A\x00u\x00d\x00i\x00o\x00_\x00C\x00D\x00_\x00R\x00i\x00p\x00p\x00e\x00r\x00_\x00O\x00C\x00X\x00.\x00c\x00A\x00u\x00d\x00i\x00o\x00C\x00D\x00R\x00i\x00p\x00p\x00e\x00r\x00(?P=q14)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q15>\x22|\x27|)A\x00u\x00d\x00i\x00o\x00_\x00C\x00D\x00_\x00R\x00i\x00p\x00p\x00e\x00r\x00_\x00O\x00C\x00X\x00.\x00c\x00A\x00u\x00d\x00i\x00o\x00C\x00D\x00R\x00i\x00p\x00p\x00e\x00r\x00(?P=q15)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11287 WEB-ACTIVEX AudioCDRipper ActiveX function call unicode access 24793 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BA726BF9-ED2F-461B-9447-CD5C7D66CE8D"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BA726BF9-ED2F-461B-9447-CD5C7D66CE8D\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DeleteProfile|SaveToFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BA726BF9-ED2F-461B-9447-CD5C7D66CE8D\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DeleteProfile|SaveToFile))\s*\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 11291 WEB-ACTIVEX Hewlett Packard HPQVWOCX.DL ActiveX clsid access 24793 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|A|00|7|00|2|00|6|00|B|00|F|00|9|00|-|00|E|00|D|00|2|00|F|00|-|00|4|00|6|00|1|00|B|00|-|00|9|00|4|00|4|00|7|00|-|00|C|00|D|00|5|00|C|00|7|00|D|00|6|00|6|00|C|00|E|00|8|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11292 WEB-ACTIVEX Hewlett Packard HPQVWOCX.DL ActiveX clsid unicode access 23954 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0C3874AA-AB39-4B5E-A768-45F3CE6C6819"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q3>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0C3874AA-AB39-4B5E-A768-45F3CE6C6819\s*}?\s*(?P=q3)(\s|>).*(?P=id1)\s*\.\s*(SaveEnhWMF)|<object\s*[^>]*\s*classid\s*=\s*(?P<q4>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0C3874AA-AB39-4B5E-A768-45F3CE6C6819\s*}?\s*(?P=q4)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SaveEnhWMF))\s*\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 11293 WEB-ACTIVEX IDAutomation Linear Bar Code ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-13-id-automation-linear-barcode.html 23954 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|C|00|3|00|8|00|7|00|4|00|A|00|A|00|-|00|A|00|B|00|3|00|9|00|-|00|4|00|B|00|5|00|E|00|-|00|A|00|7|00|6|00|8|00|-|00|4|00|5|00|F|00|3|00|C|00|E|00|6|00|C|00|6|00|8|00|1|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q5>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q5)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11294 WEB-ACTIVEX IDAutomation Linear Bar Code ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-13-id-automation-linear-barcode.html 23954 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"IDAuto.BarCode"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22IDAuto\.BarCode\x22|\x27IDAuto\.BarCode\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveEnhWMF\s*|.*(?P=v)\s*\.\s*SaveEnhWMF\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22IDAuto\.BarCode\x22|\x27IDAuto\.BarCode\x27)\s*\)(\s*\.\s*SaveEnhWMF\s*|.*(?P=n)\s*\.\s*SaveEnhWMF\s*)\s*\(/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11295 WEB-ACTIVEX IDAutomation Linear Bar Code ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-13-id-automation-linear-barcode.html 23954 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"I|00|D|00|A|00|u|00|t|00|o|00|.|00|B|00|a|00|r|00|C|00|o|00|d|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q6>\x22|\x27|)I\x00D\x00A\x00u\x00t\x00o\x00.\x00B\x00a\x00r\x00C\x00o\x00d\x00e\x00(?P=q6)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q7>\x22|\x27|)I\x00D\x00A\x00u\x00t\x00o\x00.\x00B\x00a\x00r\x00C\x00o\x00d\x00e\x00(?P=q7)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11296 WEB-ACTIVEX IDAutomation Linear Bar Code ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-13-id-automation-linear-barcode.html 23969 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"24E0CD64-A8DE-4BE4-9706-4CFC89D212C9"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q8>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*24E0CD64-A8DE-4BE4-9706-4CFC89D212C9\s*}?\s*(?P=q8)(\s|>).*(?P=id1)\s*\.\s*(ConnectToDatabase)|<object\s*[^>]*\s*classid\s*=\s*(?P<q9>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*24E0CD64-A8DE-4BE4-9706-4CFC89D212C9\s*}?\s*(?P=q9)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(ConnectToDatabase))\s*\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 11297 WEB-ACTIVEX Clever Database Comparer ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-14-clever-database-comparer.html 23969 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|4|00|E|00|0|00|C|00|D|00|6|00|4|00|-|00|A|00|8|00|D|00|E|00|-|00|4|00|B|00|E|00|4|00|-|00|9|00|7|00|0|00|6|00|-|00|4|00|C|00|F|00|C|00|8|00|9|00|D|00|2|00|1|00|2|00|C|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q10>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q10)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11298 WEB-ACTIVEX Clever Database Comparer ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-14-clever-database-comparer.html 23969 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"comparerax.IBDBExtract"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22comparerax\.IBDBExtract\x22|\x27comparerax\.IBDBExtract\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*ConnectToDatabase\s*|.*(?P=v)\s*\.\s*ConnectToDatabase\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22comparerax\.IBDBExtract\x22|\x27comparerax\.IBDBExtract\x27)\s*\)(\s*\.\s*ConnectToDatabase\s*|.*(?P=n)\s*\.\s*ConnectToDatabase\s*)\s*\(/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11299 WEB-ACTIVEX Clever Database Comparer ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-14-clever-database-comparer.html 23969 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"c|00|o|00|m|00|p|00|a|00|r|00|e|00|r|00|a|00|x|00|.|00|I|00|B|00|D|00|B|00|E|00|x|00|t|00|r|00|a|00|c|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q11>\x22|\x27|)c\x00o\x00m\x00p\x00a\x00r\x00e\x00r\x00a\x00x\x00.\x00I\x00B\x00D\x00B\x00E\x00x\x00t\x00r\x00a\x00c\x00t\x00(?P=q11)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q12>\x22|\x27|)c\x00o\x00m\x00p\x00a\x00r\x00e\x00r\x00a\x00x\x00.\x00I\x00B\x00D\x00B\x00E\x00x\x00t\x00r\x00a\x00c\x00t\x00(?P=q12)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11300 WEB-ACTIVEX Clever Database Comparer ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-14-clever-database-comparer.html 23986 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"90403303-EF21-4771-A41A-651089892EDD"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q13>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*90403303-EF21-4771-A41A-651089892EDD\s*}?\s*(?P=q13)(\s|>).*(?P=id1)\s*\.\s*(SaveToFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q14>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*90403303-EF21-4771-A41A-651089892EDD\s*}?\s*(?P=q14)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\.(SaveToFile))\s*\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 11301 WEB-ACTIVEX DB Software Laboratory DeWizardX ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms07-027.mspx 23986 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|0|00|4|00|0|00|3|00|3|00|0|00|3|00|-|00|E|00|F|00|2|00|1|00|-|00|4|00|7|00|7|00|1|00|-|00|A|00|4|00|1|00|A|00|-|00|6|00|5|00|1|00|0|00|8|00|9|00|8|00|9|00|2|00|E|00|D|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q15>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q15)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11302 WEB-ACTIVEX DB Software Laboratory DeWizardX ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms07-027.mspx 23986 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DEWizardAX.DEWizardX"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22DEWizardAX\.DEWizardX\x22|\x27DEWizardAX\.DEWizardX\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveToFile\s*|.*(?P=v)\s*\.\s*SaveToFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DEWizardAX\.DEWizardX\x22|\x27DEWizardAX\.DEWizardX\x27)\s*\)(\s*\.\s*SaveToFile\s*|.*(?P=n)\s*\.\s*SaveToFile\s*)\s*\(/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11303 WEB-ACTIVEX DB Software Laboratory DeWizardX ActiveX function call access www.microsoft.com/technet/security/bulletin/ms07-027.mspx 23986 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|E|00|W|00|i|00|z|00|a|00|r|00|d|00|A|00|X|00|.|00|D|00|E|00|W|00|i|00|z|00|a|00|r|00|d|00|X|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q16>\x22|\x27|)D\x00E\x00W\x00i\x00z\x00a\x00r\x00d\x00A\x00X\x00.\x00D\x00E\x00W\x00i\x00z\x00a\x00r\x00d\x00X\x00(?P=q16)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q17>\x22|\x27|)D\x00E\x00W\x00i\x00z\x00a\x00r\x00d\x00A\x00X\x00.\x00D\x00E\x00W\x00i\x00z\x00a\x00r\x00d\x00X\x00(?P=q17)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11304 WEB-ACTIVEX DB Software Laboratory DeWizardX ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/ms07-027.mspx attempted-user 2007-0942 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ID2"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22ID2\x22|\x27ID2\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ID2\x22|\x27ID2\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11324 WEB-ACTIVEX Microsoft Input Method Editor 3 ActiveX function call access www.xsec.org/index.php?module=releases&act=view&type=1&id=9 attempted-user 2007-0942 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"I|00|D|00|2|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)I\x00D\x002\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)I\x00D\x002\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11325 WEB-ACTIVEX Microsoft Input Method Editor 3 ActiveX function call unicode access www.xsec.org/index.php?module=releases&act=view&type=1&id=9 23866 attempted-admin 2007-2508 tcp $EXTERNAL_NET any -> $HOME_NET 3628 flow:to_server,established; content:"|00|"; content:"|00 00 14 00 1F 00|"; within:6; distance:20; isdataat:100,relative; content:!"|00 00|"; within:96; distance:4; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 11618 EXPLOIT Trend Micro ServerProtect EarthAgent DCE-RPC Stack overflow 24341 attempted-user 2007-3147 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DCE2F8B1-A520-11D4-8FD0-00D0B7730277"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DCE2F8B1-A520-11D4-8FD0-00D0B7730277\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(server)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DCE2F8B1-A520-11D4-8FD0-00D0B7730277\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(server))\s*=/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 11822 WEB-ACTIVEX Yahoo Webcam Upload ActiveX clsid access 24341 attempted-user 2007-3147 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|C|00|E|00|2|00|F|00|8|00|B|00|1|00|-|00|A|00|5|00|2|00|0|00|-|00|1|00|1|00|D|00|4|00|-|00|8|00|F|00|D|00|0|00|-|00|0|00|0|00|D|00|0|00|B|00|7|00|7|00|3|00|0|00|2|00|7|00|7|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q8>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 11823 WEB-ACTIVEX Yahoo Webcam Upload ActiveX clsid unicode access 24341 attempted-user 2007-3147 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"YWcUpl.WcUpload"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22YWcUpl\.WcUpload\x22|\x27YWcUpl\.WcUpload\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*server\s*|.*(?P=v)\s*\.\s*server\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22YWcUpl\.WcUpload\x22|\x27YWcUpl\.WcUpload\x27)\s*\)(\s*\.\s*server\s*|.*(?P=n)\s*\.\s*server)\s*=/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 11824 WEB-ACTIVEX Yahoo Webcam Upload ActiveX function call access 24341 attempted-user 2007-3147 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Y|00|W|00|c|00|U|00|p|00|l|00|.|00|W|00|c|00|U|00|p|00|l|00|o|00|a|00|d|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q9>\x22|\x27|)Y\x00W\x00c\x00U\x00p\x00l\x00.\x00W\x00c\x00U\x00p\x00l\x00o\x00a\x00d\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q10>\x22|\x27|)Y\x00W\x00c\x00U\x00p\x00l\x00.\x00W\x00c\x00U\x00p\x00l\x00o\x00a\x00d\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 11825 WEB-ACTIVEX Yahoo Webcam Upload ActiveX function call unicode access 24596 attempted-user 2007-3435 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C26D9CA8-6747-11D5-AD4B-C01857C10000"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C26D9CA8-6747-11D5-AD4B-C01857C10000\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(BeginPrint)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C26D9CA8-6747-11D5-AD4B-C01857C10000\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(BeginPrint))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12010 WEB-ACTIVEX RKD Software BarCode ActiveX clsid access 24596 attempted-user 2007-3435 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|2|00|6|00|D|00|9|00|C|00|A|00|8|00|-|00|6|00|7|00|4|00|7|00|-|00|1|00|1|00|D|00|5|00|-|00|A|00|D|00|4|00|B|00|-|00|C|00|0|00|1|00|8|00|5|00|7|00|C|00|1|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12011 WEB-ACTIVEX RKD Software BarCode ActiveX clsid unicode access 24596 attempted-user 2007-3435 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ABarCode.ActiveBC"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22ABarCode\.ActiveBC\x22|\x27ABarCode\.ActiveBC\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*BeginPrint\s*|.*(?P=v)\s*\.\s*BeginPrint\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ABarCode\.ActiveBC\x22|\x27ABarCode\.ActiveBC\x27)\s*\)(\s*\.\s*BeginPrint\s*|.*(?P=n)\s*\.\s*BeginPrint\s*)\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12012 WEB-ACTIVEX RKD Software BarCode ActiveX function call access 24596 attempted-user 2007-3435 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|B|00|a|00|r|00|C|00|o|00|d|00|e|00|.|00|A|00|c|00|t|00|i|00|v|00|e|00|B|00|C|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)A\x00B\x00a\x00r\x00C\x00o\x00d\x00e\x00.\x00A\x00c\x00t\x00i\x00v\x00e\x00B\x00C\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)A\x00B\x00a\x00r\x00C\x00o\x00d\x00e\x00.\x00A\x00c\x00t\x00i\x00v\x00e\x00B\x00C\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12013 WEB-ACTIVEX RKD Software BarCode ActiveX function call unicode access attempted-admin 2007-0040 tcp $EXTERNAL_NET any -> $HOME_NET [389,3268] flow:to_server,established; content:"0"; depth:1; content:"|66 84|"; within:12; byte_test:4,>,0x0F0000,0,relative; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 12069 EXPLOIT Microsoft Windows Active Directory Crafted LDAP ModifyRequest www.microsoft.com/technet/security/Bulletin/MS07-039.mspx trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 443 flow:to_server,established; content:"|99 F3 00 00 00 00 00 00 FF FF FF FF|"; depth:12; flowbits:set,AccessRemotePC_RPCdetection; flowbits:noalert; classtype:trojan-activity; 12144 BACKDOOR access remote pc runtime detection - rpc setup 24653 rpc-portmap-decode 2007-2798 tcp $EXTERNAL_NET any -> $HOME_NET [749,1024:] flow:established,to_server; content:"|00 00 08|@"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,8192,4,relative; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; classtype:rpc-portmap-decode; 12187 RPC portmap 2112 tcp rename_principal attempt web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt 24653 rpc-portmap-decode 2007-2798 udp $EXTERNAL_NET any -> $HOME_NET [749,1024:] flow:to_server; content:"|00 00 08|@"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,8192,4,relative; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; classtype:rpc-portmap-decode; 12188 RPC portmap 2112 udp rename_principal attempt web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt attempted-user 2008-1442 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"substringData"; nocase; pcre:"/\w+\.substringData\([^\),]+,\s*(\d{4,}|25[7-9]|2[6-9][0-9]|[3-9][0-9]{2}|0x0*([1-9a-f][1-9a-f]{3,}|[2-9a-f][0-9a-f]{2}|1([0-9a-f][0-9a-f]|0[1-9a-f])))/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12279 WEB-CLIENT Microsoft XML substringData integer overflow attempt www.microsoft.com/technet/security/Bulletin/MS08-031.mspx 25395 protocol-command-decode 2007-4218 tcp $EXTERNAL_NET any -> $HOME_NET 5168 flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|08 05 03 00|"; within:4; byte_test:4,>,528,0,little,relative; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:protocol-command-decode; 12307 NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetPagerNotifyConfig attempt 25395 protocol-command-decode 2007-4218 tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|00 1F 00|"; within:3; distance:1; byte_test:4,>,512,0,little,relative; content:"|05 00 00|"; metadata:policy security-ips drop, service dcerpc; classtype:protocol-command-decode; 12317 NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect-earthagent RPCFN_CopyAUSrc attempt 25395 protocol-command-decode 2007-4218 tcp $EXTERNAL_NET any -> $HOME_NET 5168 flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|0C 01 03 00|"; within:4; byte_test:4,>,512,0,little,relative; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service dcerpc; classtype:protocol-command-decode; 12326 NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _AddTaskExportLogItem attempt 25395 protocol-command-decode 2007-4218 tcp $EXTERNAL_NET any -> $HOME_NET 5168 flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"D|00 03 00|"; within:4; byte_test:4,>,520,0,little,relative; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service dcerpc; classtype:protocol-command-decode; 12332 NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _TakeActionOnAFile attempt 25395 attempted-admin 2007-4218 tcp $EXTERNAL_NET any -> $HOME_NET 5168 flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; pcre:"/^(\x10|\x0d)/Rs"; content:"|00 03 00|"; within:3; byte_test:4,>,38,0,little,relative; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:attempted-admin; 12335 NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_30010 overflow attempt 25395 protocol-command-decode 2007-4218 tcp $EXTERNAL_NET any -> $HOME_NET 5168 flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"0|00 0A 00|"; within:4; byte_test:4,>,260,0,little,relative; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:protocol-command-decode; 12341 NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_a0030 attempt 25395 protocol-command-decode 2007-4218 tcp $EXTERNAL_NET any -> $HOME_NET 5168 flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|10 00 0A 00|"; within:4; byte_test:4,>,520,0,little,relative; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:protocol-command-decode; 12347 NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetSvcImpersonateUser attempt 1163 attempted-recon 2000-0347 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:to_server,established; content:"BEAVIS"; content:"yep yep"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:attempted-recon; 1239 NETBIOS RFParalyze Attempt 10392 25544 attempted-user 2007-4471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CF9DEB90-8DE3-11D5-BAE4-00105AAAFF94"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CF9DEB90-8DE3-11D5-BAE4-00105AAAFF94\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(httpGETToFile|httpPOSTFromFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CF9DEB90-8DE3-11D5-BAE4-00105AAAFF94\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(httpGETToFile|httpPOSTFromFile))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12393 WEB-ACTIVEX Intuit QuickBooks Online Edition 1 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 25544 attempted-user 2007-4471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|F|00|9|00|D|00|E|00|B|00|9|00|0|00|-|00|8|00|D|00|E|00|3|00|-|00|1|00|1|00|D|00|5|00|-|00|B|00|A|00|E|00|4|00|-|00|0|00|0|00|1|00|0|00|5|00|A|00|A|00|A|00|F|00|F|00|9|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12394 WEB-ACTIVEX Intuit QuickBooks Online Edition 1 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 25544 attempted-user 2007-4471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4F720B9C-24B1-4948-A035-8853DC01F19E"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4F720B9C-24B1-4948-A035-8853DC01F19E\s*}?\s*(?P=q7)(\s|>).*(?P=id1)\s*\.\s*(httpGETToFile|httpPOSTFromFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q8>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4F720B9C-24B1-4948-A035-8853DC01F19E\s*}?\s*(?P=q8)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\.(httpGETToFile|httpPOSTFromFile))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12395 WEB-ACTIVEX Intuit QuickBooks Online Edition 2 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 25544 attempted-user 2007-4471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|F|00|7|00|2|00|0|00|B|00|9|00|C|00|-|00|2|00|4|00|B|00|1|00|-|00|4|00|9|00|4|00|8|00|-|00|A|00|0|00|3|00|5|00|-|00|8|00|8|00|5|00|3|00|D|00|C|00|0|00|1|00|F|00|1|00|9|00|E|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q9>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q9)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12396 WEB-ACTIVEX Intuit QuickBooks Online Edition 2 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 25544 attempted-user 2007-4471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2EFF8C97-F2A8-4395-9F47-9A06F998BF88"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q10>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2EFF8C97-F2A8-4395-9F47-9A06F998BF88\s*}?\s*(?P=q10)(\s|>).*(?P=id1)\s*\.\s*(httpGETToFile|httpPOSTFromFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q11>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2EFF8C97-F2A8-4395-9F47-9A06F998BF88\s*}?\s*(?P=q11)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\.(httpGETToFile|httpPOSTFromFile))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12397 WEB-ACTIVEX Intuit QuickBooks Online Edition 3 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 25544 attempted-user 2007-4471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|E|00|F|00|F|00|8|00|C|00|9|00|7|00|-|00|F|00|2|00|A|00|8|00|-|00|4|00|3|00|9|00|5|00|-|00|9|00|F|00|4|00|7|00|-|00|9|00|A|00|0|00|6|00|F|00|9|00|9|00|8|00|B|00|F|00|8|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q12>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q12)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12398 WEB-ACTIVEX Intuit QuickBooks Online Edition 3 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 25544 attempted-user 2007-4471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2CC3D8DE-18BF-43ff-8CB8-21B442300FD5"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m9>\x22|\x27|)(?P<id1>.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P<q13>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2CC3D8DE-18BF-43ff-8CB8-21B442300FD5\s*}?\s*(?P=q13)(\s|>).*(?P=id1)\s*\.\s*(httpGETToFile|httpPOSTFromFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q14>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2CC3D8DE-18BF-43ff-8CB8-21B442300FD5\s*}?\s*(?P=q14)(\s|>)[^>]*\s*id\s*=\s*(?P<m10>\x22|\x27|)(?P<id2>.+?)(?P=m10)(\s|>).*(?P=id2)\.(httpGETToFile|httpPOSTFromFile))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12399 WEB-ACTIVEX Intuit QuickBooks Online Edition 4 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 25544 attempted-user 2007-4471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|C|00|C|00|3|00|D|00|8|00|D|00|E|00|-|00|1|00|8|00|B|00|F|00|-|00|4|00|3|00|f|00|f|00|-|00|8|00|C|00|B|00|8|00|-|00|2|00|1|00|B|00|4|00|4|00|2|00|3|00|0|00|0|00|F|00|D|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q15>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q15)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12400 WEB-ACTIVEX Intuit QuickBooks Online Edition 4 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 25544 attempted-user 2007-4471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DBB177CC-6908-4b53-9BEE-F1C697818D65"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m11>\x22|\x27|)(?P<id1>.+?)(?P=m11)(\s|>)[^>]*\s*classid\s*=\s*(?P<q16>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DBB177CC-6908-4b53-9BEE-F1C697818D65\s*}?\s*(?P=q16)(\s|>).*(?P=id1)\s*\.\s*(httpGETToFile|httpPOSTFromFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q17>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DBB177CC-6908-4b53-9BEE-F1C697818D65\s*}?\s*(?P=q17)(\s|>)[^>]*\s*id\s*=\s*(?P<m12>\x22|\x27|)(?P<id2>.+?)(?P=m12)(\s|>).*(?P=id2)\.(httpGETToFile|httpPOSTFromFile))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12401 WEB-ACTIVEX Intuit QuickBooks Online Edition 5 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 25544 attempted-user 2007-4471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|B|00|B|00|1|00|7|00|7|00|C|00|C|00|-|00|6|00|9|00|0|00|8|00|-|00|4|00|b|00|5|00|3|00|-|00|9|00|B|00|E|00|E|00|-|00|F|00|1|00|C|00|6|00|9|00|7|00|8|00|1|00|8|00|D|00|6|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q18>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q18)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12402 WEB-ACTIVEX Intuit QuickBooks Online Edition 5 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 25544 attempted-user 2007-4471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A80D199B-CFDD-4da4-8C47-2310D5B8DD97"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m13>\x22|\x27|)(?P<id1>.+?)(?P=m13)(\s|>)[^>]*\s*classid\s*=\s*(?P<q19>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A80D199B-CFDD-4da4-8C47-2310D5B8DD97\s*}?\s*(?P=q19)(\s|>).*(?P=id1)\s*\.\s*(httpGETToFile|httpPOSTFromFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q20>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A80D199B-CFDD-4da4-8C47-2310D5B8DD97\s*}?\s*(?P=q20)(\s|>)[^>]*\s*id\s*=\s*(?P<m14>\x22|\x27|)(?P<id2>.+?)(?P=m14)(\s|>).*(?P=id2)\.(httpGETToFile|httpPOSTFromFile))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12403 WEB-ACTIVEX Intuit QuickBooks Online Edition 6 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 25544 attempted-user 2007-4471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|8|00|0|00|D|00|1|00|9|00|9|00|B|00|-|00|C|00|F|00|D|00|D|00|-|00|4|00|d|00|a|00|4|00|-|00|8|00|C|00|4|00|7|00|-|00|2|00|3|00|1|00|0|00|D|00|5|00|B|00|8|00|D|00|D|00|9|00|7|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q21>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q21)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12404 WEB-ACTIVEX Intuit QuickBooks Online Edition 6 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 25544 attempted-user 2007-4471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0D3983A9-4E29-4f33-8313-DA22B29D3F87"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m15>\x22|\x27|)(?P<id1>.+?)(?P=m15)(\s|>)[^>]*\s*classid\s*=\s*(?P<q22>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D3983A9-4E29-4f33-8313-DA22B29D3F87\s*}?\s*(?P=q22)(\s|>).*(?P=id1)\s*\.\s*(httpGETToFile|httpPOSTFromFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q23>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0D3983A9-4E29-4f33-8313-DA22B29D3F87\s*}?\s*(?P=q23)(\s|>)[^>]*\s*id\s*=\s*(?P<m16>\x22|\x27|)(?P<id2>.+?)(?P=m16)(\s|>).*(?P=id2)\.(httpGETToFile|httpPOSTFromFile))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12405 WEB-ACTIVEX Intuit QuickBooks Online Edition 7 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 25544 attempted-user 2007-4471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|D|00|3|00|9|00|8|00|3|00|A|00|9|00|-|00|4|00|E|00|2|00|9|00|-|00|4|00|f|00|3|00|3|00|-|00|8|00|3|00|1|00|3|00|-|00|D|00|A|00|2|00|2|00|B|00|2|00|9|00|D|00|3|00|F|00|8|00|7|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q24>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q24)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12406 WEB-ACTIVEX Intuit QuickBooks Online Edition 7 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 25544 attempted-user 2007-4471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D92D7607-05D9-4dd8-B68B-D458948FB883"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m17>\x22|\x27|)(?P<id1>.+?)(?P=m17)(\s|>)[^>]*\s*classid\s*=\s*(?P<q25>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D92D7607-05D9-4dd8-B68B-D458948FB883\s*}?\s*(?P=q25)(\s|>).*(?P=id1)\s*\.\s*(httpGETToFile|httpPOSTFromFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q26>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D92D7607-05D9-4dd8-B68B-D458948FB883\s*}?\s*(?P=q26)(\s|>)[^>]*\s*id\s*=\s*(?P<m18>\x22|\x27|)(?P<id2>.+?)(?P=m18)(\s|>).*(?P=id2)\.(httpGETToFile|httpPOSTFromFile))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12407 WEB-ACTIVEX Intuit QuickBooks Online Edition 8 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 25544 attempted-user 2007-4471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|9|00|2|00|D|00|7|00|6|00|0|00|7|00|-|00|0|00|5|00|D|00|9|00|-|00|4|00|d|00|d|00|8|00|-|00|B|00|6|00|8|00|B|00|-|00|D|00|4|00|5|00|8|00|9|00|4|00|8|00|F|00|B|00|8|00|8|00|3|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q27>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q27)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12408 WEB-ACTIVEX Intuit QuickBooks Online Edition 8 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 25544 attempted-user 2007-4471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8CE3BAE6-AB66-40b6-9019-41E5282FF1E2"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m19>\x22|\x27|)(?P<id1>.+?)(?P=m19)(\s|>)[^>]*\s*classid\s*=\s*(?P<q28>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8CE3BAE6-AB66-40b6-9019-41E5282FF1E2\s*}?\s*(?P=q28)(\s|>).*(?P=id1)\s*\.\s*(httpGETToFile|httpPOSTFromFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q29>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8CE3BAE6-AB66-40b6-9019-41E5282FF1E2\s*}?\s*(?P=q29)(\s|>)[^>]*\s*id\s*=\s*(?P<m20>\x22|\x27|)(?P<id2>.+?)(?P=m20)(\s|>).*(?P=id2)\.(httpGETToFile|httpPOSTFromFile))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12409 WEB-ACTIVEX Intuit QuickBooks Online Edition 9 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 25544 attempted-user 2007-4471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|C|00|E|00|3|00|B|00|A|00|E|00|6|00|-|00|A|00|B|00|6|00|6|00|-|00|4|00|0|00|b|00|6|00|-|00|9|00|0|00|1|00|9|00|-|00|4|00|1|00|E|00|5|00|2|00|8|00|2|00|F|00|F|00|1|00|E|00|2|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q30>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q30)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12410 WEB-ACTIVEX Intuit QuickBooks Online Edition 9 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 25544 attempted-user 2007-4471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"40F8967E-34A6-474a-837A-CEC1E7DAC54C"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q4>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*40F8967E-34A6-474a-837A-CEC1E7DAC54C\s*}?\s*(?P=q4)(\s|>).*(?P=id1)\s*\.\s*(httpGETToFile|httpPOSTFromFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*40F8967E-34A6-474a-837A-CEC1E7DAC54C\s*}?\s*(?P=q5)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(httpGETToFile|httpPOSTFromFile))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12411 WEB-ACTIVEX Intuit QuickBooks Online Edition 10 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 25544 attempted-user 2007-4471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|0|00|F|00|8|00|9|00|6|00|7|00|E|00|-|00|3|00|4|00|A|00|6|00|-|00|4|00|7|00|4|00|a|00|-|00|8|00|3|00|7|00|A|00|-|00|C|00|E|00|C|00|1|00|E|00|7|00|D|00|A|00|C|00|5|00|4|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q6>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12412 WEB-ACTIVEX Intuit QuickBooks Online Edition 10 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 25977 attempted-user 2007-5322 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"EF28418F-FFB2-11D0-861A-00A0C903A97F"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EF28418F-FFB2-11D0-861A-00A0C903A97F\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(FoxDoCmd)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EF28418F-FFB2-11D0-861A-00A0C903A97F\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(FoxDoCmd))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12417 WEB-ACTIVEX Microsoft Visual FoxPro ActiveX clsid access 25977 attempted-user 2007-5322 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|F|00|2|00|8|00|4|00|1|00|8|00|F|00|-|00|F|00|F|00|B|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|6|00|1|00|A|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|3|00|A|00|9|00|7|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12418 WEB-ACTIVEX Microsoft Visual FoxPro ActiveX clsid unicode access 25977 attempted-user 2007-5322 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"fpolectl.fpolectl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22fpolectl\.fpolectl\x22|\x27fpolectl\.fpolectl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*FoxDoCmd\s*|.*(?P=v)\s*\.\s*FoxDoCmd\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22fpolectl\.fpolectl\x22|\x27fpolectl\.fpolectl\x27)\s*\)(\s*\.\s*FoxDoCmd\s*|.*(?P=n)\s*\.\s*FoxDoCmd\s*)\s*\(/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12419 WEB-ACTIVEX Microsoft Visual FoxPro ActiveX function call access 25977 attempted-user 2007-5322 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"f|00|p|00|o|00|l|00|e|00|c|00|t|00|l|00|.|00|f|00|p|00|o|00|l|00|e|00|c|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)f\x00p\x00o\x00l\x00e\x00c\x00t\x00l\x00.\x00f\x00p\x00o\x00l\x00e\x00c\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)f\x00p\x00o\x00l\x00e\x00c\x00t\x00l\x00.\x00f\x00p\x00o\x00l\x00e\x00c\x00t\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12420 WEB-ACTIVEX Microsoft Visual FoxPro ActiveX function call unicode access 25702 attempted-user 2007-4982 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3BB56637-651D-4D1D-AFA4-C0506F57EAF8"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m9>\x22|\x27|)(?P<id1>.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P<q21>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3BB56637-651D-4D1D-AFA4-C0506F57EAF8\s*}?\s*(?P=q21)(\s|>).*(?P=id1)\s*\.\s*(SaveAsBMP|SaveAsWMF)|<object\s*[^>]*\s*classid\s*=\s*(?P<q22>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3BB56637-651D-4D1D-AFA4-C0506F57EAF8\s*}?\s*(?P=q22)(\s|>)[^>]*\s*id\s*=\s*(?P<m10>\x22|\x27|)(?P<id2>.+?)(?P=m10)(\s|>).*(?P=id2)\.(SaveAsBMP|SaveAsWMF))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12466 WEB-ACTIVEX MW6 Technologies QRCode ActiveX clsid access 25702 attempted-user 2007-4982 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|B|00|B|00|5|00|6|00|6|00|3|00|7|00|-|00|6|00|5|00|1|00|D|00|-|00|4|00|D|00|1|00|D|00|-|00|A|00|F|00|A|00|4|00|-|00|C|00|0|00|5|00|0|00|6|00|F|00|5|00|7|00|E|00|A|00|F|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q23>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x00B\x00B\x005\x006\x006\x003\x007\x00-\x006\x005\x001\x00D\x00-\x004\x00D\x001\x00D\x00-\x00A\x00F\x00A\x004\x00-\x00C\x000\x005\x000\x006\x00F\x005\x007\x00E\x00A\x00F\x008\x00(}\x00)?(?P=q23)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12467 WEB-ACTIVEX MW6 Technologies QRCode ActiveX clsid unicode access protocol-command-decode 2006-6723 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:6bffd098-a112-3610-9833-46c3f87e345a; dce_opnum:2; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; 12489 NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrWkstaGetInfo attempt 25697 attempted-user 2007-4916 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F3F381A3-4795-41FF-8190-7AA2A8102F85"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F3F381A3-4795-41FF-8190-7AA2A8102F85\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(FindFile|ListFiles)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F3F381A3-4795-41FF-8190-7AA2A8102F85\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(FindFile|ListFiles))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12612 WEB-ACTIVEX Microsoft Windows MFC Library ActiveX clsid access 25697 attempted-user 2007-4916 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|3|00|F|00|3|00|8|00|1|00|A|00|3|00|-|00|4|00|7|00|9|00|5|00|-|00|4|00|1|00|F|00|F|00|-|00|8|00|1|00|9|00|0|00|-|00|7|00|A|00|A|00|2|00|A|00|8|00|1|00|0|00|2|00|F|00|8|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x003\x00F\x003\x008\x001\x00A\x003\x00-\x004\x007\x009\x005\x00-\x004\x001\x00F\x00F\x00-\x008\x001\x009\x000\x00-\x007\x00A\x00A\x002\x00A\x008\x001\x000\x002\x00F\x008\x005\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12613 WEB-ACTIVEX Microsoft Windows MFC Library ActiveX clsid unicode access 25697 attempted-user 2007-4916 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"HpqUtil.System"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22HpqUtil\.System(\.\d)?\x22|\x27HpqUtil\.System(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(FindFile|ListFiles)\s*|.*(?P=v)\s*\.\s*(FindFile|ListFiles)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HpqUtil\.System(\.\d)?\x22|\x27HpqUtil\.System(\.\d)?\x27)\s*\)(\s*\.\s*(FindFile|ListFiles)\s*|.*(?P=n)\s*\.\s*(FindFile|ListFiles)\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12614 WEB-ACTIVEX Microsoft Windows MFC Library ActiveX function call access 25697 attempted-user 2007-4916 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"H|00|p|00|q|00|U|00|t|00|i|00|l|00|.|00|S|00|y|00|s|00|t|00|e|00|m|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)H\x00p\x00q\x00U\x00t\x00i\x00l\x00.\x00S\x00y\x00s\x00t\x00e\x00m\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)H\x00p\x00q\x00U\x00t\x00i\x00l\x00.\x00S\x00y\x00s\x00t\x00e\x00m\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12615 WEB-ACTIVEX Microsoft Windows MFC Library ActiveX function call unicode access 25945 attempted-user 2007-3896 tcp $EXTERNAL_NET 80 -> $HOME_NET any flow:to_client,established; content:"BEGIN|3A|VCARD"; fast_pattern:only; pcre:"/^URL\x3b\w+\x3amailto\x3a[^\n]*%[^\n]*\.(cmd|bat)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 12664 MISC Microsoft Windows ShellExecute and IE7 url handling code execution attempt www.microsoft.com/technet/security/bulletin/ms07-057.mspx 25945 attempted-user 2007-3896 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|22|.bat"; nocase; pcre:"/(mailto|telnet|news|nntp|snews)\x3A[^\n]*\x25[^\n]*\x22\x2Ebat/i"; metadata:policy security-ips alert, service http; classtype:attempted-user; 12687 WEB-CLIENT Microsoft Windows ShellExecute and IE7 url handling code execution attempt www.microsoft.com/technet/security/bulletin/ms07-061.mspx 25945 attempted-user 2007-3896 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|22|.cmd"; nocase; pcre:"/(mailto|telnet|news|nntp|snews)\x3A[^\n]*\x25[^\n]*\x22\x2Ecmd/i"; metadata:policy security-ips alert, service http; classtype:attempted-user; 12688 WEB-CLIENT Microsoft Windows ShellExecute and IE7 url handling code execution attempt www.microsoft.com/technet/security/bulletin/ms07-061.mspx 26573 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"47F59200-8783-11D2-8343-00A0C945A819"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*47F59200-8783-11D2-8343-00A0C945A819\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DoInstall|QueryComponents)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*47F59200-8783-11D2-8343-00A0C945A819\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DoInstall|QueryComponents))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12751 WEB-ACTIVEX RichFX Basic Player ActiveX clsid access 26573 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|7|00|F|00|5|00|9|00|2|00|0|00|0|00|-|00|8|00|7|00|8|00|3|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|3|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|4|00|5|00|A|00|8|00|1|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12752 WEB-ACTIVEX RichFX Basic Player ActiveX clsid unicode access 26573 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"RFXInstMgr.RFXInstMgr"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22RFXInstMgr\.RFXInstMgr\x22|\x27RFXInstMgr\.RFXInstMgr\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DoInstall|QueryComponents)\s*|.*(?P=v)\s*\.\s*(DoInstall|QueryComponents)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22RFXInstMgr\.RFXInstMgr\x22|\x27RFXInstMgr\.RFXInstMgr\x27)\s*\)(\s*\.\s*(DoInstall|QueryComponents)\s*|.*(?P=n)\s*\.\s*(DoInstall|QueryComponents)\s*)\s*\(/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12753 WEB-ACTIVEX RichFX Basic Player ActiveX function call access 26573 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"R|00|F|00|X|00|I|00|n|00|s|00|t|00|M|00|g|00|r|00|.|00|R|00|F|00|X|00|I|00|n|00|s|00|t|00|M|00|g|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)R\x00F\x00X\x00I\x00n\x00s\x00t\x00M\x00g\x00r\x00.\x00R\x00F\x00X\x00I\x00n\x00s\x00t\x00M\x00g\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)R\x00F\x00X\x00I\x00n\x00s\x00t\x00M\x00g\x00r\x00.\x00R\x00F\x00X\x00I\x00n\x00s\x00t\x00M\x00g\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12754 WEB-ACTIVEX RichFX Basic Player ActiveX function call unicode access 26580 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"20C2C286-BDE8-441B-B73D-AFA22D914DA5"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*20C2C286-BDE8-441B-B73D-AFA22D914DA5\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(SetBkImage)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*20C2C286-BDE8-441B-B73D-AFA22D914DA5\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(SetBkImage))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12755 WEB-ACTIVEX PPStream PowerList ActiveX clsid access 26580 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|0|00|C|00|2|00|C|00|2|00|8|00|6|00|-|00|B|00|D|00|E|00|8|00|-|00|4|00|4|00|1|00|B|00|-|00|B|00|7|00|3|00|D|00|-|00|A|00|F|00|A|00|2|00|2|00|D|00|9|00|1|00|4|00|D|00|A|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q8>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12756 WEB-ACTIVEX PPStream PowerList ActiveX clsid unicode access 26656 attempted-user 2007-6228 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"02478D38-C3F9-4EFB-9B51-7695ECA05670"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*02478D38-C3F9-4EFB-9B51-7695ECA05670\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(c)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*02478D38-C3F9-4EFB-9B51-7695ECA05670\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(c))\s*\(/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 12762 WEB-ACTIVEX Yahoo Toolbar Helper Class ActiveX clsid access 26656 attempted-user 2007-6228 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|2|00|4|00|7|00|8|00|D|00|3|00|8|00|-|00|C|00|3|00|F|00|9|00|-|00|4|00|E|00|F|00|B|00|-|00|9|00|B|00|5|00|1|00|-|00|7|00|6|00|9|00|5|00|E|00|C|00|A|00|0|00|5|00|6|00|7|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 12763 WEB-ACTIVEX Yahoo Toolbar Helper Class ActiveX clsid unicode access 26656 attempted-user 2007-6228 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"yt.ythelper"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22yt\.ythelper\x22|\x27yt\.ythelper\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*c\s*|.*(?P=v)\s*\.\s*c\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22yt\.ythelper\x22|\x27yt\.ythelper\x27)\s*\)(\s*\.\s*c\s*|.*(?P=n)\s*\.\s*c\s*)\s*\(/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 12764 WEB-ACTIVEX Yahoo Toolbar Helper Class ActiveX function call access 26656 attempted-user 2007-6228 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"y|00|t|00|.|00|y|00|t|00|h|00|e|00|l|00|p|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)y\x00t\x00.\x00y\x00t\x00h\x00e\x00l\x00p\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)y\x00t\x00.\x00y\x00t\x00h\x00e\x00l\x00p\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 12765 WEB-ACTIVEX Yahoo Toolbar Helper Class ActiveX function call unicode access 17462 attempted-user 2006-0003 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"00C04FC29E36|7C|983A|7C|11D0|7C|65A3|7C 7C|BD96C556|7C 7C|clsid"; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 12770 SPECIFIC-THREATS obfuscated RDS.Dataspace ActiveX exploit attempt www.microsoft.com/technet/security/bulletin/MS06-014.mspx 25601 attempted-user 2007-4816 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"storm.setAttribute|28 22|classid|22|,|22|clsid|3A|6BE52E1D-E586-474f-A6E2-1A85A9B4D9FB|22 29|"; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 12771 SPECIFIC-THREATS obfuscated BaoFeng Storm MPS.dll ActiveX exploit attempt 25502 attempted-user 2007-4748 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"pps.setAttribute|28 22|classid|22|,|22|clsid|3A|5EC7C511-CD0F-42E6-830C-1BD9882F3458|22 29|"; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 12772 SPECIFIC-THREATS obfuscated PPStream PowerPlayer ActiveX exploit attempt 26536 attempted-user 2007-6144 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"<object id=|22|gl|22| classid=|22|clsid|3A|F3E70CEA-956E-49CC-B444-73AFE593AD7F|22|>"; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 12773 SPECIFIC-THREATS obfuscated Xunlei Thunder PPLAYER.DLL ActiveX exploit attempt 26244 attempted-user 2007-5722 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"<object classid=|22|clsid|3A|AE93C5DF-A990-11D1-AEBD-5254ABDD2B69|22|"; nocase; content:"LoveVChenzi"; distance:0; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 12774 SPECIFIC-THREATS obfuscated GlobalLink ConnectAndEnterRoom ActiveX exploit attempt 26675 attempted-user 2007-6262 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E23FE9C6-778E-49D4-B537-38FCDE4887D8"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E23FE9C6-778E-49D4-B537-38FCDE4887D8\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(addTarget|getVariable|setVariable)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E23FE9C6-778E-49D4-B537-38FCDE4887D8\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(addTarget|getVariable|setVariable))\s*\(/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 12803 WEB-ACTIVEX VideoLAN VLC ActiveX clsid access www.videolan.org/sa0703.html 26675 attempted-user 2007-6262 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|2|00|3|00|F|00|E|00|9|00|C|00|6|00|-|00|7|00|7|00|8|00|E|00|-|00|4|00|9|00|D|00|4|00|-|00|B|00|5|00|3|00|7|00|-|00|3|00|8|00|F|00|C|00|D|00|E|00|4|00|8|00|8|00|7|00|D|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 12804 WEB-ACTIVEX VideoLAN VLC ActiveX clsid unicode access www.videolan.org/sa0703.html 26675 attempted-user 2007-6262 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VideoLAN.VLCPlugin"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VideoLAN\.VLCPlugin\x22|\x27VideoLAN\.VLCPlugin\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(addTarget|getVariable|setVariable)\s*|.*(?P=v)\s*\.\s*(addTarget|getVariable|setVariable)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VideoLAN\.VLCPlugin\x22|\x27VideoLAN\.VLCPlugin\x27)\s*\)(\s*\.\s*(addTarget|getVariable|setVariable)\s*|.*(?P=n)\s*\.\s*(addTarget|getVariable|setVariable)\s*)\s*\(/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 12805 WEB-ACTIVEX VideoLAN VLC ActiveX function call access www.videolan.org/sa0703.html 26675 attempted-user 2007-6262 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|i|00|d|00|e|00|o|00|L|00|A|00|N|00|.|00|V|00|L|00|C|00|P|00|l|00|u|00|g|00|i|00|n|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)V\x00i\x00d\x00e\x00o\x00L\x00A\x00N\x00.\x00V\x00L\x00C\x00P\x00l\x00u\x00g\x00i\x00n\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)V\x00i\x00d\x00e\x00o\x00L\x00A\x00N\x00.\x00V\x00L\x00C\x00P\x00l\x00u\x00g\x00i\x00n\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 12806 WEB-ACTIVEX VideoLAN VLC ActiveX function call unicode access www.videolan.org/sa0703.html 21220 attempted-admin 2006-5854 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:1; dce_stub_data; byte_test:4,>,458,4,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 12808 NETBIOS DCERPC NCACN-IP-TCP spoolss OpenPrinter overflow attempt 26015 protocol-command-decode 2007-5329 tcp $EXTERNAL_NET any -> $HOME_NET 6071 flow:established,to_server; dce_iface:88435ee0-861a-11ce-b86b-00001b27f656; dce_opnum:4; dce_stub_data; byte_test:4,>,256,0,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:protocol-command-decode; 12910 NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 4 attempt 26015 protocol-command-decode 2007-5329 tcp $EXTERNAL_NET any -> $HOME_NET 6071 flow:established,to_server; dce_iface:88435ee0-861a-11ce-b86b-00001b27f656; dce_opnum:12; dce_stub_data; byte_test:4,>,256,0,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service dcerpc; classtype:protocol-command-decode; 12916 NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 12 attempt 26015 protocol-command-decode 2007-5329 tcp $EXTERNAL_NET any -> $HOME_NET 6071 flow:established,to_server; dce_iface:88435ee0-861a-11ce-b86b-00001b27f656; dce_opnum:16; dce_stub_data; byte_test:4,>,256,0,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service dcerpc; classtype:protocol-command-decode; 12922 NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 16 attempt 26015 protocol-command-decode 2007-5329 tcp $EXTERNAL_NET any -> $HOME_NET 6071 flow:established,to_server; dce_iface:88435ee0-861a-11ce-b86b-00001b27f656; dce_opnum:18; dce_stub_data; byte_test:4,>,256,0,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:protocol-command-decode; 12928 NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 18 attempt 26015 protocol-command-decode 2007-5329 tcp $EXTERNAL_NET any -> $HOME_NET 6071 flow:established,to_server; dce_iface:88435ee0-861a-11ce-b86b-00001b27f656; dce_opnum:19; dce_stub_data; byte_test:4,>,256,0,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:protocol-command-decode; 12934 NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 19 attempt attempted-admin 2007-5351 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:to_server,established; byte_test:1,>,0xFD,4; content:"SMBr"; depth:4; offset:5; content:"|02|SMB 2.001|00|"; offset:36; metadata:policy security-ips alert, service netbios-dgm; classtype:attempted-admin; 12946 NETBIOS SMB-DS SMBv2 protocol negotiation attempt www.microsoft.com/technet/security/bulletin/MS07-063.mspx attempted-admin 2007-5351 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:to_server,established; byte_test:1,>,0xFD,4; content:"SMBr"; depth:4; offset:5; content:"|02|SMB 2.001|00|"; offset:36; metadata:policy security-ips alert, service netbios-ssn; classtype:attempted-admin; 12947 NETBIOS SMB SMBv2 protocol negotiation attempt www.microsoft.com/technet/security/bulletin/MS07-063.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"c1908682-7b2c-4ab0-b98e-183649a0bf84"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*c1908682-7b2c-4ab0-b98e-183649a0bf84\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12948 WEB-ACTIVEX Vantage Linguistics 1 ActiveX clsid access www.vantagelinguistics.com/answerworks/release/ attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"c|00|1|00|9|00|0|00|8|00|6|00|8|00|2|00|-|00|7|00|b|00|2|00|c|00|-|00|4|00|a|00|b|00|0|00|-|00|b|00|9|00|8|00|e|00|-|00|1|00|8|00|3|00|6|00|4|00|9|00|a|00|0|00|b|00|f|00|8|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12949 WEB-ACTIVEX Vantage Linguistics 1 ActiveX clsid unicode access www.vantagelinguistics.com/answerworks/release/ attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0f6a72b9-d3c5-4fce-89a3-4e3d19c3580a"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q3>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0f6a72b9-d3c5-4fce-89a3-4e3d19c3580a\s*}?\s*(?P=q3)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12950 WEB-ACTIVEX Vantage Linguistics 2 ActiveX clsid access www.vantagelinguistics.com/answerworks/release/ attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|f|00|6|00|a|00|7|00|2|00|b|00|9|00|-|00|d|00|3|00|c|00|5|00|-|00|4|00|f|00|c|00|e|00|-|00|8|00|9|00|a|00|3|00|-|00|4|00|e|00|3|00|d|00|1|00|9|00|c|00|3|00|5|00|8|00|0|00|a|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q4>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q4)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12951 WEB-ACTIVEX Vantage Linguistics 2 ActiveX clsid unicode access www.vantagelinguistics.com/answerworks/release/ attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"66b4546f-c263-11d1-b1c9-444553540000"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*66b4546f-c263-11d1-b1c9-444553540000\s*}?\s*(?P=q5)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12952 WEB-ACTIVEX Vantage Linguistics 3 ActiveX clsid access www.vantagelinguistics.com/answerworks/release/ attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|6|00|b|00|4|00|5|00|4|00|6|00|f|00|-|00|c|00|2|00|6|00|3|00|-|00|1|00|1|00|d|00|1|00|-|00|b|00|1|00|c|00|9|00|-|00|4|00|4|00|4|00|5|00|5|00|3|00|5|00|4|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q6>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12953 WEB-ACTIVEX Vantage Linguistics 3 ActiveX clsid unicode access www.vantagelinguistics.com/answerworks/release/ attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"201ea564-a6f6-11d1-811d-00c04fb6db36"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*201ea564-a6f6-11d1-811d-00c04fb6db36\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12954 WEB-ACTIVEX DXLTPI.DLL ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms07-069.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|0|00|1|00|e|00|a|00|5|00|6|00|4|00|-|00|a|00|6|00|f|00|6|00|-|00|1|00|1|00|d|00|1|00|-|00|8|00|1|00|1|00|d|00|-|00|0|00|0|00|c|00|0|00|4|00|f|00|b|00|6|00|d|00|b|00|3|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12955 WEB-ACTIVEX DXLTPI.DLL ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms07-069.mspx 11367 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|5|00|D|00|4|00|1|00|9|00|D|00|6|00|-|00|A|00|8|00|4|00|6|00|-|00|4|00|5|00|1|00|4|00|-|00|9|00|F|00|A|00|D|00|-|00|9|00|7|00|E|00|8|00|2|00|6|00|C|00|8|00|4|00|8|00|2|00|2|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12956 WEB-ACTIVEX MSN Heartbeat ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-069.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8c63daba-cba8-4b5d-a0f7-ae00f2920929"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8c63daba-cba8-4b5d-a0f7-ae00f2920929\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12957 WEB-ACTIVEX MSN Heartbeat 2 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-069.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|c|00|6|00|3|00|d|00|a|00|b|00|a|00|-|00|c|00|b|00|a|00|8|00|-|00|4|00|b|00|5|00|d|00|-|00|a|00|0|00|f|00|7|00|-|00|a|00|e|00|0|00|0|00|f|00|2|00|9|00|2|00|0|00|9|00|2|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12958 WEB-ACTIVEX MSN Heartbeat 2 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-069.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ae1c01e3-0283-11d3-9b3f-00c04f8ef466"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q3>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*ae1c01e3-0283-11d3-9b3f-00c04f8ef466\s*}?\s*(?P=q3)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12959 WEB-ACTIVEX MSN Heartbeat 3 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-069.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"a|00|e|00|1|00|c|00|0|00|1|00|e|00|3|00|-|00|0|00|2|00|8|00|3|00|-|00|1|00|1|00|d|00|3|00|-|00|9|00|b|00|3|00|f|00|-|00|0|00|0|00|c|00|0|00|4|00|f|00|8|00|e|00|f|00|4|00|6|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q4>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q4)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12960 WEB-ACTIVEX MSN Heartbeat 3 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-069.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AD5FBDB8-C518-47F7-B4F1-F1F58D21A716"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AD5FBDB8-C518-47F7-B4F1-F1F58D21A716\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12961 WEB-ACTIVEX Intuit QuickBooks Online Import 1 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-069.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|D|00|5|00|F|00|B|00|D|00|B|00|8|00|-|00|C|00|5|00|1|00|8|00|-|00|4|00|7|00|F|00|7|00|-|00|B|00|4|00|F|00|1|00|-|00|F|00|1|00|F|00|5|00|8|00|D|00|2|00|1|00|A|00|7|00|1|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12962 WEB-ACTIVEX Intuit QuickBooks Online Import 1 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-069.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"121E91E7-E915-4aa6-89F3-BA62D10A4C49"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q3>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*121E91E7-E915-4aa6-89F3-BA62D10A4C49\s*}?\s*(?P=q3)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12963 WEB-ACTIVEX Intuit QuickBooks Online Import 2 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-069.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|2|00|1|00|E|00|9|00|1|00|E|00|7|00|-|00|E|00|9|00|1|00|5|00|-|00|4|00|a|00|a|00|6|00|-|00|8|00|9|00|F|00|3|00|-|00|B|00|A|00|6|00|2|00|D|00|1|00|0|00|A|00|4|00|C|00|4|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q4>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q4)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12964 WEB-ACTIVEX Intuit QuickBooks Online Import 2 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-069.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C3C9CB67-F453-479a-9AB0-94AE65F2EB2F"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C3C9CB67-F453-479a-9AB0-94AE65F2EB2F\s*}?\s*(?P=q5)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12965 WEB-ACTIVEX Intuit QuickBooks Online Import 3 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-069.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|3|00|C|00|9|00|C|00|B|00|6|00|7|00|-|00|F|00|4|00|5|00|3|00|-|00|4|00|7|00|9|00|a|00|-|00|9|00|A|00|B|00|0|00|-|00|9|00|4|00|A|00|E|00|6|00|5|00|F|00|2|00|E|00|B|00|2|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q6>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12966 WEB-ACTIVEX Intuit QuickBooks Online Import 3 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-069.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AF54BFA2-474E-4b82-A5F3-B79E6F7A80B1"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AF54BFA2-474E-4b82-A5F3-B79E6F7A80B1\s*}?\s*(?P=q7)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12967 WEB-ACTIVEX Intuit QuickBooks Online Import 4 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-069.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|F|00|5|00|4|00|B|00|F|00|A|00|2|00|-|00|4|00|7|00|4|00|E|00|-|00|4|00|b|00|8|00|2|00|-|00|A|00|5|00|F|00|3|00|-|00|B|00|7|00|9|00|E|00|6|00|F|00|7|00|A|00|8|00|0|00|B|00|1|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q8>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12968 WEB-ACTIVEX Intuit QuickBooks Online Import 4 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-069.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"823AA622-D72B-42d4-905D-FDD9FC9600FC"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q9>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*823AA622-D72B-42d4-905D-FDD9FC9600FC\s*}?\s*(?P=q9)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12969 WEB-ACTIVEX Intuit QuickBooks Online Import 5 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-069.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|2|00|3|00|A|00|A|00|6|00|2|00|2|00|-|00|D|00|7|00|2|00|B|00|-|00|4|00|2|00|d|00|4|00|-|00|9|00|0|00|5|00|D|00|-|00|F|00|D|00|D|00|9|00|F|00|C|00|9|00|6|00|0|00|0|00|F|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q10>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q10)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12970 WEB-ACTIVEX Intuit QuickBooks Online Import 5 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-069.mspx attempted-user 2007-3895 tcp $EXTERNAL_NET 80 -> $HOME_NET any flow:established,to_client; content:"RIFF"; pcre:"/(idx1|movi|str[ndfhl]|avih|hdr1|LIST|JUNK)/"; byte_test:4,>,4294967286,0,little,relative; metadata:policy security-ips drop, service http; classtype:attempted-user; 12971 EXPLOIT microsoft directshow wav file overflow attempt www.microsoft.com/technet/security/bulletin/MS07-064.mspx attempted-user 2007-0064 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|01 CD 87 F4|Q|A9 CF 11 8E E6 00 C0 0C| Se"; content:" |DB FE|L|F6|u|CF 11 9C 0F 00 A0 C9 03|I|CB|"; within:16; distance:8; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 12972 WEB-CLIENT Microsoft Media Player .asf markers detected www.microsoft.com/technet/security/Bulletin/MS07-068.mspx attempted-user 2007-0064 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"35907DE0-E415-11CF-A917-00805F5C442B"; byte_test:2, >, 65476, 52, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 13158 WEB_CLIENT Microsoft Media Player asf streaming format interchange data integer overflow attempt www.microsoft.com/technet/security/Bulletin/MS07-068.mspx attempted-user 2007-0064 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"49F1A440-4ECE-11d0-A3AC-00A0C90348F6"; byte_jump:4, 8, relative; byte_test:2, >, 65527, 14, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 13159 WEB_CLIENT Microsoft Media Player asf streaming format audio error masking integer overflow attempt www.microsoft.com/technet/security/Bulletin/MS07-068.mspx 21220 attempted-admin 2006-6114 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:0; dce_stub_data; byte_test:4,>,256,8,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 13162 NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters overflow attempt 26950 attempted-user 2007-6506 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7CB9D4F5-C492-42A4-93B1-3F7D6946470D"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7CB9D4F5-C492-42A4-93B1-3F7D6946470D\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SaveToFile|LoadFromFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7CB9D4F5-C492-42A4-93B1-3F7D6946470D\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SaveToFile|LoadFromFile))\s*\(/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13219 WEB-ACTIVEX HP Software Update RulesEngine.dll ActiveX clsid access 26950 attempted-user 2007-6506 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|C|00|B|00|9|00|D|00|4|00|F|00|5|00|-|00|C|00|4|00|9|00|2|00|-|00|4|00|2|00|A|00|4|00|-|00|9|00|3|00|B|00|1|00|-|00|3|00|F|00|7|00|D|00|6|00|9|00|4|00|6|00|4|00|7|00|0|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x00C\x00B\x009\x00D\x004\x00F\x005\x00-\x00C\x004\x009\x002\x00-\x004\x002\x00A\x004\x00-\x009\x003\x00B\x001\x00-\x003\x00F\x007\x00D\x006\x009\x004\x006\x004\x007\x000\x00D\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13220 WEB-ACTIVEX HP Software Update RulesEngine.dll ActiveX clsid unicode access 26956 attempted-user 2007-6535 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"67CE97C5-ABE6-429A-B6BD-3BD1333A0825"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*67CE97C5-ABE6-429A-B6BD-3BD1333A0825\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(IsTaggedBM)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*67CE97C5-ABE6-429A-B6BD-3BD1333A0825\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(IsTaggedBM))\s*\(/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13224 WEB-ACTIVEX Yahoo Toolbar YShortcut ActiveX clsid access 26956 attempted-user 2007-6535 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|7|00|C|00|E|00|9|00|7|00|C|00|5|00|-|00|A|00|B|00|E|00|6|00|-|00|4|00|2|00|9|00|A|00|-|00|B|00|6|00|B|00|D|00|-|00|3|00|B|00|D|00|1|00|3|00|3|00|3|00|A|00|0|00|8|00|2|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13225 WEB-ACTIVEX Yahoo Toolbar YShortcut ActiveX clsid unicode access 26956 attempted-user 2007-6535 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"YShortcut_DLL.Shortcut"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22YShortcut_DLL\.Shortcut\x22|\x27YShortcut_DLL\.Shortcut\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*IsTaggedBM\s*|.*(?P=v)\s*\.\s*IsTaggedBM\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22YShortcut_DLL\.Shortcut\x22|\x27YShortcut_DLL\.Shortcut\x27)\s*\)(\s*\.\s*IsTaggedBM\s*|.*(?P=n)\s*\.\s*IsTaggedBM\s*)\s*\(/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13226 WEB-ACTIVEX Yahoo Toolbar YShortcut ActiveX function call access 26956 attempted-user 2007-6535 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Y|00|S|00|h|00|o|00|r|00|t|00|c|00|u|00|t|00|_|00|D|00|L|00|L|00|.|00|S|00|h|00|o|00|r|00|t|00|c|00|u|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)Y\x00S\x00h\x00o\x00r\x00t\x00c\x00u\x00t\x00_\x00D\x00L\x00L\x00.\x00S\x00h\x00o\x00r\x00t\x00c\x00u\x00t\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)Y\x00S\x00h\x00o\x00r\x00t\x00c\x00u\x00t\x00_\x00D\x00L\x00L\x00.\x00S\x00h\x00o\x00r\x00t\x00c\x00u\x00t\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13227 WEB-ACTIVEX Yahoo Toolbar YShortcut ActiveX function call unicode access 25375 rpc-portmap-decode 2007-3618 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F3 E1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; classtype:rpc-portmap-decode; 13250 RPC portmap 390113 tcp request 25375 rpc-portmap-decode 2007-3618 udp $EXTERNAL_NET any -> $HOME_NET 111 content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F3 E1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; classtype:rpc-portmap-decode; 13251 RPC portmap 390113 udp request 25375 rpc-portmap-decode 2007-3618 tcp $EXTERNAL_NET any -> $HOME_NET any flow:established,to_server; content:"|00 05 F3 E1|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst"; within:11; distance:12; byte_test:4,>,234,5,relative; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; classtype:rpc-portmap-decode; 13252 RPC portmap 390113 tcp procedure 4 attempt 25375 rpc-portmap-decode 2007-3618 udp $EXTERNAL_NET any -> $HOME_NET any content:"|00 05 F3 E1|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst"; within:11; distance:12; byte_test:4,>,234,5,relative; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; classtype:rpc-portmap-decode; 13253 RPC portmap 390113 udp procedure 4 attempt 25375 rpc-portmap-decode 2007-3618 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F3 E1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; classtype:rpc-portmap-decode; 13254 RPC portmap 390113 tcp request 25375 rpc-portmap-decode 2007-3618 udp $EXTERNAL_NET any -> $HOME_NET 111 content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F3 E1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; classtype:rpc-portmap-decode; 13255 RPC portmap 390113 udp request 25375 rpc-portmap-decode 2007-3618 tcp $EXTERNAL_NET any -> $HOME_NET any flow:established,to_server; content:"|00 05 F3 E1|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst"; within:11; distance:12; byte_test:4,>,234,5,relative; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; classtype:rpc-portmap-decode; 13256 RPC portmap 390113 tcp procedure 5 attempt 25375 rpc-portmap-decode 2007-3618 udp $EXTERNAL_NET any -> $HOME_NET any content:"|00 05 F3 E1|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst"; within:11; distance:12; byte_test:4,>,234,5,relative; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; classtype:rpc-portmap-decode; 13257 RPC portmap 390113 udp procedure 5 attempt 27059 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F84E0B64-1E86-4640-8094-5B38CEB28C1E"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F84E0B64-1E86-4640-8094-5B38CEB28C1E\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(start)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F84E0B64-1E86-4640-8094-5B38CEB28C1E\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(start))\s*\(/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13266 WEB-ACTIVEX SkyFex Client ActiveX clsid access 27059 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|8|00|4|00|E|00|0|00|B|00|6|00|4|00|-|00|1|00|E|00|8|00|6|00|-|00|4|00|6|00|4|00|0|00|-|00|8|00|0|00|9|00|4|00|-|00|5|00|B|00|3|00|8|00|C|00|E|00|B|00|2|00|8|00|C|00|1|00|E|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13267 WEB-ACTIVEX SkyFex Client ActiveX clsid unicode access 27106 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D050D736-2D21-4723-AD58-5B541FFB6C11"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D050D736-2D21-4723-AD58-5B541FFB6C11\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SetPassword)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D050D736-2D21-4723-AD58-5B541FFB6C11\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetPassword))\s*\(/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13273 WEB-ACTIVEX DivX Web Player ActiveX clsid access 27106 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|0|00|5|00|0|00|D|00|7|00|3|00|6|00|-|00|2|00|D|00|2|00|1|00|-|00|4|00|7|00|2|00|3|00|-|00|A|00|D|00|5|00|8|00|-|00|5|00|B|00|5|00|4|00|1|00|F|00|F|00|B|00|6|00|C|00|1|00|1|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13274 WEB-ACTIVEX DivX Web Player ActiveX clsid unicode access 27106 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"npUpload.DivXContentUploadPlugin"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22npUpload\.DivXContentUploadPlugin\x22|\x27npUpload\.DivXContentUploadPlugin\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SetPassword\s*|.*(?P=v)\s*\.\s*SetPassword\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22npUpload\.DivXContentUploadPlugin\x22|\x27npUpload\.DivXContentUploadPlugin\x27)\s*\)(\s*\.\s*SetPassword\s*|.*(?P=n)\s*\.\s*SetPassword\s*)\s*\(/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13275 WEB-ACTIVEX DivX Web Player ActiveX function call access 27106 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"n|00|p|00|U|00|p|00|l|00|o|00|a|00|d|00|.|00|D|00|i|00|v|00|X|00|C|00|o|00|n|00|t|00|e|00|n|00|t|00|U|00|p|00|l|00|o|00|a|00|d|00|P|00|l|00|u|00|g|00|i|00|n|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)n\x00p\x00U\x00p\x00l\x00o\x00a\x00d\x00.\x00D\x00i\x00v\x00X\x00C\x00o\x00n\x00t\x00e\x00n\x00t\x00U\x00p\x00l\x00o\x00a\x00d\x00P\x00l\x00u\x00g\x00i\x00n\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)n\x00p\x00U\x00p\x00l\x00o\x00a\x00d\x00.\x00D\x00i\x00v\x00X\x00C\x00o\x00n\x00t\x00e\x00n\x00t\x00U\x00p\x00l\x00o\x00a\x00d\x00P\x00l\x00u\x00g\x00i\x00n\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13276 WEB-ACTIVEX DivX Web Player ActiveX function call unicode access 27193 attempted-user 2008-0220 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"93CEA8A4-6059-4E0B-ADDD-73848153DD5E"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*93CEA8A4-6059-4E0B-ADDD-73848153DD5E\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DoWebLaunch)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*93CEA8A4-6059-4E0B-ADDD-73848153DD5E\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DoWebLaunch))\s*\(/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13289 WEB-ACTIVEX Gatway CWebLaunchCtl ActiveX clsid access www.kb.cert.org/vuls/id/735441 27193 attempted-user 2008-0220 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|3|00|C|00|E|00|A|00|8|00|A|00|4|00|-|00|6|00|0|00|5|00|9|00|-|00|4|00|E|00|0|00|B|00|-|00|A|00|D|00|D|00|D|00|-|00|7|00|3|00|8|00|4|00|8|00|1|00|5|00|3|00|D|00|D|00|5|00|E|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13290 WEB-ACTIVEX Gatway CWebLaunchCtl ActiveX clsid unicode access www.kb.cert.org/vuls/id/735441 27201 attempted-user 2008-0237 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B617B991-A767-4F05-99BA-AC6FCABB102E"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B617B991-A767-4F05-99BA-AC6FCABB102E\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SaveFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B617B991-A767-4F05-99BA-AC6FCABB102E\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SaveFile))\s*\(/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13294 WEB-ACTIVEX Microsoft Rich TextBox ActiveX clsid access 27201 attempted-user 2008-0237 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|6|00|1|00|7|00|B|00|9|00|9|00|1|00|-|00|A|00|7|00|6|00|7|00|-|00|4|00|F|00|0|00|5|00|-|00|9|00|9|00|B|00|A|00|-|00|A|00|C|00|6|00|F|00|C|00|A|00|B|00|B|00|1|00|0|00|2|00|E|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13295 WEB-ACTIVEX Microsoft Rich TextBox ActiveX clsid unicode access 27201 attempted-user 2008-0237 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3B7C8860-D78F-101B-B9B5-04021C009402"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q4>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3B7C8860-D78F-101B-B9B5-04021C009402\s*}?\s*(?P=q4)(\s|>).*(?P=id1)\s*\.\s*(SaveFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3B7C8860-D78F-101B-B9B5-04021C009402\s*}?\s*(?P=q5)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(SaveFile))\s*\(/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13296 WEB-ACTIVEX Microsoft Rich TextBox ActiveX clsid access 27201 attempted-user 2008-0237 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|B|00|7|00|C|00|8|00|8|00|6|00|0|00|-|00|D|00|7|00|8|00|F|00|-|00|1|00|0|00|1|00|B|00|-|00|B|00|9|00|B|00|5|00|-|00|0|00|4|00|0|00|2|00|1|00|C|00|0|00|0|00|9|00|4|00|0|00|2|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q6>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13297 WEB-ACTIVEX Microsoft Rich TextBox ActiveX clsid unicode access 27201 attempted-user 2008-0237 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"RICHTEXT.RichTextCtrl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22RICHTEXT\.RichTextCtrl\x22|\x27RICHTEXT\.RichTextCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveFile\s*|.*(?P=v)\s*\.\s*SaveFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22RICHTEXT\.RichTextCtrl\x22|\x27RICHTEXT\.RichTextCtrl\x27)\s*\)(\s*\.\s*SaveFile\s*|.*(?P=n)\s*\.\s*SaveFile\s*)\s*\(/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13298 WEB-ACTIVEX Microsoft Rich TextBox ActiveX function call access 27201 attempted-user 2008-0237 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"R|00|I|00|C|00|H|00|T|00|E|00|X|00|T|00|.|00|R|00|i|00|c|00|h|00|T|00|e|00|x|00|t|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q7>\x22|\x27|)R\x00I\x00C\x00H\x00T\x00E\x00X\x00T\x00.\x00R\x00i\x00c\x00h\x00T\x00e\x00x\x00t\x00C\x00t\x00r\x00l\x00(?P=q7)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q8>\x22|\x27|)R\x00I\x00C\x00H\x00T\x00E\x00X\x00T\x00.\x00R\x00i\x00c\x00h\x00T\x00e\x00x\x00t\x00C\x00t\x00r\x00l\x00(?P=q8)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13299 WEB-ACTIVEX Microsoft Rich TextBox ActiveX function call unicode access 27205 attempted-user 2008-0236 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"008B6010-1F3D-11D1-B0C8-00A0C9055D74"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*008B6010-1F3D-11D1-B0C8-00A0C9055D74\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DoCmd)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*008B6010-1F3D-11D1-B0C8-00A0C9055D74\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DoCmd))\s*\(/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13303 WEB-ACTIVEX Microsoft Visual FoxPro 2 ActiveX clsid access 27205 attempted-user 2008-0236 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|8|00|B|00|6|00|0|00|1|00|0|00|-|00|1|00|F|00|3|00|D|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|0|00|C|00|8|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|5|00|5|00|D|00|7|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13304 WEB-ACTIVEX Microsoft Visual FoxPro 2 ActiveX clsid unicode access 27205 attempted-user 2008-0236 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VisualFoxpro.Application"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VisualFoxpro\.Application\x22|\x27VisualFoxpro\.Application\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*DoCmd\s*|.*(?P=v)\s*\.\s*DoCmd\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VisualFoxpro\.Application\x22|\x27VisualFoxpro\.Application\x27)\s*\)(\s*\.\s*DoCmd\s*|.*(?P=n)\s*\.\s*DoCmd\s*)\s*\(/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13305 WEB-ACTIVEX Microsoft Visual FoxPro 2 ActiveX function call access 27205 attempted-user 2008-0236 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|i|00|s|00|u|00|a|00|l|00|F|00|o|00|x|00|p|00|r|00|o|00|.|00|A|00|p|00|p|00|l|00|i|00|c|00|a|00|t|00|i|00|o|00|n|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)V\x00i\x00s\x00u\x00a\x00l\x00F\x00o\x00x\x00p\x00r\x00o\x00.\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)V\x00i\x00s\x00u\x00a\x00l\x00F\x00o\x00x\x00p\x00r\x00o\x00.\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13306 WEB-ACTIVEX Microsoft Visual FoxPro 2 ActiveX function call unicode access 27247 attempted-user 2008-0248 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2253F320-AB68-4A07-917D-4F12D8884A06"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2253F320-AB68-4A07-917D-4F12D8884A06\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(InternalTuneIn)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2253F320-AB68-4A07-917D-4F12D8884A06\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(InternalTuneIn))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13312 WEB-ACTIVEX StreamAudio ProxyManager ActiveX clsid access 27247 attempted-user 2008-0248 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|2|00|5|00|3|00|F|00|3|00|2|00|0|00|-|00|A|00|B|00|6|00|8|00|-|00|4|00|A|00|0|00|7|00|-|00|9|00|1|00|7|00|D|00|-|00|4|00|F|00|1|00|2|00|D|00|8|00|8|00|8|00|4|00|A|00|0|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13313 WEB-ACTIVEX StreamAudio ProxyManager ActiveX clsid unicode access 27247 attempted-user 2008-0248 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Ccpm.ProxyManager"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Ccpm\.ProxyManager\x22|\x27Ccpm\.ProxyManager\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*InternalTuneIn\s*|.*(?P=v)\s*\.\s*InternalTuneIn\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Ccpm\.ProxyManager\x22|\x27Ccpm\.ProxyManager\x27)\s*\)(\s*\.\s*InternalTuneIn\s*|.*(?P=n)\s*\.\s*InternalTuneIn\s*)\s*\(/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13314 WEB-ACTIVEX StreamAudio ProxyManager ActiveX function call access 27247 attempted-user 2008-0248 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|c|00|p|00|m|00|.|00|P|00|r|00|o|00|x|00|y|00|M|00|a|00|n|00|a|00|g|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)C\x00c\x00p\x00m\x00.\x00P\x00r\x00o\x00x\x00y\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)C\x00c\x00p\x00m\x00.\x00P\x00r\x00o\x00x\x00y\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13315 WEB-ACTIVEX StreamAudio ProxyManager ActiveX function call unicode access 25295 attempted-user 2007-3041 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0DDF3BD2-E692-11D1-AB06-00AA00BDD685"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0DDF3BD2-E692-11D1-AB06-00AA00BDD685\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13321 WEB-ACTIVEX Microsoft Package and Deployment Wizard ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-045.mspx 25295 attempted-user 2007-3041 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|D|00|D|00|F|00|3|00|B|00|D|00|2|00|-|00|E|00|6|00|9|00|2|00|-|00|1|00|1|00|D|00|1|00|-|00|A|00|B|00|0|00|6|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|D|00|D|00|6|00|8|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13322 WEB-ACTIVEX Microsoft Package and Deployment Wizard ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-045.mspx 25295 attempted-user 2007-3041 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"PDWizard.SetupPkgPanels"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22PDWizard\.SetupPkgPanels\x22|\x27PDWizard\.SetupPkgPanels\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22PDWizard\.SetupPkgPanels\x22|\x27PDWizard\.SetupPkgPanels\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13323 WEB-ACTIVEX Microsoft Package and Deployment Wizard ActiveX function call access www.microsoft.com/technet/security/bulletin/MS07-045.mspx 25295 attempted-user 2007-3041 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"P|00|D|00|W|00|i|00|z|00|a|00|r|00|d|00|.|00|S|00|e|00|t|00|u|00|p|00|P|00|k|00|g|00|P|00|a|00|n|00|e|00|l|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)P\x00D\x00W\x00i\x00z\x00a\x00r\x00d\x00.\x00S\x00e\x00t\x00u\x00p\x00P\x00k\x00g\x00P\x00a\x00n\x00e\x00l\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)P\x00D\x00W\x00i\x00z\x00a\x00r\x00d\x00.\x00S\x00e\x00t\x00u\x00p\x00P\x00k\x00g\x00P\x00a\x00n\x00e\x00l\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13324 WEB-ACTIVEX Microsoft Package and Deployment Wizard ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/MS07-045.mspx 27360 attempted-user 2008-0399 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AD315309-EA00-45AE-9E8E-B6A61CE6B974"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q10>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AD315309-EA00-45AE-9E8E-B6A61CE6B974\s*}?\s*(?P=q10)(\s|>).*(?P=id1)\s*\.\s*(SetPort|SetIPAddress)|<object\s*[^>]*\s*classid\s*=\s*(?P<q11>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AD315309-EA00-45AE-9E8E-B6A61CE6B974\s*}?\s*(?P=q11)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(SetPort|SetIPAddress))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13329 WEB-ACTIVEX Toshiba Surveillance Surveillix DVR ActiveX clsid access 27360 attempted-user 2008-0399 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|D|00|3|00|1|00|5|00|3|00|0|00|9|00|-|00|E|00|A|00|0|00|0|00|-|00|4|00|5|00|A|00|E|00|-|00|9|00|E|00|8|00|E|00|-|00|B|00|6|00|A|00|6|00|1|00|C|00|E|00|6|00|B|00|9|00|7|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q12>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q12)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13330 WEB-ACTIVEX Toshiba Surveillance Surveillix DVR ActiveX clsid unicode access 27360 attempted-user 2008-0399 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"RecordSend"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22RecordSend\x22|\x27RecordSend\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SetPort|SetIPAddress)\s*|.*(?P=v)\s*\.\s*(SetPort|SetIPAddress)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22RecordSend\x22|\x27RecordSend\x27)\s*\)(\s*\.\s*(SetPort|SetIPAddress)\s*|.*(?P=n)\s*\.\s*(SetPort|SetIPAddress)\s*)\s*\(/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13331 WEB-ACTIVEX Toshiba Surveillance Surveillix DVR ActiveX function call access 27360 attempted-user 2008-0399 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"R|00|e|00|c|00|o|00|r|00|d|00|S|00|e|00|n|00|d|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q13>\x22|\x27|)R\x00e\x00c\x00o\x00r\x00d\x00S\x00e\x00n\x00d\x00(?P=q13)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q14>\x22|\x27|)R\x00e\x00c\x00o\x00r\x00d\x00S\x00e\x00n\x00d\x00(?P=q14)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13332 WEB-ACTIVEX Toshiba Surveillance Surveillix DVR ActiveX function call unicode access 27384 attempted-user 2008-0437 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"00000014-9593-4264-8B29-930B3E4EDCCD"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q15>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00000014-9593-4264-8B29-930B3E4EDCCD\s*}?\s*(?P=q15)(\s|>).*(?P=id1)\s*\.\s*(AuthenticationURL|PortalAPIURL|cabroot)|<object\s*[^>]*\s*classid\s*=\s*(?P<q16>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00000014-9593-4264-8B29-930B3E4EDCCD\s*}?\s*(?P=q16)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\s*\.\s*(AuthenticationURL|PortalAPIURL|cabroot))\s*=/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13333 WEB-ACTIVEX HP Virtual Rooms ActiveX clsid access 27384 attempted-user 2008-0437 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|0|00|0|00|0|00|1|00|4|00|-|00|9|00|5|00|9|00|3|00|-|00|4|00|2|00|6|00|4|00|-|00|8|00|B|00|2|00|9|00|-|00|9|00|3|00|0|00|B|00|3|00|E|00|4|00|E|00|D|00|C|00|C|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q17>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q17)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13334 WEB-ACTIVEX HP Virtual Rooms ActiveX clsid unicode access 27411 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C36112BF-2FA3-4694-8603-3B510EA3B465"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q18>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C36112BF-2FA3-4694-8603-3B510EA3B465\s*}?\s*(?P=q18)(\s|>).*(?P=id1)\s*\.\s*(HandwriterFilename)|<object\s*[^>]*\s*classid\s*=\s*(?P<q19>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C36112BF-2FA3-4694-8603-3B510EA3B465\s*}?\s*(?P=q19)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\s*\.\s*(HandwriterFilename))\s*=/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13335 WEB-ACTIVEX Lycos File Upload Component ActiveX clsid access 27411 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|3|00|6|00|1|00|1|00|2|00|B|00|F|00|-|00|2|00|F|00|A|00|3|00|-|00|4|00|6|00|9|00|4|00|-|00|8|00|6|00|0|00|3|00|-|00|3|00|B|00|5|00|1|00|0|00|E|00|A|00|3|00|B|00|4|00|6|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q20>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q20)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13336 WEB-ACTIVEX Lycos File Upload Component ActiveX clsid unicode access 27424 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"309F674D-E4D3-46BD-B9E2-ED7DFD7FD176"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m9>\x22|\x27|)(?P<id1>.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P<q21>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*309F674D-E4D3-46BD-B9E2-ED7DFD7FD176\s*}?\s*(?P=q21)(\s|>).*(?P=id1)\s*\.\s*(ExecuteStr)|<object\s*[^>]*\s*classid\s*=\s*(?P<q22>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*309F674D-E4D3-46BD-B9E2-ED7DFD7FD176\s*}?\s*(?P=q22)(\s|>)[^>]*\s*id\s*=\s*(?P<m10>\x22|\x27|)(?P<id2>.+?)(?P=m10)(\s|>).*(?P=id2)\.(ExecuteStr))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13337 WEB-ACTIVEX Comodo AntiVirus ActiveX clsid access 27424 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|0|00|9|00|F|00|6|00|7|00|4|00|D|00|-|00|E|00|4|00|D|00|3|00|-|00|4|00|6|00|B|00|D|00|-|00|B|00|9|00|E|00|2|00|-|00|E|00|D|00|7|00|D|00|F|00|D|00|7|00|F|00|D|00|1|00|7|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q23>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q23)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13338 WEB-ACTIVEX Comodo AntiVirus ActiveX clsid unicode access 27438 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6054D082-355D-4B47-B77C-36A778899F48"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6054D082-355D-4B47-B77C-36A778899F48\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Upgrade)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6054D082-355D-4B47-B77C-36A778899F48\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Upgrade))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13348 WEB-ACTIVEX Move Networks Media Player ActiveX clsid access 27438 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|0|00|5|00|4|00|D|00|0|00|8|00|2|00|-|00|3|00|5|00|5|00|D|00|-|00|4|00|B|00|4|00|7|00|-|00|B|00|7|00|7|00|C|00|-|00|3|00|6|00|A|00|7|00|7|00|8|00|8|00|9|00|9|00|F|00|4|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13349 WEB-ACTIVEX Move Networks Media Player ActiveX clsid unicode access 27438 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"QSP2IE.QSP2IE"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22QSP2IE\.QSP2IE\x22|\x27QSP2IE\.QSP2IE\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Upgrade\s*|.*(?P=v)\s*\.\s*Upgrade\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22QSP2IE\.QSP2IE\x22|\x27QSP2IE\.QSP2IE\x27)\s*\)(\s*\.\s*Upgrade\s*|.*(?P=n)\s*\.\s*Upgrade\s*)\s*\(/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13350 WEB-ACTIVEX Move Networks Media Player ActiveX function call access 27438 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Q|00|S|00|P|00|2|00|I|00|E|00|.|00|Q|00|S|00|P|00|2|00|I|00|E|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)Q\x00S\x00P\x002\x00I\x00E\x00.\x00Q\x00S\x00P\x002\x00I\x00E\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)Q\x00S\x00P\x002\x00I\x00E\x00.\x00Q\x00S\x00P\x002\x00I\x00E\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13351 WEB-ACTIVEX Move Networks Media Player ActiveX function call unicode access 27411 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FileUploader.FUploadCtl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22FileUploader\.FUploadCtl\x22|\x27FileUploader\.FUploadCtl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*HandwriterFilename\s*|.*(?P=v)\s*\.\s*HandwriterFilename\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22FileUploader\.FUploadCtl\x22|\x27FileUploader\.FUploadCtl\x27)\s*\)(\s*\.\s*HandwriterFilename\s*|.*(?P=n)\s*\.\s*HandwriterFilename)\s*=/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13352 WEB-ACTIVEX Lycos File Upload Component ActiveX function call access 27411 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|i|00|l|00|e|00|U|00|p|00|l|00|o|00|a|00|d|00|e|00|r|00|.|00|F|00|U|00|p|00|l|00|o|00|a|00|d|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)F\x00i\x00l\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00.\x00F\x00U\x00p\x00l\x00o\x00a\x00d\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)F\x00i\x00l\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00.\x00F\x00U\x00p\x00l\x00o\x00a\x00d\x00C\x00t\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13353 WEB-ACTIVEX Lycos File Upload Component ActiveX function call unicode access 27384 attempted-user 2008-0437 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"WebHPVCInstall.HPVirtualRooms14"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22WebHPVCInstall\.HPVirtualRooms14\x22|\x27WebHPVCInstall\.HPVirtualRooms14\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(AuthenticationURL|PortalAPIURL|cabroot)\s*|.*(?P=v)\s*\.\s*(AuthenticationURL|PortalAPIURL|cabroot)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WebHPVCInstall\.HPVirtualRooms14\x22|\x27WebHPVCInstall\.HPVirtualRooms14\x27)\s*\)(\s*\.\s*(AuthenticationURL|PortalAPIURL|cabroot)\s*|.*(?P=n)\s*\.\s*(AuthenticationURL|PortalAPIURL|cabroot))\s*=/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13354 WEB-ACTIVEX HP Virtual Rooms ActiveX function call access 27384 attempted-user 2008-0437 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"W|00|e|00|b|00|H|00|P|00|V|00|C|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|.|00|H|00|P|00|V|00|i|00|r|00|t|00|u|00|a|00|l|00|R|00|o|00|o|00|m|00|s|00|1|00|4|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)W\x00e\x00b\x00H\x00P\x00V\x00C\x00I\x00n\x00s\x00t\x00a\x00l\x00l\x00.\x00H\x00P\x00V\x00i\x00r\x00t\x00u\x00a\x00l\x00R\x00o\x00o\x00m\x00s\x001\x004\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)W\x00e\x00b\x00H\x00P\x00V\x00C\x00I\x00n\x00s\x00t\x00a\x00l\x00l\x00.\x00H\x00P\x00V\x00i\x00r\x00t\x00u\x00a\x00l\x00R\x00o\x00o\x00m\x00s\x001\x004\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13355 WEB-ACTIVEX HP Virtual Rooms ActiveX function call unicode access 21401 protocol-command-decode 2006-6296 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:26; dce_stub_data; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,65536,0,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; 13367 NETBIOS DCERPC NCACN-IP-TCP spoolss GetPrinterData attempt 27756 attempted-user 2008-5711 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C6698D9-7BE4-4122-8EC5-291D84DBD4A0\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5C6698D9-7BE4-4122-8EC5-291D84DBD4A0\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask))\s*=/smiO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 13419 WEB-ACTIVEX Facebook Photo Uploader ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 27756 attempted-user 2008-5711 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|C|00|6|00|6|00|9|00|8|00|D|00|9|00|-|00|7|00|B|00|E|00|4|00|-|00|4|00|1|00|2|00|2|00|-|00|8|00|E|00|C|00|5|00|-|00|2|00|9|00|1|00|D|00|8|00|4|00|D|00|B|00|D|00|4|00|A|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q8>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x00C\x006\x006\x009\x008\x00D\x009\x00-\x007\x00B\x00E\x004\x00-\x004\x001\x002\x002\x00-\x008\x00E\x00C\x005\x00-\x002\x009\x001\x00D\x008\x004\x00D\x00B\x00D\x004\x00A\x000\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/siO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 13420 WEB-ACTIVEX Facebook Photo Uploader ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 27756 attempted-user 2008-5711 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"TheFacebook.FacebookPhotoUploader4.4.1"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22TheFacebook\.FacebookPhotoUploader4\.4\.1\x22|\x27TheFacebook\.FacebookPhotoUploader4\.4\.1\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*|.*(?P=v)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TheFacebook\.FacebookPhotoUploader4\.4\.1\x22|\x27TheFacebook\.FacebookPhotoUploader4\.4\.1\x27)\s*\)(\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask)\s*|.*(?P=n)\s*\.\s*(Action|ExtractExif|ExtractIptc|FileMask))\s*=/siO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 13421 WEB-ACTIVEX Facebook Photo Uploader ActiveX function call access www.microsoft.com/technet/security/advisory/953839.mspx 27756 attempted-user 2008-5711 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"T|00|h|00|e|00|F|00|a|00|c|00|e|00|b|00|o|00|o|00|k|00|.|00|F|00|a|00|c|00|e|00|b|00|o|00|o|00|k|00|P|00|h|00|o|00|t|00|o|00|U|00|p|00|l|00|o|00|a|00|d|00|e|00|r|00|4|00|.|00|4|00|.|00|1|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q9>\x22|\x27|)T\x00h\x00e\x00F\x00a\x00c\x00e\x00b\x00o\x00o\x00k\x00.\x00F\x00a\x00c\x00e\x00b\x00o\x00o\x00k\x00P\x00h\x00o\x00t\x00o\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x004\x00.\x004\x00.\x001\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q10>\x22|\x27|)T\x00h\x00e\x00F\x00a\x00c\x00e\x00b\x00o\x00o\x00k\x00.\x00F\x00a\x00c\x00e\x00b\x00o\x00o\x00k\x00P\x00h\x00o\x00t\x00o\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x004\x00.\x004\x00.\x001\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/siO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 13422 WEB-ACTIVEX Facebook Photo Uploader ActiveX function call unicode access www.microsoft.com/technet/security/advisory/953839.mspx 27527 attempted-user 2007-5602 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7DD62E58-5FA8-11D2-AFB7-00104B64F126"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7DD62E58-5FA8-11D2-AFB7-00104B64F126\s*}?\s*(?P=q6)(\s|>)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13423 WEB-ACTIVEX SwiftView ActiveX clsid access www.swiftview.com/tech/security/bulletins/SBSV-07-10-02.htm 27527 attempted-user 2007-5602 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|D|00|D|00|6|00|2|00|E|00|5|00|8|00|-|00|5|00|F|00|A|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|A|00|F|00|B|00|7|00|-|00|0|00|0|00|1|00|0|00|4|00|B|00|6|00|4|00|F|00|1|00|2|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q7>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q7)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13424 WEB-ACTIVEX SwiftView ActiveX clsid unicode access www.swiftview.com/tech/security/bulletins/SBSV-07-10-02.htm 27579 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5F810AFC-BB5F-4416-BE63-E01DD117BD6C"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5F810AFC-BB5F-4416-BE63-E01DD117BD6C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AddImage|AddButton)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5F810AFC-BB5F-4416-BE63-E01DD117BD6C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(AddImage|AddButton))\s*\(/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13426 WEB-ACTIVEX Yahoo Music JukeBox DataGrid ActiveX clsid access 27579 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|F|00|8|00|1|00|0|00|A|00|F|00|C|00|-|00|B|00|B|00|5|00|F|00|-|00|4|00|4|00|1|00|6|00|-|00|B|00|E|00|6|00|3|00|-|00|E|00|0|00|1|00|D|00|D|00|1|00|1|00|7|00|B|00|D|00|6|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13427 WEB-ACTIVEX Yahoo Music JukeBox DataGrid ActiveX clsid unicode access 27579 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"YMP.YMPDatagrid"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22YMP\.YMPDatagrid\x22|\x27YMP\.YMPDatagrid\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(AddImage|AddButton)\s*|.*(?P=v)\s*\.\s*(AddImage|AddButton)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22YMP\.YMPDatagrid\x22|\x27YMP\.YMPDatagrid\x27)\s*\)(\s*\.\s*(AddImage|AddButton)\s*|.*(?P=n)\s*\.\s*(AddImage|AddButton)\s*)\s*\(/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13428 WEB-ACTIVEX Yahoo Music JukeBox DataGrid ActiveX function call access 27579 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Y|00|M|00|P|00|.|00|Y|00|M|00|P|00|D|00|a|00|t|00|a|00|g|00|r|00|i|00|d|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)Y\x00M\x00P\x00.\x00Y\x00M\x00P\x00D\x00a\x00t\x00a\x00g\x00r\x00i\x00d\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)Y\x00M\x00P\x00.\x00Y\x00M\x00P\x00D\x00a\x00t\x00a\x00g\x00r\x00i\x00d\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13429 WEB-ACTIVEX Yahoo Music JukeBox DataGrid ActiveX function call unicode access 27578 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"22FD7C0A-850C-4A53-9821-0B0915C96139"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*22FD7C0A-850C-4A53-9821-0B0915C96139\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(AddBitmap)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*22FD7C0A-850C-4A53-9821-0B0915C96139\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(AddBitmap))\s*\(/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13430 WEB-ACTIVEX Yahoo Music JukeBox MediaGrid ActiveX clsid access 27578 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|2|00|F|00|D|00|7|00|C|00|0|00|A|00|-|00|8|00|5|00|0|00|C|00|-|00|4|00|A|00|5|00|3|00|-|00|9|00|8|00|2|00|1|00|-|00|0|00|B|00|0|00|9|00|1|00|5|00|C|00|9|00|6|00|1|00|3|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q8>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13431 WEB-ACTIVEX Yahoo Music JukeBox MediaGrid ActiveX clsid unicode access 27578 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"YMG.YMGMediaGridAx"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22YMG\.YMGMediaGridAx\x22|\x27YMG\.YMGMediaGridAx\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*AddBitmap\s*|.*(?P=v)\s*\.\s*AddBitmap\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22YMG\.YMGMediaGridAx\x22|\x27YMG\.YMGMediaGridAx\x27)\s*\)(\s*\.\s*AddBitmap\s*|.*(?P=n)\s*\.\s*AddBitmap\s*)\s*\(/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13432 WEB-ACTIVEX Yahoo Music JukeBox MediaGrid ActiveX function call access 27578 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Y|00|M|00|G|00|.|00|Y|00|M|00|G|00|M|00|e|00|d|00|i|00|a|00|G|00|r|00|i|00|d|00|A|00|x|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q9>\x22|\x27|)Y\x00M\x00G\x00.\x00Y\x00M\x00G\x00M\x00e\x00d\x00i\x00a\x00G\x00r\x00i\x00d\x00A\x00x\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q10>\x22|\x27|)Y\x00M\x00G\x00.\x00Y\x00M\x00G\x00M\x00e\x00d\x00i\x00a\x00G\x00r\x00i\x00d\x00A\x00x\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13433 WEB-ACTIVEX Yahoo Music JukeBox MediaGrid ActiveX function call unicode access 27626 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"61F5C358-60FB-4A23-A312-D2B556620F20"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*61F5C358-60FB-4A23-A312-D2B556620F20\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(hgs_startNotify)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*61F5C358-60FB-4A23-A312-D2B556620F20\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(hgs_startNotify))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13446 WEB-ACTIVEX GlobalLink HanGamePlugin ActiveX clsid access 27626 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|1|00|F|00|5|00|C|00|3|00|5|00|8|00|-|00|6|00|0|00|F|00|B|00|-|00|4|00|A|00|2|00|3|00|-|00|A|00|3|00|1|00|2|00|-|00|D|00|2|00|B|00|5|00|5|00|6|00|6|00|2|00|0|00|F|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13447 WEB-ACTIVEX GlobalLink HanGamePlugin ActiveX clsid unicode access attempted-user 2008-0078 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13453, service http, policy balanced-ips drop, policy security-ips drop; 13453 WEB-CLIENT Microsoft DXLUTBuilder ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS08-010.mspx attempted-user 2008-0078 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13455, service http, policy balanced-ips drop, policy security-ips drop; 13455 WEB-CLIENT Microsoft DXLUTBuilder ActiveX function call access www.microsoft.com/technet/security/bulletin/MS08-010.mspx attempted-user 2007-0065 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13457, service http, policy balanced-ips drop, policy security-ips drop; 13457 WEB-ACTIVEX Microsoft Forms 2.0 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS08-008.mspx attempted-user 2007-0065 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13459, service http, policy balanced-ips drop, policy security-ips drop; 13459 WEB-ACTIVEX Microsoft Forms 2.0 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS08-008.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".wps"; nocase; http_uri; flowbits:set, works.download; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-activity; 13465 WEB-CLIENT Microsoft Works file download request 27657 attempted-user 2007-0216 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,works.download; metadata: engine shared, soid 3|13466, service http, policy balanced-ips drop, policy security-ips drop; 13466 WEB-CLIENT Microsoft Works file converter file section length headers memory corruption attempt www.microsoft.com/technet/security/bulletin/ms08-011.mspx attempted-user 2008-0104 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.pub; metadata: engine shared, soid 3|13471, service http, policy security-ips drop; 13471 EXPLOIT Microsoft Publisher invalid pathname overwrite www.microsoft.com/technet/security/bulletin/MS08-012.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:".pub"; fast_pattern; nocase; http_uri; flowbits:set,http.pub; flowbits:noalert; metadata:service http; classtype:misc-activity; 13473 WEB-MISC Microsoft Publisher file download attempted-user 2008-0080 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13474, service http, policy balanced-ips drop, policy security-ips drop; 13474 WEB-CLIENT Microsoft WebDAV MiniRedir remote code execution attempt www.microsoft.com/technet/security/bulletin/ms08-007.mspx 31370 attempted-user 2008-2908 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"36723f97-7aa0-11d4-8919-ff2d71d0d32c"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*36723f97-7aa0-11d4-8919-ff2d71d0d32c\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ExecuteRequest|GetDriverFile|UploadPrinterDriver|UploadResource|GetPrinterURLlist)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*36723f97-7aa0-11d4-8919-ff2d71d0d32c\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(ExecuteRequest|GetDriverFile|UploadPrinterDriver|UploadResource|GetPrinterURLlist))/siO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 13523 WEB-ACTIVEX Novell iPrint ActiveX clsid access support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5028061.html 31370 attempted-user 2008-2908 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|6|00|7|00|2|00|3|00|f|00|9|00|7|00|-|00|7|00|a|00|a|00|0|00|-|00|1|00|1|00|d|00|4|00|-|00|8|00|9|00|1|00|9|00|-|00|f|00|f|00|2|00|d|00|7|00|1|00|d|00|0|00|d|00|3|00|2|00|c|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x006\x007\x002\x003\x00f\x009\x007\x00-\x007\x00a\x00a\x000\x00-\x001\x001\x00d\x004\x00-\x008\x009\x001\x009\x00-\x00f\x00f\x002\x00d\x007\x001\x00d\x000\x00d\x003\x002\x00c\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13524 WEB-ACTIVEX Novell iPrint ActiveX clsid unicode access support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5028061.html 31370 attempted-user 2008-2908 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ienipp.Novell iPrint Control"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22ienipp\.Novell\s*iPrint\s*Control(\.\d)?\x22|\x27ienipp\.Novell\s*iPrint\s*Control(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(ExecuteRequest|GetDriverFile|UploadPrinterDriver|UploadResource|GetPrinterURLlist)\s*|.*(?P=v)\s*\.\s*(ExecuteRequest|GetDriverFile|UploadPrinterDriver|UploadResource|GetPrinterURLlist)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ienipp\.Novell\s*iPrint\s*Control(\.\d)?\x22|\x27ienipp\.Novell\s*iPrint\s*Control(\.\d)?\x27)\s*\)(\s*\.\s*(ExecuteRequest|GetDriverFile|UploadPrinterDriver|UploadResource|GetPrinterURLlist)\s*|.*(?P=n)\s*\.\s*(ExecuteRequest|GetDriverFile|UploadPrinterDriver|UploadResource|GetPrinterURLlist)\s*)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13525 WEB-ACTIVEX Novell iPrint ActiveX function call access support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5028061.html 31370 attempted-user 2008-2908 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"i|00|e|00|n|00|i|00|p|00|p|00|.|00|N|00|o|00|v|00|e|00|l|00|l|00| |00|i|00|P|00|r|00|i|00|n|00|t|00| |00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)i\x00e\x00n\x00i\x00p\x00p\x00.\x00N\x00o\x00v\x00e\x00l\x00l\x00(\s\x00)*i\x00P\x00r\x00i\x00n\x00t\x00(\s\x00)*C\x00o\x00n\x00t\x00r\x00o\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)i\x00e\x00n\x00i\x00p\x00p\x00.\x00N\x00o\x00v\x00e\x00l\x00l\x00(\s\x00)*i\x00P\x00r\x00i\x00n\x00t\x00(\s\x00)*C\x00o\x00n\x00t\x00r\x00o\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13526 WEB-ACTIVEX Novell iPrint ActiveX function call unicode access support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5028061.html 28010 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(url)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(url))\s*=/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13527 WEB-ACTIVEX D-Link MPEG4 SHM Audio Control ActiveX clsid access 28010 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|9|00|3|00|B|00|4|00|7|00|F|00|D|00|-|00|9|00|B|00|F|00|6|00|-|00|4|00|D|00|A|00|8|00|-|00|9|00|7|00|F|00|C|00|-|00|9|00|2|00|7|00|0|00|B|00|9|00|D|00|6|00|4|00|A|00|6|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13528 WEB-ACTIVEX D-Link MPEG4 SHM Audio Control ActiveX clsid unicode access 28010 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VAPgDecoder.VaPgCtrl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VAPgDecoder\.VaPgCtrl\x22|\x27VAPgDecoder\.VaPgCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*url\s*|.*(?P=v)\s*\.\s*url\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VAPgDecoder\.VaPgCtrl\x22|\x27VAPgDecoder\.VaPgCtrl\x27)\s*\)(\s*\.\s*url\s*|.*(?P=n)\s*\.\s*url)\s*=/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13529 WEB-ACTIVEX D-Link MPEG4 SHM Audio Control ActiveX function call access 28010 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|A|00|P|00|g|00|D|00|e|00|c|00|o|00|d|00|e|00|r|00|.|00|V|00|a|00|P|00|g|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)V\x00A\x00P\x00g\x00D\x00e\x00c\x00o\x00d\x00e\x00r\x00.\x00V\x00a\x00P\x00g\x00C\x00t\x00r\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)V\x00A\x00P\x00g\x00D\x00e\x00c\x00o\x00d\x00e\x00r\x00.\x00V\x00a\x00P\x00g\x00C\x00t\x00r\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13530 WEB-ACTIVEX D-Link MPEG4 SHM Audio Control ActiveX function call unicode access 28010 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"210D0CBC-8B17-48D1-B294-1A338DD2EB3A"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*210D0CBC-8B17-48D1-B294-1A338DD2EB3A\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(url)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*210D0CBC-8B17-48D1-B294-1A338DD2EB3A\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(url))\s*=/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13531 WEB-ACTIVEX 4xem VatCtrl ActiveX clsid access 28010 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|1|00|0|00|D|00|0|00|C|00|B|00|C|00|-|00|8|00|B|00|1|00|7|00|-|00|4|00|8|00|D|00|1|00|-|00|B|00|2|00|9|00|4|00|-|00|1|00|A|00|3|00|3|00|8|00|D|00|D|00|2|00|E|00|B|00|3|00|A|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q8>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13532 WEB-ACTIVEX 4xem VatCtrl ActiveX clsid unicode access 28010 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VATDecoder.VatCtrl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VATDecoder\.VatCtrl\x22|\x27VATDecoder\.VatCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*url\s*|.*(?P=v)\s*\.\s*url\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VATDecoder\.VatCtrl\x22|\x27VATDecoder\.VatCtrl\x27)\s*\)(\s*\.\s*url\s*|.*(?P=n)\s*\.\s*url)\s*=/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13533 WEB-ACTIVEX 4xem VatCtrl ActiveX function call access 28010 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|A|00|T|00|D|00|e|00|c|00|o|00|d|00|e|00|r|00|.|00|V|00|a|00|t|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q9>\x22|\x27|)V\x00A\x00T\x00D\x00e\x00c\x00o\x00d\x00e\x00r\x00.\x00V\x00a\x00t\x00C\x00t\x00r\x00l\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q10>\x22|\x27|)V\x00A\x00T\x00D\x00e\x00c\x00o\x00d\x00e\x00r\x00.\x00V\x00a\x00t\x00C\x00t\x00r\x00l\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13534 WEB-ACTIVEX 4xem VatCtrl ActiveX function call unicode access 28010 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"45830FF9-D9E6-4F41-86ED-B266933D8E90"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q11>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*45830FF9-D9E6-4F41-86ED-B266933D8E90\s*}?\s*(?P=q11)(\s|>).*(?P=id1)\s*\.\s*(url)|<object\s*[^>]*\s*classid\s*=\s*(?P<q12>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*45830FF9-D9E6-4F41-86ED-B266933D8E90\s*}?\s*(?P=q12)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\s*\.\s*(url))\s*=/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13535 WEB-ACTIVEX Vivotek RTSP MPEG4 SP Control ActiveX clsid access 28010 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|5|00|8|00|3|00|0|00|F|00|F|00|9|00|-|00|D|00|9|00|E|00|6|00|-|00|4|00|F|00|4|00|1|00|-|00|8|00|6|00|E|00|D|00|-|00|B|00|2|00|6|00|6|00|9|00|3|00|3|00|D|00|8|00|E|00|9|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q13>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q13)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13536 WEB-ACTIVEX Vivotek RTSP MPEG4 SP Control ActiveX clsid unicode access 28010 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"RtspVaPgDecoder.RtspVaPgCtrl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22RtspVaPgDecoder\.RtspVaPgCtrl\x22|\x27RtspVaPgDecoder\.RtspVaPgCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*url\s*|.*(?P=v)\s*\.\s*url\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22RtspVaPgDecoder\.RtspVaPgCtrl\x22|\x27RtspVaPgDecoder\.RtspVaPgCtrl\x27)\s*\)(\s*\.\s*url\s*|.*(?P=n)\s*\.\s*url)\s*=/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13537 WEB-ACTIVEX Vivotek RTSP MPEG4 SP Control ActiveX function call access 28010 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"R|00|t|00|s|00|p|00|V|00|a|00|P|00|g|00|D|00|e|00|c|00|o|00|d|00|e|00|r|00|.|00|R|00|t|00|s|00|p|00|V|00|a|00|P|00|g|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q14>\x22|\x27|)R\x00t\x00s\x00p\x00V\x00a\x00P\x00g\x00D\x00e\x00c\x00o\x00d\x00e\x00r\x00.\x00R\x00t\x00s\x00p\x00V\x00a\x00P\x00g\x00C\x00t\x00r\x00l\x00(?P=q14)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q15>\x22|\x27|)R\x00t\x00s\x00p\x00V\x00a\x00P\x00g\x00D\x00e\x00c\x00o\x00d\x00e\x00r\x00.\x00R\x00t\x00s\x00p\x00V\x00a\x00P\x00g\x00C\x00t\x00r\x00l\x00(?P=q15)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13538 WEB-ACTIVEX Vivotek RTSP MPEG4 SP Control ActiveX function call unicode access 26904 attempted-user 2007-6016 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"22acd16f-99eb-11d2-9bb3-00400561d975"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*22acd16f-99eb-11d2-9bb3-00400561d975\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(save)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*22acd16f-99eb-11d2-9bb3-00400561d975\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(save))\s*\(/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13539 WEB-ACTIVEX Symantec Backup Exec ActiveX clsid access www.symantec.com/avcenter/security/Content/2008.02.28.html 26904 attempted-user 2007-6016 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|2|00|a|00|c|00|d|00|1|00|6|00|f|00|-|00|9|00|9|00|e|00|b|00|-|00|1|00|1|00|d|00|2|00|-|00|9|00|b|00|b|00|3|00|-|00|0|00|0|00|4|00|0|00|0|00|5|00|6|00|1|00|d|00|9|00|7|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13540 WEB-ACTIVEX Symantec Backup Exec ActiveX clsid unicode access www.symantec.com/avcenter/security/Content/2008.02.28.html 26904 attempted-user 2007-6016 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"iPVATLCalendar.PVCalendar"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22iPVATLCalendar\.PVCalendar\x22|\x27iPVATLCalendar\.PVCalendar\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*save\s*|.*(?P=v)\s*\.\s*save\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22iPVATLCalendar\.PVCalendar\x22|\x27iPVATLCalendar\.PVCalendar\x27)\s*\)(\s*\.\s*save\s*|.*(?P=n)\s*\.\s*save\s*)\s*\(/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13541 WEB-ACTIVEX Symantec Backup Exec ActiveX function call access www.symantec.com/avcenter/security/Content/2008.02.28.html 26904 attempted-user 2007-6016 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"i|00|P|00|V|00|A|00|T|00|L|00|C|00|a|00|l|00|e|00|n|00|d|00|a|00|r|00|.|00|P|00|V|00|C|00|a|00|l|00|e|00|n|00|d|00|a|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)i\x00P\x00V\x00A\x00T\x00L\x00C\x00a\x00l\x00e\x00n\x00d\x00a\x00r\x00.\x00P\x00V\x00C\x00a\x00l\x00e\x00n\x00d\x00a\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)i\x00P\x00V\x00A\x00T\x00L\x00C\x00a\x00l\x00e\x00n\x00d\x00a\x00r\x00.\x00P\x00V\x00C\x00a\x00l\x00e\x00n\x00d\x00a\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13542 WEB-ACTIVEX Symantec Backup Exec ActiveX function call unicode access www.symantec.com/avcenter/security/Content/2008.02.28.html 28058 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13543 WEB-ACTIVEX Learn2 STRunner ActiveX clsid access 28058 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|B|00|7|00|2|00|C|00|C|00|A|00|4|00|-|00|5|00|F|00|1|00|1|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|C|00|B|00|5|00|-|00|0|00|0|00|0|00|0|00|C|00|0|00|E|00|C|00|9|00|F|00|D|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13544 WEB-ACTIVEX Learn2 STRunner ActiveX clsid unicode access 28058 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"STRunner.Popup1"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22STRunner\.Popup1\x22|\x27STRunner\.Popup1\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22STRunner\.Popup1\x22|\x27STRunner\.Popup1\x27)\s*\)/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13545 WEB-ACTIVEX Learn2 STRunner ActiveX function call access 28058 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"S|00|T|00|R|00|u|00|n|00|n|00|e|00|r|00|.|00|P|00|o|00|p|00|u|00|p|00|1|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)S\x00T\x00R\x00u\x00n\x00n\x00e\x00r\x00.\x00P\x00o\x00p\x00u\x00p\x001\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)S\x00T\x00R\x00u\x00n\x00n\x00e\x00r\x00.\x00P\x00o\x00p\x00u\x00p\x001\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13546 WEB-ACTIVEX Learn2 STRunner ActiveX function call unicode access 27715 attempted-user 2008-0748 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E9A7F56F-C40F-4928-8C6F-7A72F2A25222"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E9A7F56F-C40F-4928-8C6F-7A72F2A25222\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SetLogging)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E9A7F56F-C40F-4928-8C6F-7A72F2A25222\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetLogging))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13547 WEB-ACTIVEX Sony ImageStation ActiveX clsid access 27715 attempted-user 2008-0748 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|9|00|A|00|7|00|F|00|5|00|6|00|F|00|-|00|C|00|4|00|0|00|F|00|-|00|4|00|9|00|2|00|8|00|-|00|8|00|C|00|6|00|F|00|-|00|7|00|A|00|7|00|2|00|F|00|2|00|A|00|2|00|5|00|2|00|2|00|2|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13548 WEB-ACTIVEX Sony ImageStation ActiveX clsid unicode access 27715 attempted-user 2008-0748 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AxRUploadServer.AxRUploadControl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22AxRUploadServer\.AxRUploadControl\x22|\x27AxRUploadServer\.AxRUploadControl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SetLogging\s*|.*(?P=v)\s*\.\s*SetLogging\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AxRUploadServer\.AxRUploadControl\x22|\x27AxRUploadServer\.AxRUploadControl\x27)\s*\)(\s*\.\s*SetLogging\s*|.*(?P=n)\s*\.\s*SetLogging\s*)\s*\(/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13549 WEB-ACTIVEX Sony ImageStation ActiveX function call access 27715 attempted-user 2008-0748 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|x|00|R|00|U|00|p|00|l|00|o|00|a|00|d|00|S|00|e|00|r|00|v|00|e|00|r|00|.|00|A|00|x|00|R|00|U|00|p|00|l|00|o|00|a|00|d|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)A\x00x\x00R\x00U\x00p\x00l\x00o\x00a\x00d\x00S\x00e\x00r\x00v\x00e\x00r\x00.\x00A\x00x\x00R\x00U\x00p\x00l\x00o\x00a\x00d\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)A\x00x\x00R\x00U\x00p\x00l\x00o\x00a\x00d\x00S\x00e\x00r\x00v\x00e\x00r\x00.\x00A\x00x\x00R\x00U\x00p\x00l\x00o\x00a\x00d\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13550 WEB-ACTIVEX Sony ImageStation ActiveX function call unicode access attempted-user 2008-0118 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.ppt; metadata: engine shared, soid 3|13572, service http, policy balanced-ips drop, policy security-ips drop; 13572 WEB-CLIENT Microsoft Powerpoint malformed shapeid arbitrary code execution attempt www.microsoft.com/technet/security/bulletin/ms08-016.mspx misc-activity 2008-0112 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".slk"; nocase; http_uri; pcre:"/^[^\?]*\.slk([\?\x5c\x2f]|$)/Usi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:misc-activity; 13583 WEB-CLIENT Microsoft SYmbolic LinK file download request www.microsoft.com/technet/security/Bulletin/MS08-014.mspx misc-activity 2008-0112 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,csv.download; content:"ID|3B|P"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:misc-activity; 13585 WEB-CLIENT Microsoft SYmbolic LinK file download www.microsoft.com/technet/security/Bulletin/MS08-014.mspx 28118 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"855F3B16-6D32-4FE6-8A56-BBB695989046"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*855F3B16-6D32-4FE6-8A56-BBB695989046\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(IsChecked|GetPropertyById)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*855F3B16-6D32-4FE6-8A56-BBB695989046\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(IsChecked|GetPropertyById))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13595 WEB-ACTIVEX ICQ Toolbar toolbaru.dll ActiveX clsid access 28118 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|5|00|5|00|F|00|3|00|B|00|1|00|6|00|-|00|6|00|D|00|3|00|2|00|-|00|4|00|F|00|E|00|6|00|-|00|8|00|A|00|5|00|6|00|-|00|B|00|B|00|B|00|6|00|9|00|5|00|9|00|8|00|9|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13596 WEB-ACTIVEX ICQ Toolbar toolbaru.dll ActiveX clsid unicode access 28118 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"XTTB00001.XTTB00001"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22XTTB00001\.XTTB00001\x22|\x27XTTB00001\.XTTB00001\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(IsChecked|GetPropertyById)\s*|.*(?P=v)\s*\.\s*(IsChecked|GetPropertyById)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22XTTB00001\.XTTB00001\x22|\x27XTTB00001\.XTTB00001\x27)\s*\)(\s*\.\s*(IsChecked|GetPropertyById)\s*|.*(?P=n)\s*\.\s*(IsChecked|GetPropertyById)\s*)\s*\(/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13597 WEB-ACTIVEX ICQ Toolbar toolbaru.dll ActiveX function call access 28118 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"X|00|T|00|T|00|B|00|0|00|0|00|0|00|0|00|1|00|.|00|X|00|T|00|T|00|B|00|0|00|0|00|0|00|0|00|1|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)X\x00T\x00T\x00B\x000\x000\x000\x000\x001\x00.\x00X\x00T\x00T\x00B\x000\x000\x000\x000\x001\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)X\x00T\x00T\x00B\x000\x000\x000\x000\x001\x00.\x00X\x00T\x00T\x00B\x000\x000\x000\x000\x001\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13598 WEB-ACTIVEX ICQ Toolbar toolbaru.dll ActiveX function call unicode access 28172 attempted-user 2008-1307 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D82303B7-A754-4DCB-8AFC-8CF99435AACE"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D82303B7-A754-4DCB-8AFC-8CF99435AACE\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(SetUninstallName)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D82303B7-A754-4DCB-8AFC-8CF99435AACE\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(SetUninstallName))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13599 WEB-ACTIVEX Kingsoft Antivirus Online Update Module ActiveX clsid access 28172 attempted-user 2008-1307 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|8|00|2|00|3|00|0|00|3|00|B|00|7|00|-|00|A|00|7|00|5|00|4|00|-|00|4|00|D|00|C|00|B|00|-|00|8|00|A|00|F|00|C|00|-|00|8|00|C|00|F|00|9|00|9|00|4|00|3|00|5|00|A|00|A|00|C|00|E|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q8>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13600 WEB-ACTIVEX Kingsoft Antivirus Online Update Module ActiveX clsid unicode access 28172 attempted-user 2008-1307 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"UpdateOcx2.KUpdateObj2"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22UpdateOcx2\.KUpdateObj2\x22|\x27UpdateOcx2\.KUpdateObj2\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SetUninstallName\s*|.*(?P=v)\s*\.\s*SetUninstallName\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22UpdateOcx2\.KUpdateObj2\x22|\x27UpdateOcx2\.KUpdateObj2\x27)\s*\)(\s*\.\s*SetUninstallName\s*|.*(?P=n)\s*\.\s*SetUninstallName\s*)\s*\(/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13601 WEB-ACTIVEX Kingsoft Antivirus Online Update Module ActiveX function call access 28172 attempted-user 2008-1307 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"U|00|p|00|d|00|a|00|t|00|e|00|O|00|c|00|x|00|2|00|.|00|K|00|U|00|p|00|d|00|a|00|t|00|e|00|O|00|b|00|j|00|2|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q9>\x22|\x27|)U\x00p\x00d\x00a\x00t\x00e\x00O\x00c\x00x\x002\x00.\x00K\x00U\x00p\x00d\x00a\x00t\x00e\x00O\x00b\x00j\x002\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q10>\x22|\x27|)U\x00p\x00d\x00a\x00t\x00e\x00O\x00c\x00x\x002\x00.\x00K\x00U\x00p\x00d\x00a\x00t\x00e\x00O\x00b\x00j\x002\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13602 WEB-ACTIVEX Kingsoft Antivirus Online Update Module ActiveX function call unicode access attempted-admin 2006-5583 udp $EXTERNAL_NET any -> $HOME_NET 161 content:"0"; depth:1; content:"|02|"; within:1; distance:1; content:!"|00|"; within:1; distance:1; content:"|04|"; distance:2; byte_jump:1, 0, relative; content:"|A5|"; content:"|02 01 00 02 01 04 02 01 03|"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; metadata:policy security-ips drop, service snmp; classtype:attempted-admin; 13619 SPECIFIC-THREATS Microsoft getBulkRequest memory corruption attempt www.microsoft.com/technet/security/bulletin/ms06-074.mspx 28268 attempted-user 2008-1472 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AddColumn)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(AddColumn))\s*\(/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13621 WEB-ACTIVEX CA BrightStor ListCtrl ActiveX clsid access 28268 attempted-user 2008-1472 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|F|00|6|00|E|00|F|00|F|00|F|00|3|00|-|00|4|00|5|00|5|00|8|00|-|00|4|00|C|00|4|00|C|00|-|00|A|00|D|00|A|00|F|00|-|00|A|00|8|00|7|00|8|00|9|00|1|00|C|00|5|00|F|00|3|00|A|00|3|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13622 WEB-ACTIVEX CA BrightStor ListCtrl ActiveX clsid unicode access 28268 attempted-user 2008-1472 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"LISTCTRL.ListCtrlCtrl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22LISTCTRL\.ListCtrlCtrl\x22|\x27LISTCTRL\.ListCtrlCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*AddColumn\s*|.*(?P=v)\s*\.\s*AddColumn\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LISTCTRL\.ListCtrlCtrl\x22|\x27LISTCTRL\.ListCtrlCtrl\x27)\s*\)(\s*\.\s*AddColumn\s*|.*(?P=n)\s*\.\s*AddColumn\s*)\s*\(/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13623 WEB-ACTIVEX CA BrightStor ListCtrl ActiveX function call access 28268 attempted-user 2008-1472 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"L|00|I|00|S|00|T|00|C|00|T|00|R|00|L|00|.|00|L|00|i|00|s|00|t|00|C|00|t|00|r|00|l|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)L\x00I\x00S\x00T\x00C\x00T\x00R\x00L\x00.\x00L\x00i\x00s\x00t\x00C\x00t\x00r\x00l\x00C\x00t\x00r\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)L\x00I\x00S\x00T\x00C\x00T\x00R\x00L\x00.\x00L\x00i\x00s\x00t\x00C\x00t\x00r\x00l\x00C\x00t\x00r\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13624 WEB-ACTIVEX CA BrightStor ListCtrl ActiveX function call unicode access 26468 suspicious-filename-detect 2008-1092 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:suspicious-filename-detect; metadata: engine shared, soid 3|13626, service http, policy balanced-ips drop, policy security-ips drop; 13626 WEB-CLIENT Microsoft Access download attempt www.microsoft.com/technet/security/bulletin/MS08-028.mspx 26468 suspicious-filename-detect 2008-1092 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:suspicious-filename-detect; metadata: engine shared, soid 3|13629, service http, policy balanced-ips drop, policy security-ips drop; 13629 WEB-CLIENT Microsoft Access JSDB download attempt www.microsoft.com/technet/security/bulletin/MS08-028.mspx 26468 suspicious-filename-detect 2008-1092 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:suspicious-filename-detect; metadata: engine shared, soid 3|13630, service http, policy balanced-ips drop, policy security-ips drop; 13630 WEB-CLIENT Microsoft Access TJDB download attempt www.microsoft.com/technet/security/bulletin/MS08-028.mspx 26468 suspicious-filename-detect 2008-1092 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:suspicious-filename-detect; metadata: engine shared, soid 3|13633, service http, policy balanced-ips drop, policy security-ips drop; 13633 WEB-CLIENT Microsoft Access MSISAM download attempt www.microsoft.com/technet/security/bulletin/MS08-028.mspx 28292 attempted-user 2007-6254 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B20D9D6A-0DEC-4d76-9BEF-175896006B4A"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B20D9D6A-0DEC-4d76-9BEF-175896006B4A\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13657 WEB-ACTIVEX BusinessObjects RptViewerAx ActiveX clsid access 28292 attempted-user 2007-6254 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|2|00|0|00|D|00|9|00|D|00|6|00|A|00|-|00|0|00|D|00|E|00|C|00|-|00|4|00|d|00|7|00|6|00|-|00|9|00|B|00|E|00|F|00|-|00|1|00|7|00|5|00|8|00|9|00|6|00|0|00|0|00|6|00|B|00|4|00|A|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13658 WEB-ACTIVEX BusinessObjects RptViewerAx ActiveX clsid unicode access 28292 attempted-user 2007-6254 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BusinessObjects.RptViewerAX"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22BusinessObjects\.RptViewerAX\x22|\x27BusinessObjects\.RptViewerAX\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BusinessObjects\.RptViewerAX\x22|\x27BusinessObjects\.RptViewerAX\x27)\s*\)/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13659 WEB-ACTIVEX BusinessObjects RptViewerAx ActiveX function call access 28292 attempted-user 2007-6254 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|u|00|s|00|i|00|n|00|e|00|s|00|s|00|O|00|b|00|j|00|e|00|c|00|t|00|s|00|.|00|R|00|p|00|t|00|V|00|i|00|e|00|w|00|e|00|r|00|A|00|X|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)B\x00u\x00s\x00i\x00n\x00e\x00s\x00s\x00O\x00b\x00j\x00e\x00c\x00t\x00s\x00.\x00R\x00p\x00t\x00V\x00i\x00e\x00w\x00e\x00r\x00A\x00X\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)B\x00u\x00s\x00i\x00n\x00e\x00s\x00s\x00O\x00b\x00j\x00e\x00c\x00t\x00s\x00.\x00R\x00p\x00t\x00V\x00i\x00e\x00w\x00e\x00r\x00A\x00X\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13660 WEB-ACTIVEX BusinessObjects RptViewerAx ActiveX function call unicode access 28301 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"04FD48E6-0712-4937-B09E-F3D285B11D82"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*04FD48E6-0712-4937-B09E-F3D285B11D82\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*RemoveFileOrDir|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*04FD48E6-0712-4937-B09E-F3D285B11D82\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.RemoveFileOrDir)\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13661 WEB-ACTIVEX VeralSoft HTTP File Upload ActiveX clsid access 28301 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|4|00|F|00|D|00|4|00|8|00|E|00|6|00|-|00|0|00|7|00|1|00|2|00|-|00|4|00|9|00|3|00|7|00|-|00|B|00|0|00|9|00|E|00|-|00|F|00|3|00|D|00|2|00|8|00|5|00|B|00|1|00|1|00|D|00|8|00|2|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13662 WEB-ACTIVEX VeralSoft HTTP File Upload ActiveX clsid unicode access attempted-user 2008-1083 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,emf.request; metadata: engine shared, soid 3|13666, policy security-ips drop; 13666 WEB-CLIENT Microsoft GDI integer overflow attempt www.microsoft.com/technet/security/bulletin/MS08-021.mspx attempted-user 2008-1086 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13668, service http, policy balanced-ips drop, policy security-ips drop; 13668 WEB-ACTIVEX Microsoft Help 2.0 Contents Control ActiveX clsid access www.microsoft.com/technet/security/Bulletin/MS08-023.mspx attempted-user 2008-1086 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13670, service http, policy balanced-ips drop, policy security-ips drop; 13670 WEB-ACTIVEX Microsoft Help 2.0 Contents Control ActiveX function call access www.microsoft.com/technet/security/Bulletin/MS08-023.mspx attempted-user 2008-1086 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13672, service http, policy balanced-ips drop, policy security-ips drop; 13672 WEB-ACTIVEX Microsoft Help 2.0 Contents Control 2 ActiveX clsid access www.microsoft.com/technet/security/Bulletin/MS08-023.mspx attempted-user 2008-1086 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13674, service http, policy balanced-ips drop, policy security-ips drop; 13674 WEB-ACTIVEX Microsoft Help 2.0 Contents Control 2 ActiveX function call access www.microsoft.com/technet/security/Bulletin/MS08-023.mspx attempted-user 2008-1087 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".emf"; fast_pattern; nocase; http_uri; flowbits:set,emf.request; flowbits:noalert; classtype:attempted-user; 13678 MISC Microsoft EMF metafile access detected www.microsoft.com/technet/security/bulletin/MS08-021.mspx 28700 attempted-user 2008-1725 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"24445430-F789-11CE-86F8-0020AFD8C6DB"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*24445430-F789-11CE-86F8-0020AFD8C6DB\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*WriteOFXDataFile|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*24445430-F789-11CE-86F8-0020AFD8C6DB\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.WriteOFXDataFile)\s*\(/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13679 WEB-ACTIVEX IBiz EBanking Integrator ActiveX clsid access 28700 attempted-user 2008-1725 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|4|00|4|00|4|00|5|00|4|00|3|00|0|00|-|00|F|00|7|00|8|00|9|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|6|00|F|00|8|00|-|00|0|00|0|00|2|00|0|00|A|00|F|00|D|00|8|00|C|00|6|00|D|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13680 WEB-ACTIVEX IBiz EBanking Integrator ActiveX clsid unicode access 28666 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AA07EBD2-EBDD-4BD6-9F8F-114BD513492C"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q4>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AA07EBD2-EBDD-4BD6-9F8F-114BD513492C\s*}?\s*(?P=q4)(\s|>).*(?P=id1)\s*\.\s*(HttpSkin|SkinPath)|<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AA07EBD2-EBDD-4BD6-9F8F-114BD513492C\s*}?\s*(?P=q5)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(HttpSkin|SkinPath))\s*=/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13681 WEB-ACTIVEX CDNetworks Nefficient Download ActiveX clsid access 28666 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|A|00|0|00|7|00|E|00|B|00|D|00|2|00|-|00|E|00|B|00|D|00|D|00|-|00|4|00|B|00|D|00|6|00|-|00|9|00|F|00|8|00|F|00|-|00|1|00|1|00|4|00|B|00|D|00|5|00|1|00|3|00|4|00|9|00|2|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q6>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13682 WEB-ACTIVEX CDNetworks Nefficient Download ActiveX clsid unicode access 28666 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"NeffyLauncher.NeffyLauncherCtl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22NeffyLauncher\.NeffyLauncherCtl\x22|\x27NeffyLauncher\.NeffyLauncherCtl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(HttpSkin|SkinPath)\s*|.*(?P=v)\s*\.\s*(HttpSkin|SkinPath)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NeffyLauncher\.NeffyLauncherCtl\x22|\x27NeffyLauncher\.NeffyLauncherCtl\x27)\s*\)(\s*\.\s*(HttpSkin|SkinPath)\s*|.*(?P=n)\s*\.\s*(HttpSkin|SkinPath))\s*=/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13683 WEB-ACTIVEX CDNetworks Nefficient Download ActiveX function call access 28666 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"N|00|e|00|f|00|f|00|y|00|L|00|a|00|u|00|n|00|c|00|h|00|e|00|r|00|.|00|N|00|e|00|f|00|f|00|y|00|L|00|a|00|u|00|n|00|c|00|h|00|e|00|r|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q7>\x22|\x27|)N\x00e\x00f\x00f\x00y\x00L\x00a\x00u\x00n\x00c\x00h\x00e\x00r\x00.\x00N\x00e\x00f\x00f\x00y\x00L\x00a\x00u\x00n\x00c\x00h\x00e\x00r\x00C\x00t\x00l\x00(?P=q7)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q8>\x22|\x27|)N\x00e\x00f\x00f\x00y\x00L\x00a\x00u\x00n\x00c\x00h\x00e\x00r\x00.\x00N\x00e\x00f\x00f\x00y\x00L\x00a\x00u\x00n\x00c\x00h\x00e\x00r\x00C\x00t\x00l\x00(?P=q8)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13684 WEB-ACTIVEX CDNetworks Nefficient Download ActiveX function call unicode access 28546 attempted-user 2008-1647 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"39E861BD-E606-4733-8C79-FADDFD61DC8A"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q9>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*39E861BD-E606-4733-8C79-FADDFD61DC8A\s*}?\s*(?P=q9)(\s|>).*(?P=id1)\s*\.\s*(SaveLastError)|<object\s*[^>]*\s*classid\s*=\s*(?P<q10>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*39E861BD-E606-4733-8C79-FADDFD61DC8A\s*}?\s*(?P=q10)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\.(SaveLastError))\s*\(/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13685 WEB-ACTIVEX Chilkat HTTP 1 ActiveX clsid access 28546 attempted-user 2008-1647 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|9|00|E|00|8|00|6|00|1|00|B|00|D|00|-|00|E|00|6|00|0|00|6|00|-|00|4|00|7|00|3|00|3|00|-|00|8|00|C|00|7|00|9|00|-|00|F|00|A|00|D|00|D|00|F|00|D|00|6|00|1|00|D|00|C|00|8|00|A|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q11>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q11)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13686 WEB-ACTIVEX Chilkat HTTP 1 ActiveX clsid unicode access 28546 attempted-user 2008-1647 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CHILKATHTTPLib.ChilkatHttp"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22CHILKATHTTPLib\.ChilkatHttp\x22|\x27CHILKATHTTPLib\.ChilkatHttp\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveLastError\s*|.*(?P=v)\s*\.\s*SaveLastError\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22CHILKATHTTPLib\.ChilkatHttp\x22|\x27CHILKATHTTPLib\.ChilkatHttp\x27)\s*\)(\s*\.\s*SaveLastError\s*|.*(?P=n)\s*\.\s*SaveLastError\s*)\s*\(/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13687 WEB-ACTIVEX Chilkat HTTP 1 ActiveX function call access 28546 attempted-user 2008-1647 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|H|00|I|00|L|00|K|00|A|00|T|00|H|00|T|00|T|00|P|00|L|00|i|00|b|00|.|00|C|00|h|00|i|00|l|00|k|00|a|00|t|00|H|00|t|00|t|00|p|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q12>\x22|\x27|)C\x00H\x00I\x00L\x00K\x00A\x00T\x00H\x00T\x00T\x00P\x00L\x00i\x00b\x00.\x00C\x00h\x00i\x00l\x00k\x00a\x00t\x00H\x00t\x00t\x00p\x00(?P=q12)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q13>\x22|\x27|)C\x00H\x00I\x00L\x00K\x00A\x00T\x00H\x00T\x00T\x00P\x00L\x00i\x00b\x00.\x00C\x00h\x00i\x00l\x00k\x00a\x00t\x00H\x00t\x00t\x00p\x00(?P=q13)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13688 WEB-ACTIVEX Chilkat HTTP 1 ActiveX function call unicode access 28546 attempted-user 2008-1647 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B973393F-27C7-4781-877D-8626AAEDF119"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q14>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B973393F-27C7-4781-877D-8626AAEDF119\s*}?\s*(?P=q14)(\s|>).*(?P=id1)\s*\.\s*(SaveLastError)|<object\s*[^>]*\s*classid\s*=\s*(?P<q15>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B973393F-27C7-4781-877D-8626AAEDF119\s*}?\s*(?P=q15)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\.(SaveLastError))\s*\(/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13689 WEB-ACTIVEX Chilkat HTTP 2 ActiveX clsid access 28546 attempted-user 2008-1647 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|9|00|7|00|3|00|3|00|9|00|3|00|F|00|-|00|2|00|7|00|C|00|7|00|-|00|4|00|7|00|8|00|1|00|-|00|8|00|7|00|7|00|D|00|-|00|8|00|6|00|2|00|6|00|A|00|A|00|E|00|D|00|F|00|1|00|1|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q16>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q16)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13690 WEB-ACTIVEX Chilkat HTTP 2 ActiveX clsid unicode access 28546 attempted-user 2008-1647 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CHILKATHTTPLib.ChilkatHttpRequest"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22CHILKATHTTPLib\.ChilkatHttpRequest\x22|\x27CHILKATHTTPLib\.ChilkatHttpRequest\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveLastError\s*|.*(?P=v)\s*\.\s*SaveLastError\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22CHILKATHTTPLib\.ChilkatHttpRequest\x22|\x27CHILKATHTTPLib\.ChilkatHttpRequest\x27)\s*\)(\s*\.\s*SaveLastError\s*|.*(?P=n)\s*\.\s*SaveLastError\s*)\s*\(/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13691 WEB-ACTIVEX Chilkat HTTP 2 ActiveX function call access 28546 attempted-user 2008-1647 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|H|00|I|00|L|00|K|00|A|00|T|00|H|00|T|00|T|00|P|00|L|00|i|00|b|00|.|00|C|00|h|00|i|00|l|00|k|00|a|00|t|00|H|00|t|00|t|00|p|00|R|00|e|00|q|00|u|00|e|00|s|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q17>\x22|\x27|)C\x00H\x00I\x00L\x00K\x00A\x00T\x00H\x00T\x00T\x00P\x00L\x00i\x00b\x00.\x00C\x00h\x00i\x00l\x00k\x00a\x00t\x00H\x00t\x00t\x00p\x00R\x00e\x00q\x00u\x00e\x00s\x00t\x00(?P=q17)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q18>\x22|\x27|)C\x00H\x00I\x00L\x00K\x00A\x00T\x00H\x00T\x00T\x00P\x00L\x00i\x00b\x00.\x00C\x00h\x00i\x00l\x00k\x00a\x00t\x00H\x00t\x00t\x00p\x00R\x00e\x00q\x00u\x00e\x00s\x00t\x00(?P=q18)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13692 WEB-ACTIVEX Chilkat HTTP 2 ActiveX function call unicode access 28809 attempted-user 2008-1786 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E6239EB3-E0B0-46DA-A215-CFA9B3B740C5"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E6239EB3-E0B0-46DA-A215-CFA9B3B740C5\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SetColumnColor|SetColumnLabel)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E6239EB3-E0B0-46DA-A215-CFA9B3B740C5\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetColumnColor|SetColumnLabel))\s*\(/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13699 WEB-ACTIVEX CA DSM gui_cm_ctrls ActiveX clsid access 28809 attempted-user 2008-1786 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|6|00|2|00|3|00|9|00|E|00|B|00|3|00|-|00|E|00|0|00|B|00|0|00|-|00|4|00|6|00|D|00|A|00|-|00|A|00|2|00|1|00|5|00|-|00|C|00|F|00|A|00|9|00|B|00|3|00|B|00|7|00|4|00|0|00|C|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x006\x002\x003\x009\x00E\x00B\x003\x00-\x00E\x000\x00B\x000\x00-\x004\x006\x00D\x00A\x00-\x00A\x002\x001\x005\x00-\x00C\x00F\x00A\x009\x00B\x003\x00B\x007\x004\x000\x00C\x005\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13700 WEB-ACTIVEX CA DSM gui_cm_ctrls ActiveX clsid unicode access 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"17E67D4A-23A1-40D8-A049-EE34C0AF756A"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q31>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*17E67D4A-23A1-40D8-A049-EE34C0AF756A\s*}?\s*(?P=q31)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13720 WEB-ACTIVEX HP eSupportDiagnostics 3 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|7|00|E|00|6|00|7|00|D|00|4|00|A|00|-|00|2|00|3|00|A|00|1|00|-|00|4|00|0|00|D|00|8|00|-|00|A|00|0|00|4|00|9|00|-|00|E|00|E|00|3|00|4|00|C|00|0|00|A|00|F|00|7|00|5|00|6|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q32>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x007\x00E\x006\x007\x00D\x004\x00A\x00-\x002\x003\x00A\x001\x00-\x004\x000\x00D\x008\x00-\x00A\x000\x004\x009\x00-\x00E\x00E\x003\x004\x00C\x000\x00A\x00F\x007\x005\x006\x00A\x00(}\x00)?(?P=q32)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13721 WEB-ACTIVEX HP eSupportDiagnostics 3 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"42C68651-1700-4750-A81F-A1F5110E0F66"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q33>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*42C68651-1700-4750-A81F-A1F5110E0F66\s*}?\s*(?P=q33)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13722 WEB-ACTIVEX HP eSupportDiagnostics 4 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|2|00|C|00|6|00|8|00|6|00|5|00|1|00|-|00|1|00|7|00|0|00|0|00|-|00|4|00|7|00|5|00|0|00|-|00|A|00|8|00|1|00|F|00|-|00|A|00|1|00|F|00|5|00|1|00|1|00|0|00|E|00|0|00|F|00|6|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q34>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x002\x00C\x006\x008\x006\x005\x001\x00-\x001\x007\x000\x000\x00-\x004\x007\x005\x000\x00-\x00A\x008\x001\x00F\x00-\x00A\x001\x00F\x005\x001\x001\x000\x00E\x000\x00F\x006\x006\x00(}\x00)?(?P=q34)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13723 WEB-ACTIVEX HP eSupportDiagnostics 4 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4774922A-8983-4ECC-94FD-7235F06F53A1"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q35>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4774922A-8983-4ECC-94FD-7235F06F53A1\s*}?\s*(?P=q35)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13724 WEB-ACTIVEX HP eSupportDiagnostics 5 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|7|00|7|00|4|00|9|00|2|00|2|00|A|00|-|00|8|00|9|00|8|00|3|00|-|00|4|00|E|00|C|00|C|00|-|00|9|00|4|00|F|00|D|00|-|00|7|00|2|00|3|00|5|00|F|00|0|00|6|00|F|00|5|00|3|00|A|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q36>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x007\x007\x004\x009\x002\x002\x00A\x00-\x008\x009\x008\x003\x00-\x004\x00E\x00C\x00C\x00-\x009\x004\x00F\x00D\x00-\x007\x002\x003\x005\x00F\x000\x006\x00F\x005\x003\x00A\x001\x00(}\x00)?(?P=q36)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13725 WEB-ACTIVEX HP eSupportDiagnostics 5 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"60178279-6D62-43af-A336-77925651A4C6"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q37>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*60178279-6D62-43af-A336-77925651A4C6\s*}?\s*(?P=q37)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13726 WEB-ACTIVEX HP eSupportDiagnostics 6 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|0|00|1|00|7|00|8|00|2|00|7|00|9|00|-|00|6|00|D|00|6|00|2|00|-|00|4|00|3|00|a|00|f|00|-|00|A|00|3|00|3|00|6|00|-|00|7|00|7|00|9|00|2|00|5|00|6|00|5|00|1|00|A|00|4|00|C|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q38>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x000\x001\x007\x008\x002\x007\x009\x00-\x006\x00D\x006\x002\x00-\x004\x003\x00a\x00f\x00-\x00A\x003\x003\x006\x00-\x007\x007\x009\x002\x005\x006\x005\x001\x00A\x004\x00C\x006\x00(}\x00)?(?P=q38)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13727 WEB-ACTIVEX HP eSupportDiagnostics 6 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6470DE80-1635-4B5D-93A3-3701CE148A79"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q39>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6470DE80-1635-4B5D-93A3-3701CE148A79\s*}?\s*(?P=q39)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13728 WEB-ACTIVEX HP eSupportDiagnostics 7 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|4|00|7|00|0|00|D|00|E|00|8|00|0|00|-|00|1|00|6|00|3|00|5|00|-|00|4|00|B|00|5|00|D|00|-|00|9|00|3|00|A|00|3|00|-|00|3|00|7|00|0|00|1|00|C|00|E|00|1|00|4|00|8|00|A|00|7|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q40>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x004\x007\x000\x00D\x00E\x008\x000\x00-\x001\x006\x003\x005\x00-\x004\x00B\x005\x00D\x00-\x009\x003\x00A\x003\x00-\x003\x007\x000\x001\x00C\x00E\x001\x004\x008\x00A\x007\x009\x00(}\x00)?(?P=q40)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13729 WEB-ACTIVEX HP eSupportDiagnostics 7 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"784F2933-6BDD-4E5F-B1BA-A8D99B603649"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q41>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*784F2933-6BDD-4E5F-B1BA-A8D99B603649\s*}?\s*(?P=q41)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13730 WEB-ACTIVEX HP eSupportDiagnostics 8 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|8|00|4|00|F|00|2|00|9|00|3|00|3|00|-|00|6|00|B|00|D|00|D|00|-|00|4|00|E|00|5|00|F|00|-|00|B|00|1|00|B|00|A|00|-|00|A|00|8|00|D|00|9|00|9|00|B|00|6|00|0|00|3|00|6|00|4|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q42>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x008\x004\x00F\x002\x009\x003\x003\x00-\x006\x00B\x00D\x00D\x00-\x004\x00E\x005\x00F\x00-\x00B\x001\x00B\x00A\x00-\x00A\x008\x00D\x009\x009\x00B\x006\x000\x003\x006\x004\x009\x00(}\x00)?(?P=q42)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13731 WEB-ACTIVEX HP eSupportDiagnostics 8 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"910E7ADE-7F75-402D-A4A6-BB1A82362FCA"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q43>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*910E7ADE-7F75-402D-A4A6-BB1A82362FCA\s*}?\s*(?P=q43)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13732 WEB-ACTIVEX HP eSupportDiagnostics 9 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|1|00|0|00|E|00|7|00|A|00|D|00|E|00|-|00|7|00|F|00|7|00|5|00|-|00|4|00|0|00|2|00|D|00|-|00|A|00|4|00|A|00|6|00|-|00|B|00|B|00|1|00|A|00|8|00|2|00|3|00|6|00|2|00|F|00|C|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q44>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x001\x000\x00E\x007\x00A\x00D\x00E\x00-\x007\x00F\x007\x005\x00-\x004\x000\x002\x00D\x00-\x00A\x004\x00A\x006\x00-\x00B\x00B\x001\x00A\x008\x002\x003\x006\x002\x00F\x00C\x00A\x00(}\x00)?(?P=q44)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13733 WEB-ACTIVEX HP eSupportDiagnostics 9 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"93441C07-E57E-4086-B912-F323D741A9D8"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q4>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*93441C07-E57E-4086-B912-F323D741A9D8\s*}?\s*(?P=q4)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13734 WEB-ACTIVEX HP eSupportDiagnostics 10 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|3|00|4|00|4|00|1|00|C|00|0|00|7|00|-|00|E|00|5|00|7|00|E|00|-|00|4|00|0|00|8|00|6|00|-|00|B|00|9|00|1|00|2|00|-|00|F|00|3|00|2|00|3|00|D|00|7|00|4|00|1|00|A|00|9|00|D|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q5>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x003\x004\x004\x001\x00C\x000\x007\x00-\x00E\x005\x007\x00E\x00-\x004\x000\x008\x006\x00-\x00B\x009\x001\x002\x00-\x00F\x003\x002\x003\x00D\x007\x004\x001\x00A\x009\x00D\x008\x00(}\x00)?(?P=q5)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13735 WEB-ACTIVEX HP eSupportDiagnostics 10 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A95845D8-8463-4605-B5FB-4F8CFBAC5C47"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A95845D8-8463-4605-B5FB-4F8CFBAC5C47\s*}?\s*(?P=q6)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13736 WEB-ACTIVEX HP eSupportDiagnostics 11 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|9|00|5|00|8|00|4|00|5|00|D|00|8|00|-|00|8|00|4|00|6|00|3|00|-|00|4|00|6|00|0|00|5|00|-|00|B|00|5|00|F|00|B|00|-|00|4|00|F|00|8|00|C|00|F|00|B|00|A|00|C|00|5|00|C|00|4|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q7>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x009\x005\x008\x004\x005\x00D\x008\x00-\x008\x004\x006\x003\x00-\x004\x006\x000\x005\x00-\x00B\x005\x00F\x00B\x00-\x004\x00F\x008\x00C\x00F\x00B\x00A\x00C\x005\x00C\x004\x007\x00(}\x00)?(?P=q7)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13737 WEB-ACTIVEX HP eSupportDiagnostics 11 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AB049B11-607B-46C8-BBF7-F4D6AF301046"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q8>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AB049B11-607B-46C8-BBF7-F4D6AF301046\s*}?\s*(?P=q8)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13738 WEB-ACTIVEX HP eSupportDiagnostics 12 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|B|00|0|00|4|00|9|00|B|00|1|00|1|00|-|00|6|00|0|00|7|00|B|00|-|00|4|00|6|00|C|00|8|00|-|00|B|00|B|00|F|00|7|00|-|00|F|00|4|00|D|00|6|00|A|00|F|00|3|00|0|00|1|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q9>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00B\x000\x004\x009\x00B\x001\x001\x00-\x006\x000\x007\x00B\x00-\x004\x006\x00C\x008\x00-\x00B\x00B\x00F\x007\x00-\x00F\x004\x00D\x006\x00A\x00F\x003\x000\x001\x000\x004\x006\x00(}\x00)?(?P=q9)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13739 WEB-ACTIVEX HP eSupportDiagnostics 12 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AB237044-8A3B-42BB-9EE1-9BFA6721D9ED"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q10>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AB237044-8A3B-42BB-9EE1-9BFA6721D9ED\s*}?\s*(?P=q10)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13740 WEB-ACTIVEX HP eSupportDiagnostics 13 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|B|00|2|00|3|00|7|00|0|00|4|00|4|00|-|00|8|00|A|00|3|00|B|00|-|00|4|00|2|00|B|00|B|00|-|00|9|00|E|00|E|00|1|00|-|00|9|00|B|00|F|00|A|00|6|00|7|00|2|00|1|00|D|00|9|00|E|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q11>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00B\x002\x003\x007\x000\x004\x004\x00-\x008\x00A\x003\x00B\x00-\x004\x002\x00B\x00B\x00-\x009\x00E\x00E\x001\x00-\x009\x00B\x00F\x00A\x006\x007\x002\x001\x00D\x009\x00E\x00D\x00(}\x00)?(?P=q11)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13741 WEB-ACTIVEX HP eSupportDiagnostics 13 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B9C13CD0-5A97-4C6B-8A50-7638020E2462"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q12>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B9C13CD0-5A97-4C6B-8A50-7638020E2462\s*}?\s*(?P=q12)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13742 WEB-ACTIVEX HP eSupportDiagnostics 14 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|9|00|C|00|1|00|3|00|C|00|D|00|0|00|-|00|5|00|A|00|9|00|7|00|-|00|4|00|C|00|6|00|B|00|-|00|8|00|A|00|5|00|0|00|-|00|7|00|6|00|3|00|8|00|0|00|2|00|0|00|E|00|2|00|4|00|6|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q13>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x009\x00C\x001\x003\x00C\x00D\x000\x00-\x005\x00A\x009\x007\x00-\x004\x00C\x006\x00B\x00-\x008\x00A\x005\x000\x00-\x007\x006\x003\x008\x000\x002\x000\x00E\x002\x004\x006\x002\x00(}\x00)?(?P=q13)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13743 WEB-ACTIVEX HP eSupportDiagnostics 14 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BF931895-AF82-467A-8819-917C6EE2D1F3"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q14>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BF931895-AF82-467A-8819-917C6EE2D1F3\s*}?\s*(?P=q14)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13744 WEB-ACTIVEX HP eSupportDiagnostics 15 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|F|00|9|00|3|00|1|00|8|00|9|00|5|00|-|00|A|00|F|00|8|00|2|00|-|00|4|00|6|00|7|00|A|00|-|00|8|00|8|00|1|00|9|00|-|00|9|00|1|00|7|00|C|00|6|00|E|00|E|00|2|00|D|00|1|00|F|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q15>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x00F\x009\x003\x001\x008\x009\x005\x00-\x00A\x00F\x008\x002\x00-\x004\x006\x007\x00A\x00-\x008\x008\x001\x009\x00-\x009\x001\x007\x00C\x006\x00E\x00E\x002\x00D\x001\x00F\x003\x00(}\x00)?(?P=q15)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13745 WEB-ACTIVEX HP eSupportDiagnostics 15 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C70D0641-DDE1-4FD7-A4D4-DA187B80741D"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q16>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C70D0641-DDE1-4FD7-A4D4-DA187B80741D\s*}?\s*(?P=q16)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13746 WEB-ACTIVEX HP eSupportDiagnostics 16 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|7|00|0|00|D|00|0|00|6|00|4|00|1|00|-|00|D|00|D|00|E|00|1|00|-|00|4|00|F|00|D|00|7|00|-|00|A|00|4|00|D|00|4|00|-|00|D|00|A|00|1|00|8|00|7|00|B|00|8|00|0|00|7|00|4|00|1|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q17>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x007\x000\x00D\x000\x006\x004\x001\x00-\x00D\x00D\x00E\x001\x00-\x004\x00F\x00D\x007\x00-\x00A\x004\x00D\x004\x00-\x00D\x00A\x001\x008\x007\x00B\x008\x000\x007\x004\x001\x00D\x00(}\x00)?(?P=q17)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13747 WEB-ACTIVEX HP eSupportDiagnostics 16 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C94188F6-0F9F-46B3-8B78-D71907BD8B77"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q18>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C94188F6-0F9F-46B3-8B78-D71907BD8B77\s*}?\s*(?P=q18)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13748 WEB-ACTIVEX HP eSupportDiagnostics 17 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|9|00|4|00|1|00|8|00|8|00|F|00|6|00|-|00|0|00|F|00|9|00|F|00|-|00|4|00|6|00|B|00|3|00|-|00|8|00|B|00|7|00|8|00|-|00|D|00|7|00|1|00|9|00|0|00|7|00|B|00|D|00|8|00|B|00|7|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q19>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x009\x004\x001\x008\x008\x00F\x006\x00-\x000\x00F\x009\x00F\x00-\x004\x006\x00B\x003\x00-\x008\x00B\x007\x008\x00-\x00D\x007\x001\x009\x000\x007\x00B\x00D\x008\x00B\x007\x007\x00(}\x00)?(?P=q19)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13749 WEB-ACTIVEX HP eSupportDiagnostics 17 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CF6866F9-B67C-4B24-9957-F91E91E788DC"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q20>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CF6866F9-B67C-4B24-9957-F91E91E788DC\s*}?\s*(?P=q20)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13750 WEB-ACTIVEX HP eSupportDiagnostics 18 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|F|00|6|00|8|00|6|00|6|00|F|00|9|00|-|00|B|00|6|00|7|00|C|00|-|00|4|00|B|00|2|00|4|00|-|00|9|00|9|00|5|00|7|00|-|00|F|00|9|00|1|00|E|00|9|00|1|00|E|00|7|00|8|00|8|00|D|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q21>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00F\x006\x008\x006\x006\x00F\x009\x00-\x00B\x006\x007\x00C\x00-\x004\x00B\x002\x004\x00-\x009\x009\x005\x007\x00-\x00F\x009\x001\x00E\x009\x001\x00E\x007\x008\x008\x00D\x00C\x00(}\x00)?(?P=q21)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13751 WEB-ACTIVEX HP eSupportDiagnostics 18 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DC4F9DA0-DB05-4BB0-8FB2-03A80FE98772"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q22>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DC4F9DA0-DB05-4BB0-8FB2-03A80FE98772\s*}?\s*(?P=q22)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13752 WEB-ACTIVEX HP eSupportDiagnostics 19 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|C|00|4|00|F|00|9|00|D|00|A|00|0|00|-|00|D|00|B|00|0|00|5|00|-|00|4|00|B|00|B|00|0|00|-|00|8|00|F|00|B|00|2|00|-|00|0|00|3|00|A|00|8|00|0|00|F|00|E|00|9|00|8|00|7|00|7|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q23>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00C\x004\x00F\x009\x00D\x00A\x000\x00-\x00D\x00B\x000\x005\x00-\x004\x00B\x00B\x000\x00-\x008\x00F\x00B\x002\x00-\x000\x003\x00A\x008\x000\x00F\x00E\x009\x008\x007\x007\x002\x00(}\x00)?(?P=q23)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13753 WEB-ACTIVEX HP eSupportDiagnostics 19 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DE233AFF-8BD5-457E-B7F0-702DBEA5A828"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q27>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DE233AFF-8BD5-457E-B7F0-702DBEA5A828\s*}?\s*(?P=q27)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13754 WEB-ACTIVEX HP eSupportDiagnostics 20 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|E|00|2|00|3|00|3|00|A|00|F|00|F|00|-|00|8|00|B|00|D|00|5|00|-|00|4|00|5|00|7|00|E|00|-|00|B|00|7|00|F|00|0|00|-|00|7|00|0|00|2|00|D|00|B|00|E|00|A|00|5|00|A|00|8|00|2|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q28>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00E\x002\x003\x003\x00A\x00F\x00F\x00-\x008\x00B\x00D\x005\x00-\x004\x005\x007\x00E\x00-\x00B\x007\x00F\x000\x00-\x007\x000\x002\x00D\x00B\x00E\x00A\x005\x00A\x008\x002\x008\x00(}\x00)?(?P=q28)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13755 WEB-ACTIVEX HP eSupportDiagnostics 20 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E12DA4F2-BDFB-4EAD-B12F-2725251FA6B0"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q29>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E12DA4F2-BDFB-4EAD-B12F-2725251FA6B0\s*}?\s*(?P=q29)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13756 WEB-ACTIVEX HP eSupportDiagnostics 21 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 28929 attempted-user 2008-0712 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|1|00|2|00|D|00|A|00|4|00|F|00|2|00|-|00|B|00|D|00|F|00|B|00|-|00|4|00|E|00|A|00|D|00|-|00|B|00|1|00|2|00|F|00|-|00|2|00|7|00|2|00|5|00|2|00|5|00|1|00|F|00|A|00|6|00|B|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q30>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x001\x002\x00D\x00A\x004\x00F\x002\x00-\x00B\x00D\x00F\x00B\x00-\x004\x00E\x00A\x00D\x00-\x00B\x001\x002\x00F\x00-\x002\x007\x002\x005\x002\x005\x001\x00F\x00A\x006\x00B\x000\x00(}\x00)?(?P=q30)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13757 WEB-ACTIVEX HP eSupportDiagnostics 21 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 28882 attempted-user 2007-6255 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E5D419D6-A846-4514-9FAD-97E826C84822"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E5D419D6-A846-4514-9FAD-97E826C84822\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13758 WEB-ACTIVEX Microsoft HeartbeatCtl ActiveX clsid access 28882 attempted-user 2007-6255 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|5|00|D|00|4|00|1|00|9|00|D|00|6|00|-|00|A|00|8|00|4|00|6|00|-|00|4|00|5|00|1|00|4|00|-|00|9|00|F|00|A|00|D|00|-|00|9|00|7|00|E|00|8|00|2|00|6|00|C|00|8|00|4|00|8|00|2|00|2|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13759 WEB-ACTIVEX Microsoft HeartbeatCtl ActiveX clsid unicode access 28882 attempted-user 2007-6255 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"HeartbeatCtl.HeartbeatCt"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22HeartbeatCtl\.HeartbeatCt\x22|\x27HeartbeatCtl\.HeartbeatCt\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HeartbeatCtl\.HeartbeatCt\x22|\x27HeartbeatCtl\.HeartbeatCt\x27)\s*\)/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13760 WEB-ACTIVEX Microsoft HeartbeatCtl ActiveX function call access 28882 attempted-user 2007-6255 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"H|00|e|00|a|00|r|00|t|00|b|00|e|00|a|00|t|00|C|00|t|00|l|00|.|00|H|00|e|00|a|00|r|00|t|00|b|00|e|00|a|00|t|00|C|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)H\x00e\x00a\x00r\x00t\x00b\x00e\x00a\x00t\x00C\x00t\x00l\x00.\x00H\x00e\x00a\x00r\x00t\x00b\x00e\x00a\x00t\x00C\x00t\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)H\x00e\x00a\x00r\x00t\x00b\x00e\x00a\x00t\x00C\x00t\x00l\x00.\x00H\x00e\x00a\x00r\x00t\x00b\x00e\x00a\x00t\x00C\x00t\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13761 WEB-ACTIVEX Microsoft HeartbeatCtl ActiveX function call unicode access 29065 attempted-user 2008-2111 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2283BB66-A15D-4AC8-BA72-9C8C9F5A1691"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2283BB66-A15D-4AC8-BA72-9C8C9F5A1691\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13783 WEB-ACTIVEX Yahoo Assistant ActiveX clsid access 29065 attempted-user 2008-2111 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|2|00|8|00|3|00|B|00|B|00|6|00|6|00|-|00|A|00|1|00|5|00|D|00|-|00|4|00|A|00|C|00|8|00|-|00|B|00|A|00|7|00|2|00|-|00|9|00|C|00|8|00|C|00|9|00|F|00|5|00|A|00|1|00|6|00|9|00|1|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13784 WEB-ACTIVEX Yahoo Assistant ActiveX clsid unicode access 27626 attempted-user 2008-0647 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"61F5C358-60FB-4A23-A312-D2B556620F20"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*61F5C358-60FB-4A23-A312-D2B556620F20\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(hgs_startGame|hgs_startNotify)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*61F5C358-60FB-4A23-A312-D2B556620F20\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(hgs_startGame|hgs_startNotify))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13785 WEB-ACTIVEX Ourgame GLWorld ActiveX clsid access 27626 attempted-user 2008-0647 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|1|00|F|00|5|00|C|00|3|00|5|00|8|00|-|00|6|00|0|00|F|00|B|00|-|00|4|00|A|00|2|00|3|00|-|00|A|00|3|00|1|00|2|00|-|00|D|00|2|00|B|00|5|00|5|00|6|00|6|00|2|00|0|00|F|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13786 WEB-ACTIVEX Ourgame GLWorld ActiveX clsid unicode access 27626 attempted-user 2008-0647 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"HanGamePluginCn18.HanGamePluginCn18"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22HanGamePluginCn18\.HanGamePluginCn18\x22|\x27HanGamePluginCn18\.HanGamePluginCn18\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(hgs_startGame|hgs_startNotify)\s*|.*(?P=v)\s*\.\s*(hgs_startGame|hgs_startNotify)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HanGamePluginCn18\.HanGamePluginCn18\x22|\x27HanGamePluginCn18\.HanGamePluginCn18\x27)\s*\)(\s*\.\s*(hgs_startGame|hgs_startNotify)\s*|.*(?P=n)\s*\.\s*(hgs_startGame|hgs_startNotify)\s*)\s*\(/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13787 WEB-ACTIVEX Ourgame GLWorld ActiveX function call access 27626 attempted-user 2008-0647 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"H|00|a|00|n|00|G|00|a|00|m|00|e|00|P|00|l|00|u|00|g|00|i|00|n|00|C|00|n|00|1|00|8|00|.|00|H|00|a|00|n|00|G|00|a|00|m|00|e|00|P|00|l|00|u|00|g|00|i|00|n|00|C|00|n|00|1|00|8|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)H\x00a\x00n\x00G\x00a\x00m\x00e\x00P\x00l\x00u\x00g\x00i\x00n\x00C\x00n\x001\x008\x00.\x00H\x00a\x00n\x00G\x00a\x00m\x00e\x00P\x00l\x00u\x00g\x00i\x00n\x00C\x00n\x001\x008\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)H\x00a\x00n\x00G\x00a\x00m\x00e\x00P\x00l\x00u\x00g\x00i\x00n\x00C\x00n\x001\x008\x00.\x00H\x00a\x00n\x00G\x00a\x00m\x00e\x00P\x00l\x00u\x00g\x00i\x00n\x00C\x00n\x001\x008\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13788 WEB-ACTIVEX Ourgame GLWorld ActiveX function call unicode access attempted-dos 2008-1437 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-dos; flowbits:isset,download.pecompact.binary; metadata: engine shared, soid 3|13798, service http, policy security-ips drop; 13798 WEB-CLIENT Microsoft malware protection engine denial of service attempt www.microsoft.com/technet/security/bulletin/MS08-029.mspx attempted-dos 2008-1438 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|13802, service http, policy security-ips drop; 13802 WEB-CLIENT Microsoft malware protection engine denial of service attempt www.microsoft.com/technet/security/bulletin/MS08-029.mspx attempted-dos 2008-1441 ip $EXTERNAL_NET any -> 224.0.0.0/4 any gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|13825, policy security-ips drop; 13825 DOS Microsoft PGM fragment denial of service attempt www.microsoft.com/technet/security/bulletin/MS08-036.mspx attempted-dos 2008-1440 ip $EXTERNAL_NET any -> 224.0.0.0/4 any gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|13827, policy balanced-ips drop, policy security-ips drop; 13827 DOS Microsoft PGM denial of service attempt www.microsoft.com/technet/security/bulletin/MS08-036.mspx 29536 attempted-user 2008-0953 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"14C1B87C-3342-445F-9B5E-365FF330A3AC"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*14C1B87C-3342-445F-9B5E-365FF330A3AC\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DownloadFile|GetFileTime|MoveFile|StartApp|RegistryString|AppendStringToFile|DeleteStringFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*14C1B87C-3342-445F-9B5E-365FF330A3AC\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DownloadFile|GetFileTime|MoveFile|StartApp|RegistryString|AppendStringToFile|DeleteStringFile))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13857 WEB-ACTIVEX HP Instant Support DataManager ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 29536 attempted-user 2008-0953 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|4|00|C|00|1|00|B|00|8|00|7|00|C|00|-|00|3|00|3|00|4|00|2|00|-|00|4|00|4|00|5|00|F|00|-|00|9|00|B|00|5|00|E|00|-|00|3|00|6|00|5|00|F|00|F|00|3|00|3|00|0|00|A|00|3|00|A|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x004\x00C\x001\x00B\x008\x007\x00C\x00-\x003\x003\x004\x002\x00-\x004\x004\x005\x00F\x00-\x009\x00B\x005\x00E\x00-\x003\x006\x005\x00F\x00F\x003\x003\x000\x00A\x003\x00A\x00C\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13858 WEB-ACTIVEX HP Instant Support DataManager ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 29536 attempted-user 2008-0953 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"HPISDataManagerLib.Datamgr"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22HPISDataManagerLib\.Datamgr\x22|\x27HPISDataManagerLib\.Datamgr\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DownloadFile|GetFileTime|MoveFile|StartApp|RegistryString|AppendStringToFile|DeleteStringFile)\s*|.*(?P=v)\s*\.\s*(DownloadFile|GetFileTime|MoveFile|StartApp|RegistryString|AppendStringToFile|DeleteStringFile)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HPISDataManagerLib\.Datamgr\x22|\x27HPISDataManagerLib\.Datamgr\x27)\s*\)(\s*\.\s*(DownloadFile|GetFileTime|MoveFile|StartApp|RegistryString|AppendStringToFile|DeleteStringFile)\s*|.*(?P=n)\s*\.\s*(DownloadFile|GetFileTime|MoveFile|StartApp|RegistryString|AppendStringToFile|DeleteStringFile)\s*)\s*\(/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13859 WEB-ACTIVEX HP Instant Support DataManager ActiveX function call access www.microsoft.com/technet/security/advisory/953839.mspx 29536 attempted-user 2008-0953 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"H|00|P|00|I|00|S|00|D|00|a|00|t|00|a|00|M|00|a|00|n|00|a|00|g|00|e|00|r|00|L|00|i|00|b|00|.|00|D|00|a|00|t|00|a|00|m|00|g|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)H\x00P\x00I\x00S\x00D\x00a\x00t\x00a\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00L\x00i\x00b\x00.\x00D\x00a\x00t\x00a\x00m\x00g\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)H\x00P\x00I\x00S\x00D\x00a\x00t\x00a\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00L\x00i\x00b\x00.\x00D\x00a\x00t\x00a\x00m\x00g\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13860 WEB-ACTIVEX HP Instant Support DataManager ActiveX function call unicode access www.microsoft.com/technet/security/advisory/953839.mspx 29963 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2CACD7BB-1C59-4BBB-8E81-6E83F82C813B"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2CACD7BB-1C59-4BBB-8E81-6E83F82C813B\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Update)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2CACD7BB-1C59-4BBB-8E81-6E83F82C813B\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Update))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13883 WEB-ACTIVEX UUSee UUUpgrade ActiveX clsid access 29963 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|C|00|A|00|C|00|D|00|7|00|B|00|B|00|-|00|1|00|C|00|5|00|9|00|-|00|4|00|B|00|B|00|B|00|-|00|8|00|E|00|8|00|1|00|-|00|6|00|E|00|8|00|3|00|F|00|8|00|2|00|C|00|8|00|1|00|3|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13884 WEB-ACTIVEX UUSee UUUpgrade ActiveX clsid unicode access 29963 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"UUUPGRADE.UUUpgradeCtrl.1"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22UUUPGRADE\.UUUpgradeCtrl\.1\x22|\x27UUUPGRADE\.UUUpgradeCtrl\.1\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Update\s*|.*(?P=v)\s*\.\s*Update\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22UUUPGRADE\.UUUpgradeCtrl\.1\x22|\x27UUUPGRADE\.UUUpgradeCtrl\.1\x27)\s*\)(\s*\.\s*Update\s*|.*(?P=n)\s*\.\s*Update\s*)\s*\(/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13885 WEB-ACTIVEX UUSee UUUpgrade ActiveX function call access 29963 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"U|00|U|00|U|00|P|00|G|00|R|00|A|00|D|00|E|00|.|00|U|00|U|00|U|00|p|00|g|00|r|00|a|00|d|00|e|00|C|00|t|00|r|00|l|00|.|00|1|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)U\x00U\x00U\x00P\x00G\x00R\x00A\x00D\x00E\x00.\x00U\x00U\x00U\x00p\x00g\x00r\x00a\x00d\x00e\x00C\x00t\x00r\x00l\x00.\x001\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)U\x00U\x00U\x00P\x00G\x00R\x00A\x00D\x00E\x00.\x00U\x00U\x00U\x00p\x00g\x00r\x00a\x00d\x00e\x00C\x00t\x00r\x00l\x00.\x001\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13886 WEB-ACTIVEX UUSee UUUpgrade ActiveX function call unicode access attempted-admin 2008-1435 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-admin; flowbits:isset,http.search-ms; metadata: engine shared, soid 3|13893, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; 13893 WEB-CLIENT Microsoft malformed saved search heap corruption attempt www.microsoft.com/technet/security/bulletin/MS08-038.mspx attempted-user 2008-2463 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F0E42D50-368C-11D0-AD81-00A0C90DC8D9"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F0E42D50-368C-11D0-AD81-00A0C90DC8D9\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SnapshotPath|CompressedPath)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F0E42D50-368C-11D0-AD81-00A0C90DC8D9\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(SnapshotPath|CompressedPath))\s*=/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13903 WEB-ACTIVEX Microsoft Access Snapshot Viewer 1 ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms08-041.mspx attempted-user 2008-2463 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|0|00|E|00|4|00|2|00|D|00|5|00|0|00|-|00|3|00|6|00|8|00|C|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|D|00|8|00|1|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|D|00|C|00|8|00|D|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13904 WEB-ACTIVEX Microsoft Access Snapshot Viewer 1 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms08-041.mspx attempted-user 2008-2463 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"snpvw.Snapshot Viewer Control"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22snpvw\.Snapshot\s*Viewer\s*Control(\.\d)?\x22|\x27snpvw\.Snapshot\s*Viewer\s*Control(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SnapshotPath|CompressedPath)\s*|.*(?P=v)\s*\.\s*(SnapshotPath|CompressedPath)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22snpvw\.Snapshot\s*Viewer\s*Control(\.\d)?\x22|\x27snpvw\.Snapshot\s*Viewer\s*Control(\.\d)?\x27)\s*\)(\s*\.\s*(SnapshotPath|CompressedPath)\s*|.*(?P=n)\s*\.\s*(SnapshotPath|CompressedPath))\s*=/siO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13905 WEB-ACTIVEX Microsoft Access Snapshot Viewer 1 ActiveX function call access www.microsoft.com/technet/security/bulletin/ms08-041.mspx attempted-user 2008-2463 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"s|00|n|00|p|00|v|00|w|00|.|00|S|00|n|00|a|00|p|00|s|00|h|00|o|00|t|00| |00|V|00|i|00|e|00|w|00|e|00|r|00| |00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)s\x00n\x00p\x00v\x00w\x00.\x00S\x00n\x00a\x00p\x00s\x00h\x00o\x00t\x00(\s\x00)*V\x00i\x00e\x00w\x00e\x00r\x00(\s\x00)*C\x00o\x00n\x00t\x00r\x00o\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)s\x00n\x00p\x00v\x00w\x00.\x00S\x00n\x00a\x00p\x00s\x00h\x00o\x00t\x00(\s\x00)*V\x00i\x00e\x00w\x00e\x00r\x00(\s\x00)*C\x00o\x00n\x00t\x00r\x00o\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13906 WEB-ACTIVEX Microsoft Access Snapshot Viewer 1 ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/ms08-041.mspx attempted-user 2008-2463 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F0E42D60-368C-11D0-AD81-00A0C90DC8D9"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F0E42D60-368C-11D0-AD81-00A0C90DC8D9\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(SnapshotPath|CompressedPath)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F0E42D60-368C-11D0-AD81-00A0C90DC8D9\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(SnapshotPath|CompressedPath))\s*=/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13907 WEB-ACTIVEX Microsoft Access Snapshot Viewer 2 ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms08-041.mspx attempted-user 2008-2463 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|0|00|E|00|4|00|2|00|D|00|6|00|0|00|-|00|3|00|6|00|8|00|C|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|D|00|8|00|1|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|D|00|C|00|8|00|D|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q8>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13908 WEB-ACTIVEX Microsoft Access Snapshot Viewer 2 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms08-041.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".search-ms"; nocase; http_uri; flowbits:set,http.search-ms; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 13911 WEB-CLIENT Microsoft search file download attempt 21155 attempted-user 2006-6236 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AcroPDF.PDF"; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22AcroPDF\.PDF(\.\d)?\x22|\x27AcroPDF\.PDF(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(execCommand|LoadFile|src|setLayoutMode|setNamedDest|setPageMode)\s*|.*(?P=v)\s*\.\s*(execCommand|LoadFile|src|setLayoutMode|setNamedDest|setPageMode)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AcroPDF\.PDF(\.\d)?\x22|\x27AcroPDF\.PDF(\.\d)?\x27)\s*\)(\s*\.\s*(execCommand|LoadFile|src|setLayoutMode|setNamedDest|setPageMode)\s*|.*(?P=n)\s*\.\s*(execCommand|LoadFile|src|setLayoutMode|setNamedDest|setPageMode)\s*)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13913 WEB-ACTIVEX AcroPDF.PDF ActiveX function call access www.adobe.com/support/security/advisories/apsa06-02.html 21155 attempted-user 2006-6236 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|c|00|r|00|o|00|P|00|D|00|F|00|.|00|P|00|D|00|F|00|"; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)A\x00c\x00r\x00o\x00P\x00D\x00F\x00.\x00P\x00D\x00F\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)A\x00c\x00r\x00o\x00P\x00D\x00F\x00.\x00P\x00D\x00F\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13914 WEB-ACTIVEX AcroPDF.PDF ActiveX function call unicode access www.adobe.com/support/security/advisories/apsa06-02.html attempted-user 2008-0082 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13965, service http, policy security-ips alert; 13965 WEB-ACTIVEX Microsoft Message System ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS08-050.mspx attempted-user 2008-0082 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13967, service http, policy security-ips alert; 13967 WEB-ACTIVEX Microsoft Message System ActiveX function call access www.microsoft.com/technet/security/bulletin/MS08-050.mspx attempted-user 2008-1455 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.ppt; metadata: engine shared, soid 3|13971, service http, policy balanced-ips drop, policy security-ips drop; 13971 WEB-CLIENT Microsoft Powerpoint TxMasterStyle10Atom atom numLevels buffer overflow attempt www.microsoft.com/technet/security/bulletin/ms08-051.mspx attempted-user 2008-1457 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13975, service http, policy balanced-ips drop, policy security-ips alert; 13975 WEB-CLIENT Microsoft Windows Event System ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS08-049.mspx attempted-user 2008-1457 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13977, service http, policy balanced-ips drop, policy security-ips alert; 13977 WEB-CLIENT Microsoft Windows Event System ActiveX function call access www.microsoft.com/technet/security/bulletin/MS08-049.mspx attempted-user 2008-1457 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13979, service http, policy security-ips alert; 13979 WEB-CLIENT Microsoft Windows Event System Subscription VBScript access www.microsoft.com/technet/security/bulletin/MS08-049.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".ppt"; nocase; http_uri; flowbits:set,ppt.download; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:misc-activity; 13982 WEB-CLIENT Microsoft Powerpoint file download attempt 30578 attempted-user 2008-3558 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"32E26FD9-F435-4A20-A561-35D4B987CFDC"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*32E26FD9-F435-4A20-A561-35D4B987CFDC\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(NewObject)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*32E26FD9-F435-4A20-A561-35D4B987CFDC\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(NewObject))\s*\(/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14013 WEB-ACTIVEX WebEx Meeting Manager atucfobj ActiveX clsid access www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml 30578 attempted-user 2008-3558 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|2|00|E|00|2|00|6|00|F|00|D|00|9|00|-|00|F|00|4|00|3|00|5|00|-|00|4|00|A|00|2|00|0|00|-|00|A|00|5|00|6|00|1|00|-|00|3|00|5|00|D|00|4|00|B|00|9|00|8|00|7|00|C|00|F|00|D|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x002\x00E\x002\x006\x00F\x00D\x009\x00-\x00F\x004\x003\x005\x00-\x004\x00A\x002\x000\x00-\x00A\x005\x006\x001\x00-\x003\x005\x00D\x004\x00B\x009\x008\x007\x00C\x00F\x00D\x00C\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14014 WEB-ACTIVEX WebEx Meeting Manager atucfobj ActiveX clsid unicode access www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml 30578 attempted-user 2008-3558 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"WebexUCFObject.WebexUCFObject"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22WebexUCFObject\.WebexUCFObject\x22|\x27WebexUCFObject\.WebexUCFObject\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*NewObject\s*|.*(?P=v)\s*\.\s*NewObject\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WebexUCFObject\.WebexUCFObject\x22|\x27WebexUCFObject\.WebexUCFObject\x27)\s*\)(\s*\.\s*NewObject\s*|.*(?P=n)\s*\.\s*NewObject\s*)\s*\(/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14015 WEB-ACTIVEX WebEx Meeting Manager atucfobj ActiveX function call access www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml 30578 attempted-user 2008-3558 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"W|00|e|00|b|00|e|00|x|00|U|00|C|00|F|00|O|00|b|00|j|00|e|00|c|00|t|00|.|00|W|00|e|00|b|00|e|00|x|00|U|00|C|00|F|00|O|00|b|00|j|00|e|00|c|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)W\x00e\x00b\x00e\x00x\x00U\x00C\x00F\x00O\x00b\x00j\x00e\x00c\x00t\x00.\x00W\x00e\x00b\x00e\x00x\x00U\x00C\x00F\x00O\x00b\x00j\x00e\x00c\x00t\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)W\x00e\x00b\x00e\x00x\x00U\x00C\x00F\x00O\x00b\x00j\x00e\x00c\x00t\x00.\x00W\x00e\x00b\x00e\x00x\x00U\x00C\x00F\x00O\x00b\x00j\x00e\x00c\x00t\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14016 WEB-ACTIVEX WebEx Meeting Manager atucfobj ActiveX function call unicode access www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml 30674 attempted-user 2008-3704 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C932BA85-4374-101B-A56C-00AA003668DC"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q13>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C932BA85-4374-101B-A56C-00AA003668DC\s*}?\s*(?P=q13)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14021 WEB-ACTIVEX Microsoft Visual Studio Msmask32 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS08-070.mspx 30674 attempted-user 2008-3704 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|9|00|3|00|2|00|B|00|A|00|8|00|5|00|-|00|4|00|3|00|7|00|4|00|-|00|1|00|0|00|1|00|B|00|-|00|A|00|5|00|6|00|C|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|3|00|6|00|6|00|8|00|D|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q14>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x009\x003\x002\x00B\x00A\x008\x005\x00-\x004\x003\x007\x004\x00-\x001\x000\x001\x00B\x00-\x00A\x005\x006\x00C\x00-\x000\x000\x00A\x00A\x000\x000\x003\x006\x006\x008\x00D\x00C\x00(}\x00)?(?P=q14)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14022 WEB-ACTIVEX Microsoft Visual Studio Msmask32 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS08-070.mspx 30674 attempted-user 2008-3704 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"MSMask.MaskEdBox"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MSMask\.MaskEdBox(\.\d)?\x22|\x27MSMask\.MaskEdBox(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSMask\.MaskEdBox(\.\d)?\x22|\x27MSMask\.MaskEdBox(\.\d)?\x27)\s*\)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14023 WEB-ACTIVEX Microsoft Visual Studio Msmask32 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS08-070.mspx 30674 attempted-user 2008-3704 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"M|00|S|00|M|00|a|00|s|00|k|00|.|00|M|00|a|00|s|00|k|00|E|00|d|00|B|00|o|00|x|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q15>\x22|\x27|)M\x00S\x00M\x00a\x00s\x00k\x00.\x00M\x00a\x00s\x00k\x00E\x00d\x00B\x00o\x00x\x00(\.\x00\d\x00)?(?P=q15)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q16>\x22|\x27|)M\x00S\x00M\x00a\x00s\x00k\x00.\x00M\x00a\x00s\x00k\x00E\x00d\x00B\x00o\x00x\x00(\.\x00\d\x00)?(?P=q16)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14024 WEB-ACTIVEX Microsoft Visual Studio Msmask32 ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-1786 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E6239EB3-E0B0-46DA-A215-CFA9B3B740C5"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E6239EB3-E0B0-46DA-A215-CFA9B3B740C5\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SetColumnLabel)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E6239EB3-E0B0-46DA-A215-CFA9B3B740C5\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetColumnLabel))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14025 WEB-ACTIVEX Computer Associates gui_cm_ctrls ActiveX clsid access attempted-user 2008-1786 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|6|00|2|00|3|00|9|00|E|00|B|00|3|00|-|00|E|00|0|00|B|00|0|00|-|00|4|00|6|00|D|00|A|00|-|00|A|00|2|00|1|00|5|00|-|00|C|00|F|00|A|00|9|00|B|00|3|00|B|00|7|00|4|00|0|00|C|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x006\x002\x003\x009\x00E\x00B\x003\x00-\x00E\x000\x00B\x000\x00-\x004\x006\x00D\x00A\x00-\x00A\x002\x001\x005\x00-\x00C\x00F\x00A\x009\x00B\x003\x00B\x007\x004\x000\x00C\x005\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14026 WEB-ACTIVEX Computer Associates gui_cm_ctrls ActiveX clsid unicode access 28809 attempted-user 2008-1786 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CommonActiveX.ITRMLegendsCtrl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22CommonActiveX\.ITRMLegendsCtrl\x22|\x27CommonActiveX\.ITRMLegendsCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SetColumnColor|SetColumnLabel)\s*|.*(?P=v)\s*\.\s*(SetColumnColor|SetColumnLabel)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22CommonActiveX\.ITRMLegendsCtrl\x22|\x27CommonActiveX\.ITRMLegendsCtrl\x27)\s*\)(\s*\.\s*(SetColumnColor|SetColumnLabel)\s*|.*(?P=n)\s*\.\s*(SetColumnColor|SetColumnLabel)\s*)\s*\(/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14027 WEB-ACTIVEX CA DSM gui_cm_ctrls ActiveX function call access 28809 attempted-user 2008-1786 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|o|00|m|00|m|00|o|00|n|00|A|00|c|00|t|00|i|00|v|00|e|00|X|00|.|00|I|00|T|00|R|00|M|00|L|00|e|00|g|00|e|00|n|00|d|00|s|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)C\x00o\x00m\x00m\x00o\x00n\x00A\x00c\x00t\x00i\x00v\x00e\x00X\x00.\x00I\x00T\x00R\x00M\x00L\x00e\x00g\x00e\x00n\x00d\x00s\x00C\x00t\x00r\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)C\x00o\x00m\x00m\x00o\x00n\x00A\x00c\x00t\x00i\x00v\x00e\x00X\x00.\x00I\x00T\x00R\x00M\x00L\x00e\x00g\x00e\x00n\x00d\x00s\x00C\x00t\x00r\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14028 WEB-ACTIVEX CA DSM gui_cm_ctrls ActiveX function call unicode access attempted-user 2008-1786 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E6239EB3-E0B0-46DA-A215-CFA9B3B740C5"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E6239EB3-E0B0-46DA-A215-CFA9B3B740C5\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SetColumnColor)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E6239EB3-E0B0-46DA-A215-CFA9B3B740C5\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetColumnColor))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14029 WEB-ACTIVEX Computer Associates gui_cm_ctrls ActiveX clsid access attempted-user 2008-1786 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|6|00|2|00|3|00|9|00|E|00|B|00|3|00|-|00|E|00|0|00|B|00|0|00|-|00|4|00|6|00|D|00|A|00|-|00|A|00|2|00|1|00|5|00|-|00|C|00|F|00|A|00|9|00|B|00|3|00|B|00|7|00|4|00|0|00|C|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x006\x002\x003\x009\x00E\x00B\x003\x00-\x00E\x000\x00B\x000\x00-\x004\x006\x00D\x00A\x00-\x00A\x002\x001\x005\x00-\x00C\x00F\x00A\x009\x00B\x003\x00B\x007\x004\x000\x00C\x005\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14030 WEB-ACTIVEX Computer Associates gui_cm_ctrls ActiveX clsid unicode access attempted-user 2008-1786 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CommonActiveX.ITRMLegendsCtrl.1"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22CommonActiveX\.ITRMLegendsCtrl\.1\x22|\x27CommonActiveX\.ITRMLegendsCtrl\.1\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SetColumnColor\s*|.*(?P=v)\s*\.\s*SetColumnColor\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22CommonActiveX\.ITRMLegendsCtrl\.1\x22|\x27CommonActiveX\.ITRMLegendsCtrl\.1\x27)\s*\)(\s*\.\s*SetColumnColor\s*|.*(?P=n)\s*\.\s*SetColumnColor\s*)\s*\(/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14031 WEB-ACTIVEX Computer Associates gui_cm_ctrls ActiveX function call access attempted-user 2008-1786 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|o|00|m|00|m|00|o|00|n|00|A|00|c|00|t|00|i|00|v|00|e|00|X|00|.|00|I|00|T|00|R|00|M|00|L|00|e|00|g|00|e|00|n|00|d|00|s|00|C|00|t|00|r|00|l|00|.|00|1|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)C\x00o\x00m\x00m\x00o\x00n\x00A\x00c\x00t\x00i\x00v\x00e\x00X\x00.\x00I\x00T\x00R\x00M\x00L\x00e\x00g\x00e\x00n\x00d\x00s\x00C\x00t\x00r\x00l\x00.\x001\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)C\x00o\x00m\x00m\x00o\x00n\x00A\x00c\x00t\x00i\x00v\x00e\x00X\x00.\x00I\x00T\x00R\x00M\x00L\x00e\x00g\x00e\x00n\x00d\x00s\x00C\x00t\x00r\x00l\x00.\x001\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14032 WEB-ACTIVEX Computer Associates gui_cm_ctrls ActiveX function call unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B60770C2-0390-41A8-A8DE-61889888D840"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B60770C2-0390-41A8-A8DE-61889888D840\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14088 WEB-ACTIVEX Aurigma unspecified 1 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|6|00|0|00|7|00|7|00|0|00|C|00|2|00|-|00|0|00|3|00|9|00|0|00|-|00|4|00|1|00|A|00|8|00|-|00|A|00|8|00|D|00|E|00|-|00|6|00|1|00|8|00|8|00|9|00|8|00|8|00|8|00|D|00|8|00|4|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x006\x000\x007\x007\x000\x00C\x002\x00-\x000\x003\x009\x000\x00-\x004\x001\x00A\x008\x00-\x00A\x008\x00D\x00E\x00-\x006\x001\x008\x008\x009\x008\x008\x008\x00D\x008\x004\x000\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14089 WEB-ACTIVEX Aurigma unspecified 1 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"44A6A9CA-AC5B-4C39-8FE6-17E7D06903A9"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q23>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*44A6A9CA-AC5B-4C39-8FE6-17E7D06903A9\s*}?\s*(?P=q23)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14090 WEB-ACTIVEX Aurigma unspecified 2 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|4|00|A|00|6|00|A|00|9|00|C|00|A|00|-|00|A|00|C|00|5|00|B|00|-|00|4|00|C|00|3|00|9|00|-|00|8|00|F|00|E|00|6|00|-|00|1|00|7|00|E|00|7|00|D|00|0|00|6|00|9|00|0|00|3|00|A|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q24>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x004\x00A\x006\x00A\x009\x00C\x00A\x00-\x00A\x00C\x005\x00B\x00-\x004\x00C\x003\x009\x00-\x008\x00F\x00E\x006\x00-\x001\x007\x00E\x007\x00D\x000\x006\x009\x000\x003\x00A\x009\x00(}\x00)?(?P=q24)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14091 WEB-ACTIVEX Aurigma unspecified 2 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"76EE578D-314B-4755-8365-6E1722C001A2"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q45>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*76EE578D-314B-4755-8365-6E1722C001A2\s*}?\s*(?P=q45)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14092 WEB-ACTIVEX Aurigma unspecified 3 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|6|00|E|00|E|00|5|00|7|00|8|00|D|00|-|00|3|00|1|00|4|00|B|00|-|00|4|00|7|00|5|00|5|00|-|00|8|00|3|00|6|00|5|00|-|00|6|00|E|00|1|00|7|00|2|00|2|00|C|00|0|00|0|00|1|00|A|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q46>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x006\x00E\x00E\x005\x007\x008\x00D\x00-\x003\x001\x004\x00B\x00-\x004\x007\x005\x005\x00-\x008\x003\x006\x005\x00-\x006\x00E\x001\x007\x002\x002\x00C\x000\x000\x001\x00A\x002\x00(}\x00)?(?P=q46)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14093 WEB-ACTIVEX Aurigma unspecified 3 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F89EF74A-956B-4BD3-A066-4F23DF891982"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q67>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F89EF74A-956B-4BD3-A066-4F23DF891982\s*}?\s*(?P=q67)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14094 WEB-ACTIVEX Aurigma unspecified 4 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|8|00|9|00|E|00|F|00|7|00|4|00|A|00|-|00|9|00|5|00|6|00|B|00|-|00|4|00|B|00|D|00|3|00|-|00|A|00|0|00|6|00|6|00|-|00|4|00|F|00|2|00|3|00|D|00|F|00|8|00|9|00|1|00|9|00|8|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q68>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x008\x009\x00E\x00F\x007\x004\x00A\x00-\x009\x005\x006\x00B\x00-\x004\x00B\x00D\x003\x00-\x00A\x000\x006\x006\x00-\x004\x00F\x002\x003\x00D\x00F\x008\x009\x001\x009\x008\x002\x00(}\x00)?(?P=q68)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14095 WEB-ACTIVEX Aurigma unspecified 4 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"101D2283-EED9-4BA2-8F3F-23DB860946EB"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q89>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*101D2283-EED9-4BA2-8F3F-23DB860946EB\s*}?\s*(?P=q89)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14096 WEB-ACTIVEX Aurigma unspecified 5 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|0|00|1|00|D|00|2|00|2|00|8|00|3|00|-|00|E|00|E|00|D|00|9|00|-|00|4|00|B|00|A|00|2|00|-|00|8|00|F|00|3|00|F|00|-|00|2|00|3|00|D|00|B|00|8|00|6|00|0|00|9|00|4|00|6|00|E|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q90>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x000\x001\x00D\x002\x002\x008\x003\x00-\x00E\x00E\x00D\x009\x00-\x004\x00B\x00A\x002\x00-\x008\x00F\x003\x00F\x00-\x002\x003\x00D\x00B\x008\x006\x000\x009\x004\x006\x00E\x00B\x00(}\x00)?(?P=q90)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14097 WEB-ACTIVEX Aurigma unspecified 5 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"69C462E1-CD41-49E3-9EC2-D305155718C1"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q111>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*69C462E1-CD41-49E3-9EC2-D305155718C1\s*}?\s*(?P=q111)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14098 WEB-ACTIVEX Aurigma unspecified 6 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|9|00|C|00|4|00|6|00|2|00|E|00|1|00|-|00|C|00|D|00|4|00|1|00|-|00|4|00|9|00|E|00|3|00|-|00|9|00|E|00|C|00|2|00|-|00|D|00|3|00|0|00|5|00|1|00|5|00|5|00|7|00|1|00|8|00|C|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q112>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x009\x00C\x004\x006\x002\x00E\x001\x00-\x00C\x00D\x004\x001\x00-\x004\x009\x00E\x003\x00-\x009\x00E\x00C\x002\x00-\x00D\x003\x000\x005\x001\x005\x005\x007\x001\x008\x00C\x001\x00(}\x00)?(?P=q112)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14099 WEB-ACTIVEX Aurigma unspecified 6 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"41473CFB-66B6-45B8-8FB3-2BC9C1FD87BA"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q133>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*41473CFB-66B6-45B8-8FB3-2BC9C1FD87BA\s*}?\s*(?P=q133)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14100 WEB-ACTIVEX Aurigma unspecified 7 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|1|00|4|00|7|00|3|00|C|00|F|00|B|00|-|00|6|00|6|00|B|00|6|00|-|00|4|00|5|00|B|00|8|00|-|00|8|00|F|00|B|00|3|00|-|00|2|00|B|00|C|00|9|00|C|00|1|00|F|00|D|00|8|00|7|00|B|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q134>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x001\x004\x007\x003\x00C\x00F\x00B\x00-\x006\x006\x00B\x006\x00-\x004\x005\x00B\x008\x00-\x008\x00F\x00B\x003\x00-\x002\x00B\x00C\x009\x00C\x001\x00F\x00D\x008\x007\x00B\x00A\x00(}\x00)?(?P=q134)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14101 WEB-ACTIVEX Aurigma unspecified 7 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"108092BF-B7DB-40D1-B7FB-F55922FCC9BE"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q139>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*108092BF-B7DB-40D1-B7FB-F55922FCC9BE\s*}?\s*(?P=q139)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14102 WEB-ACTIVEX Aurigma unspecified 8 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|0|00|8|00|0|00|9|00|2|00|B|00|F|00|-|00|B|00|7|00|D|00|B|00|-|00|4|00|0|00|D|00|1|00|-|00|B|00|7|00|F|00|B|00|-|00|F|00|5|00|5|00|9|00|2|00|2|00|F|00|C|00|C|00|9|00|B|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q140>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x000\x008\x000\x009\x002\x00B\x00F\x00-\x00B\x007\x00D\x00B\x00-\x004\x000\x00D\x001\x00-\x00B\x007\x00F\x00B\x00-\x00F\x005\x005\x009\x002\x002\x00F\x00C\x00C\x009\x00B\x00E\x00(}\x00)?(?P=q140)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14103 WEB-ACTIVEX Aurigma unspecified 8 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CF08D263-B832-42DB-8950-F40C9E672E27"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q141>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CF08D263-B832-42DB-8950-F40C9E672E27\s*}?\s*(?P=q141)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14104 WEB-ACTIVEX Aurigma unspecified 9 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|F|00|0|00|8|00|D|00|2|00|6|00|3|00|-|00|B|00|8|00|3|00|2|00|-|00|4|00|2|00|D|00|B|00|-|00|8|00|9|00|5|00|0|00|-|00|F|00|4|00|0|00|C|00|9|00|E|00|6|00|7|00|2|00|E|00|2|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q142>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00F\x000\x008\x00D\x002\x006\x003\x00-\x00B\x008\x003\x002\x00-\x004\x002\x00D\x00B\x00-\x008\x009\x005\x000\x00-\x00F\x004\x000\x00C\x009\x00E\x006\x007\x002\x00E\x002\x007\x00(}\x00)?(?P=q142)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14105 WEB-ACTIVEX Aurigma unspecified 9 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F1F51698-7B63-4394-8743-1F4CF1853DE1"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q3>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F1F51698-7B63-4394-8743-1F4CF1853DE1\s*}?\s*(?P=q3)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14106 WEB-ACTIVEX Aurigma unspecified 10 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|1|00|F|00|5|00|1|00|6|00|9|00|8|00|-|00|7|00|B|00|6|00|3|00|-|00|4|00|3|00|9|00|4|00|-|00|8|00|7|00|4|00|3|00|-|00|1|00|F|00|4|00|C|00|F|00|1|00|8|00|5|00|3|00|D|00|E|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q4>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x001\x00F\x005\x001\x006\x009\x008\x00-\x007\x00B\x006\x003\x00-\x004\x003\x009\x004\x00-\x008\x007\x004\x003\x00-\x001\x00F\x004\x00C\x00F\x001\x008\x005\x003\x00D\x00E\x001\x00(}\x00)?(?P=q4)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14107 WEB-ACTIVEX Aurigma unspecified 10 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"905BF7D7-6BC1-445A-BE53-9478AC096BEB"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*905BF7D7-6BC1-445A-BE53-9478AC096BEB\s*}?\s*(?P=q5)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14108 WEB-ACTIVEX Aurigma unspecified 11 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|0|00|5|00|B|00|F|00|7|00|D|00|7|00|-|00|6|00|B|00|C|00|1|00|-|00|4|00|4|00|5|00|A|00|-|00|B|00|E|00|5|00|3|00|-|00|9|00|4|00|7|00|8|00|A|00|C|00|0|00|9|00|6|00|B|00|E|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q6>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x000\x005\x00B\x00F\x007\x00D\x007\x00-\x006\x00B\x00C\x001\x00-\x004\x004\x005\x00A\x00-\x00B\x00E\x005\x003\x00-\x009\x004\x007\x008\x00A\x00C\x000\x009\x006\x00B\x00E\x00B\x00(}\x00)?(?P=q6)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14109 WEB-ACTIVEX Aurigma unspecified 11 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"916063A5-0098-4FB7-8717-1B2C62DD4E45"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*916063A5-0098-4FB7-8717-1B2C62DD4E45\s*}?\s*(?P=q7)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14110 WEB-ACTIVEX Aurigma unspecified 12 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|1|00|6|00|0|00|6|00|3|00|A|00|5|00|-|00|0|00|0|00|9|00|8|00|-|00|4|00|F|00|B|00|7|00|-|00|8|00|7|00|1|00|7|00|-|00|1|00|B|00|2|00|C|00|6|00|2|00|D|00|D|00|4|00|E|00|4|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q8>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x001\x006\x000\x006\x003\x00A\x005\x00-\x000\x000\x009\x008\x00-\x004\x00F\x00B\x007\x00-\x008\x007\x001\x007\x00-\x001\x00B\x002\x00C\x006\x002\x00D\x00D\x004\x00E\x004\x005\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14111 WEB-ACTIVEX Aurigma unspecified 12 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q9>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4\s*}?\s*(?P=q9)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14112 WEB-ACTIVEX Aurigma unspecified 13 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|E|00|2|00|B|00|9|00|3|00|7|00|E|00|-|00|E|00|A|00|7|00|D|00|-|00|4|00|A|00|8|00|D|00|-|00|8|00|8|00|8|00|C|00|-|00|B|00|6|00|8|00|D|00|7|00|F|00|7|00|2|00|A|00|3|00|C|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q10>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00E\x002\x00B\x009\x003\x007\x00E\x00-\x00E\x00A\x007\x00D\x00-\x004\x00A\x008\x00D\x00-\x008\x008\x008\x00C\x00-\x00B\x006\x008\x00D\x007\x00F\x007\x002\x00A\x003\x00C\x004\x00(}\x00)?(?P=q10)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14113 WEB-ACTIVEX Aurigma unspecified 13 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AE6C4705-0F11-4ACB-BDD4-37F138BEF289"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q11>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AE6C4705-0F11-4ACB-BDD4-37F138BEF289\s*}?\s*(?P=q11)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14114 WEB-ACTIVEX Aurigma unspecified 14 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|E|00|6|00|C|00|4|00|7|00|0|00|5|00|-|00|0|00|F|00|1|00|1|00|-|00|4|00|A|00|C|00|B|00|-|00|B|00|D|00|D|00|4|00|-|00|3|00|7|00|F|00|1|00|3|00|8|00|B|00|E|00|F|00|2|00|8|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q12>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00E\x006\x00C\x004\x007\x000\x005\x00-\x000\x00F\x001\x001\x00-\x004\x00A\x00C\x00B\x00-\x00B\x00D\x00D\x004\x00-\x003\x007\x00F\x001\x003\x008\x00B\x00E\x00F\x002\x008\x009\x00(}\x00)?(?P=q12)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14115 WEB-ACTIVEX Aurigma unspecified 14 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FA8932FF-E064-4378-901C-69CB94E3A20A"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q13>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FA8932FF-E064-4378-901C-69CB94E3A20A\s*}?\s*(?P=q13)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14116 WEB-ACTIVEX Aurigma unspecified 15 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|A|00|8|00|9|00|3|00|2|00|F|00|F|00|-|00|E|00|0|00|6|00|4|00|-|00|4|00|3|00|7|00|8|00|-|00|9|00|0|00|1|00|C|00|-|00|6|00|9|00|C|00|B|00|9|00|4|00|E|00|3|00|A|00|2|00|0|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q14>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x00A\x008\x009\x003\x002\x00F\x00F\x00-\x00E\x000\x006\x004\x00-\x004\x003\x007\x008\x00-\x009\x000\x001\x00C\x00-\x006\x009\x00C\x00B\x009\x004\x00E\x003\x00A\x002\x000\x00A\x00(}\x00)?(?P=q14)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14117 WEB-ACTIVEX Aurigma unspecified 15 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3604EC19-E009-4DCB-ABC5-BB95BF92FD8B"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q15>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3604EC19-E009-4DCB-ABC5-BB95BF92FD8B\s*}?\s*(?P=q15)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14118 WEB-ACTIVEX Aurigma unspecified 16 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|6|00|0|00|4|00|E|00|C|00|1|00|9|00|-|00|E|00|0|00|0|00|9|00|-|00|4|00|D|00|C|00|B|00|-|00|A|00|B|00|C|00|5|00|-|00|B|00|B|00|9|00|5|00|B|00|F|00|9|00|2|00|F|00|D|00|8|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q16>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x006\x000\x004\x00E\x00C\x001\x009\x00-\x00E\x000\x000\x009\x00-\x004\x00D\x00C\x00B\x00-\x00A\x00B\x00C\x005\x00-\x00B\x00B\x009\x005\x00B\x00F\x009\x002\x00F\x00D\x008\x00B\x00(}\x00)?(?P=q16)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14119 WEB-ACTIVEX Aurigma unspecified 16 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"65FB3073-CA8E-42A1-9A9A-2F826D05A843"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q17>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*65FB3073-CA8E-42A1-9A9A-2F826D05A843\s*}?\s*(?P=q17)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14120 WEB-ACTIVEX Aurigma unspecified 17 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|5|00|F|00|B|00|3|00|0|00|7|00|3|00|-|00|C|00|A|00|8|00|E|00|-|00|4|00|2|00|A|00|1|00|-|00|9|00|A|00|9|00|A|00|-|00|2|00|F|00|8|00|2|00|6|00|D|00|0|00|5|00|A|00|8|00|4|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q18>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x005\x00F\x00B\x003\x000\x007\x003\x00-\x00C\x00A\x008\x00E\x00-\x004\x002\x00A\x001\x00-\x009\x00A\x009\x00A\x00-\x002\x00F\x008\x002\x006\x00D\x000\x005\x00A\x008\x004\x003\x00(}\x00)?(?P=q18)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14121 WEB-ACTIVEX Aurigma unspecified 17 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7EB2A2EC-1C3A-4946-9614-86D3A10EDBF3"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q19>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7EB2A2EC-1C3A-4946-9614-86D3A10EDBF3\s*}?\s*(?P=q19)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14122 WEB-ACTIVEX Aurigma unspecified 18 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|E|00|B|00|2|00|A|00|2|00|E|00|C|00|-|00|1|00|C|00|3|00|A|00|-|00|4|00|9|00|4|00|6|00|-|00|9|00|6|00|1|00|4|00|-|00|8|00|6|00|D|00|3|00|A|00|1|00|0|00|E|00|D|00|B|00|F|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q20>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x00E\x00B\x002\x00A\x002\x00E\x00C\x00-\x001\x00C\x003\x00A\x00-\x004\x009\x004\x006\x00-\x009\x006\x001\x004\x00-\x008\x006\x00D\x003\x00A\x001\x000\x00E\x00D\x00B\x00F\x003\x00(}\x00)?(?P=q20)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14123 WEB-ACTIVEX Aurigma unspecified 18 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9BAFC7B3-F318-4BD4-BABB-6E403272615A"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q21>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9BAFC7B3-F318-4BD4-BABB-6E403272615A\s*}?\s*(?P=q21)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14124 WEB-ACTIVEX Aurigma unspecified 19 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|B|00|A|00|F|00|C|00|7|00|B|00|3|00|-|00|F|00|3|00|1|00|8|00|-|00|4|00|B|00|D|00|4|00|-|00|B|00|A|00|B|00|B|00|-|00|6|00|E|00|4|00|0|00|3|00|2|00|7|00|2|00|6|00|1|00|5|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q22>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x00B\x00A\x00F\x00C\x007\x00B\x003\x00-\x00F\x003\x001\x008\x00-\x004\x00B\x00D\x004\x00-\x00B\x00A\x00B\x00B\x00-\x006\x00E\x004\x000\x003\x002\x007\x002\x006\x001\x005\x00A\x00(}\x00)?(?P=q22)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14125 WEB-ACTIVEX Aurigma unspecified 19 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"05CDEE1D-D109-4992-B72B-6D4F5E2AB731"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q25>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*05CDEE1D-D109-4992-B72B-6D4F5E2AB731\s*}?\s*(?P=q25)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14126 WEB-ACTIVEX Aurigma unspecified 20 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|5|00|C|00|D|00|E|00|E|00|1|00|D|00|-|00|D|00|1|00|0|00|9|00|-|00|4|00|9|00|9|00|2|00|-|00|B|00|7|00|2|00|B|00|-|00|6|00|D|00|4|00|F|00|5|00|E|00|2|00|A|00|B|00|7|00|3|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q26>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x005\x00C\x00D\x00E\x00E\x001\x00D\x00-\x00D\x001\x000\x009\x00-\x004\x009\x009\x002\x00-\x00B\x007\x002\x00B\x00-\x006\x00D\x004\x00F\x005\x00E\x002\x00A\x00B\x007\x003\x001\x00(}\x00)?(?P=q26)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14127 WEB-ACTIVEX Aurigma unspecified 20 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"977315A5-C0DB-4EFD-89C2-10AA86CA39A5"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q27>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*977315A5-C0DB-4EFD-89C2-10AA86CA39A5\s*}?\s*(?P=q27)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14128 WEB-ACTIVEX Aurigma unspecified 21 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|7|00|7|00|3|00|1|00|5|00|A|00|5|00|-|00|C|00|0|00|D|00|B|00|-|00|4|00|E|00|F|00|D|00|-|00|8|00|9|00|C|00|2|00|-|00|1|00|0|00|A|00|A|00|8|00|6|00|C|00|A|00|3|00|9|00|A|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q28>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x007\x007\x003\x001\x005\x00A\x005\x00-\x00C\x000\x00D\x00B\x00-\x004\x00E\x00F\x00D\x00-\x008\x009\x00C\x002\x00-\x001\x000\x00A\x00A\x008\x006\x00C\x00A\x003\x009\x00A\x005\x00(}\x00)?(?P=q28)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14129 WEB-ACTIVEX Aurigma unspecified 21 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1E0D3332-7441-44FF-A225-AF48E977D8B6"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q29>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1E0D3332-7441-44FF-A225-AF48E977D8B6\s*}?\s*(?P=q29)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14130 WEB-ACTIVEX Aurigma unspecified 22 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|E|00|0|00|D|00|3|00|3|00|3|00|2|00|-|00|7|00|4|00|4|00|1|00|-|00|4|00|4|00|F|00|F|00|-|00|A|00|2|00|2|00|5|00|-|00|A|00|F|00|4|00|8|00|E|00|9|00|7|00|7|00|D|00|8|00|B|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q30>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x00E\x000\x00D\x003\x003\x003\x002\x00-\x007\x004\x004\x001\x00-\x004\x004\x00F\x00F\x00-\x00A\x002\x002\x005\x00-\x00A\x00F\x004\x008\x00E\x009\x007\x007\x00D\x008\x00B\x006\x00(}\x00)?(?P=q30)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14131 WEB-ACTIVEX Aurigma unspecified 22 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B85537E9-2D9C-400A-BC92-B04F4D9FF17D"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q31>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B85537E9-2D9C-400A-BC92-B04F4D9FF17D\s*}?\s*(?P=q31)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14132 WEB-ACTIVEX Aurigma unspecified 23 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|8|00|5|00|5|00|3|00|7|00|E|00|9|00|-|00|2|00|D|00|9|00|C|00|-|00|4|00|0|00|0|00|A|00|-|00|B|00|C|00|9|00|2|00|-|00|B|00|0|00|4|00|F|00|4|00|D|00|9|00|F|00|F|00|1|00|7|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q32>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x008\x005\x005\x003\x007\x00E\x009\x00-\x002\x00D\x009\x00C\x00-\x004\x000\x000\x00A\x00-\x00B\x00C\x009\x002\x00-\x00B\x000\x004\x00F\x004\x00D\x009\x00F\x00F\x001\x007\x00D\x00(}\x00)?(?P=q32)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14133 WEB-ACTIVEX Aurigma unspecified 23 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2C2DE2E6-2AD1-4301-A6A7-DF364858EF01"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q33>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2C2DE2E6-2AD1-4301-A6A7-DF364858EF01\s*}?\s*(?P=q33)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14134 WEB-ACTIVEX Aurigma unspecified 24 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|C|00|2|00|D|00|E|00|2|00|E|00|6|00|-|00|2|00|A|00|D|00|1|00|-|00|4|00|3|00|0|00|1|00|-|00|A|00|6|00|A|00|7|00|-|00|D|00|F|00|3|00|6|00|4|00|8|00|5|00|8|00|E|00|F|00|0|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q34>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x00C\x002\x00D\x00E\x002\x00E\x006\x00-\x002\x00A\x00D\x001\x00-\x004\x003\x000\x001\x00-\x00A\x006\x00A\x007\x00-\x00D\x00F\x003\x006\x004\x008\x005\x008\x00E\x00F\x000\x001\x00(}\x00)?(?P=q34)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14135 WEB-ACTIVEX Aurigma unspecified 24 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0270E604-387F-48ED-BB6D-AA51F51D6FC3"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q35>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0270E604-387F-48ED-BB6D-AA51F51D6FC3\s*}?\s*(?P=q35)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14136 WEB-ACTIVEX Aurigma unspecified 25 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|2|00|7|00|0|00|E|00|6|00|0|00|4|00|-|00|3|00|8|00|7|00|F|00|-|00|4|00|8|00|E|00|D|00|-|00|B|00|B|00|6|00|D|00|-|00|A|00|A|00|5|00|1|00|F|00|5|00|1|00|D|00|6|00|F|00|C|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q36>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x002\x007\x000\x00E\x006\x000\x004\x00-\x003\x008\x007\x00F\x00-\x004\x008\x00E\x00D\x00-\x00B\x00B\x006\x00D\x00-\x00A\x00A\x005\x001\x00F\x005\x001\x00D\x006\x00F\x00C\x003\x00(}\x00)?(?P=q36)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14137 WEB-ACTIVEX Aurigma unspecified 25 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FC28B75F-F9F6-4C92-AF91-14A3A51C49FB"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q37>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FC28B75F-F9F6-4C92-AF91-14A3A51C49FB\s*}?\s*(?P=q37)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14138 WEB-ACTIVEX Aurigma unspecified 26 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|C|00|2|00|8|00|B|00|7|00|5|00|F|00|-|00|F|00|9|00|F|00|6|00|-|00|4|00|C|00|9|00|2|00|-|00|A|00|F|00|9|00|1|00|-|00|1|00|4|00|A|00|3|00|A|00|5|00|1|00|C|00|4|00|9|00|F|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q38>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x00C\x002\x008\x00B\x007\x005\x00F\x00-\x00F\x009\x00F\x006\x00-\x004\x00C\x009\x002\x00-\x00A\x00F\x009\x001\x00-\x001\x004\x00A\x003\x00A\x005\x001\x00C\x004\x009\x00F\x00B\x00(}\x00)?(?P=q38)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14139 WEB-ACTIVEX Aurigma unspecified 26 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"86C2B477-5382-4A09-8CA3-E63B1158A377"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q39>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*86C2B477-5382-4A09-8CA3-E63B1158A377\s*}?\s*(?P=q39)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14140 WEB-ACTIVEX Aurigma unspecified 27 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|6|00|C|00|2|00|B|00|4|00|7|00|7|00|-|00|5|00|3|00|8|00|2|00|-|00|4|00|A|00|0|00|9|00|-|00|8|00|C|00|A|00|3|00|-|00|E|00|6|00|3|00|B|00|1|00|1|00|5|00|8|00|A|00|3|00|7|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q40>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x006\x00C\x002\x00B\x004\x007\x007\x00-\x005\x003\x008\x002\x00-\x004\x00A\x000\x009\x00-\x008\x00C\x00A\x003\x00-\x00E\x006\x003\x00B\x001\x001\x005\x008\x00A\x003\x007\x007\x00(}\x00)?(?P=q40)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14141 WEB-ACTIVEX Aurigma unspecified 27 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8CC18E3F-4E2B-4D27-840E-CB2F99A3A003"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q41>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8CC18E3F-4E2B-4D27-840E-CB2F99A3A003\s*}?\s*(?P=q41)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14142 WEB-ACTIVEX Aurigma unspecified 28 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|C|00|C|00|1|00|8|00|E|00|3|00|F|00|-|00|4|00|E|00|2|00|B|00|-|00|4|00|D|00|2|00|7|00|-|00|8|00|4|00|0|00|E|00|-|00|C|00|B|00|2|00|F|00|9|00|9|00|A|00|3|00|A|00|0|00|0|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q42>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x00C\x00C\x001\x008\x00E\x003\x00F\x00-\x004\x00E\x002\x00B\x00-\x004\x00D\x002\x007\x00-\x008\x004\x000\x00E\x00-\x00C\x00B\x002\x00F\x009\x009\x00A\x003\x00A\x000\x000\x003\x00(}\x00)?(?P=q42)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14143 WEB-ACTIVEX Aurigma unspecified 28 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"68BBCA71-E1F6-47B2-87D3-369E1349D990"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q43>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*68BBCA71-E1F6-47B2-87D3-369E1349D990\s*}?\s*(?P=q43)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14144 WEB-ACTIVEX Aurigma unspecified 29 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|8|00|B|00|B|00|C|00|A|00|7|00|1|00|-|00|E|00|1|00|F|00|6|00|-|00|4|00|7|00|B|00|2|00|-|00|8|00|7|00|D|00|3|00|-|00|3|00|6|00|9|00|E|00|1|00|3|00|4|00|9|00|D|00|9|00|9|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q44>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x008\x00B\x00B\x00C\x00A\x007\x001\x00-\x00E\x001\x00F\x006\x00-\x004\x007\x00B\x002\x00-\x008\x007\x00D\x003\x00-\x003\x006\x009\x00E\x001\x003\x004\x009\x00D\x009\x009\x000\x00(}\x00)?(?P=q44)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14145 WEB-ACTIVEX Aurigma unspecified 29 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8DBC7A04-B478-41D5-BE05-5545D565B59C"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q47>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8DBC7A04-B478-41D5-BE05-5545D565B59C\s*}?\s*(?P=q47)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14146 WEB-ACTIVEX Aurigma unspecified 30 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|D|00|B|00|C|00|7|00|A|00|0|00|4|00|-|00|B|00|4|00|7|00|8|00|-|00|4|00|1|00|D|00|5|00|-|00|B|00|E|00|0|00|5|00|-|00|5|00|5|00|4|00|5|00|D|00|5|00|6|00|5|00|B|00|5|00|9|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q48>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x00D\x00B\x00C\x007\x00A\x000\x004\x00-\x00B\x004\x007\x008\x00-\x004\x001\x00D\x005\x00-\x00B\x00E\x000\x005\x00-\x005\x005\x004\x005\x00D\x005\x006\x005\x00B\x005\x009\x00C\x00(}\x00)?(?P=q48)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14147 WEB-ACTIVEX Aurigma unspecified 30 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q49>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6\s*}?\s*(?P=q49)(\s|>)/si"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 14148 WEB-ACTIVEX Aurigma unspecified 31 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|9|00|8|00|6|00|F|00|E|00|4|00|B|00|-|00|A|00|E|00|6|00|7|00|-|00|4|00|3|00|C|00|8|00|-|00|9|00|A|00|8|00|9|00|-|00|E|00|A|00|D|00|D|00|E|00|A|00|3|00|E|00|C|00|6|00|B|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q50>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x009\x008\x006\x00F\x00E\x004\x00B\x00-\x00A\x00E\x006\x007\x00-\x004\x003\x00C\x008\x00-\x009\x00A\x008\x009\x00-\x00E\x00A\x00D\x00D\x00E\x00A\x003\x00E\x00C\x006\x00B\x006\x00(}\x00)?(?P=q50)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14149 WEB-ACTIVEX Aurigma unspecified 31 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6CA73E8B-B584-4533-A405-3D6F9C012B56"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q51>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6CA73E8B-B584-4533-A405-3D6F9C012B56\s*}?\s*(?P=q51)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14150 WEB-ACTIVEX Aurigma unspecified 32 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|C|00|A|00|7|00|3|00|E|00|8|00|B|00|-|00|B|00|5|00|8|00|4|00|-|00|4|00|5|00|3|00|3|00|-|00|A|00|4|00|0|00|5|00|-|00|3|00|D|00|6|00|F|00|9|00|C|00|0|00|1|00|2|00|B|00|5|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q52>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x00C\x00A\x007\x003\x00E\x008\x00B\x00-\x00B\x005\x008\x004\x00-\x004\x005\x003\x003\x00-\x00A\x004\x000\x005\x00-\x003\x00D\x006\x00F\x009\x00C\x000\x001\x002\x00B\x005\x006\x00(}\x00)?(?P=q52)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14151 WEB-ACTIVEX Aurigma unspecified 32 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A7866636-ED52-4722-82A9-6BAABEFDBF96"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q53>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A7866636-ED52-4722-82A9-6BAABEFDBF96\s*}?\s*(?P=q53)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14152 WEB-ACTIVEX Aurigma unspecified 33 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|7|00|8|00|6|00|6|00|6|00|3|00|6|00|-|00|E|00|D|00|5|00|2|00|-|00|4|00|7|00|2|00|2|00|-|00|8|00|2|00|A|00|9|00|-|00|6|00|B|00|A|00|A|00|B|00|E|00|F|00|D|00|B|00|F|00|9|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q54>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x007\x008\x006\x006\x006\x003\x006\x00-\x00E\x00D\x005\x002\x00-\x004\x007\x002\x002\x00-\x008\x002\x00A\x009\x00-\x006\x00B\x00A\x00A\x00B\x00E\x00F\x00D\x00B\x00F\x009\x006\x00(}\x00)?(?P=q54)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14153 WEB-ACTIVEX Aurigma unspecified 33 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B0A08D67-9464-4E73-A549-2CC208AC60D3"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q55>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B0A08D67-9464-4E73-A549-2CC208AC60D3\s*}?\s*(?P=q55)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14154 WEB-ACTIVEX Aurigma unspecified 34 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|0|00|A|00|0|00|8|00|D|00|6|00|7|00|-|00|9|00|4|00|6|00|4|00|-|00|4|00|E|00|7|00|3|00|-|00|A|00|5|00|4|00|9|00|-|00|2|00|C|00|C|00|2|00|0|00|8|00|A|00|C|00|6|00|0|00|D|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q56>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x000\x00A\x000\x008\x00D\x006\x007\x00-\x009\x004\x006\x004\x00-\x004\x00E\x007\x003\x00-\x00A\x005\x004\x009\x00-\x002\x00C\x00C\x002\x000\x008\x00A\x00C\x006\x000\x00D\x003\x00(}\x00)?(?P=q56)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14155 WEB-ACTIVEX Aurigma unspecified 34 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3D6A1A85-DE54-4768-9951-053B3B02B9B0"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q57>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3D6A1A85-DE54-4768-9951-053B3B02B9B0\s*}?\s*(?P=q57)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14156 WEB-ACTIVEX Aurigma unspecified 35 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|D|00|6|00|A|00|1|00|A|00|8|00|5|00|-|00|D|00|E|00|5|00|4|00|-|00|4|00|7|00|6|00|8|00|-|00|9|00|9|00|5|00|1|00|-|00|0|00|5|00|3|00|B|00|3|00|B|00|0|00|2|00|B|00|9|00|B|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q58>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x00D\x006\x00A\x001\x00A\x008\x005\x00-\x00D\x00E\x005\x004\x00-\x004\x007\x006\x008\x00-\x009\x009\x005\x001\x00-\x000\x005\x003\x00B\x003\x00B\x000\x002\x00B\x009\x00B\x000\x00(}\x00)?(?P=q58)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14157 WEB-ACTIVEX Aurigma unspecified 35 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"947F2947-2296-42FE-92E6-E2E03519B895"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q59>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*947F2947-2296-42FE-92E6-E2E03519B895\s*}?\s*(?P=q59)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14158 WEB-ACTIVEX Aurigma unspecified 36 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|4|00|7|00|F|00|2|00|9|00|4|00|7|00|-|00|2|00|2|00|9|00|6|00|-|00|4|00|2|00|F|00|E|00|-|00|9|00|2|00|E|00|6|00|-|00|E|00|2|00|E|00|0|00|3|00|5|00|1|00|9|00|B|00|8|00|9|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q60>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x004\x007\x00F\x002\x009\x004\x007\x00-\x002\x002\x009\x006\x00-\x004\x002\x00F\x00E\x00-\x009\x002\x00E\x006\x00-\x00E\x002\x00E\x000\x003\x005\x001\x009\x00B\x008\x009\x005\x00(}\x00)?(?P=q60)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14159 WEB-ACTIVEX Aurigma unspecified 36 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"47AF06DD-8E1B-4CA4-8F55-6B1E9FF36ACB"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q61>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*47AF06DD-8E1B-4CA4-8F55-6B1E9FF36ACB\s*}?\s*(?P=q61)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14160 WEB-ACTIVEX Aurigma unspecified 37 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|7|00|A|00|F|00|0|00|6|00|D|00|D|00|-|00|8|00|E|00|1|00|B|00|-|00|4|00|C|00|A|00|4|00|-|00|8|00|F|00|5|00|5|00|-|00|6|00|B|00|1|00|E|00|9|00|F|00|F|00|3|00|6|00|A|00|C|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q62>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x007\x00A\x00F\x000\x006\x00D\x00D\x00-\x008\x00E\x001\x00B\x00-\x004\x00C\x00A\x004\x00-\x008\x00F\x005\x005\x00-\x006\x00B\x001\x00E\x009\x00F\x00F\x003\x006\x00A\x00C\x00B\x00(}\x00)?(?P=q62)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14161 WEB-ACTIVEX Aurigma unspecified 37 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B26E6120-DD35-4BEA-B1E3-E75F546EBF2A"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q63>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B26E6120-DD35-4BEA-B1E3-E75F546EBF2A\s*}?\s*(?P=q63)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14162 WEB-ACTIVEX Aurigma unspecified 38 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|2|00|6|00|E|00|6|00|1|00|2|00|0|00|-|00|D|00|D|00|3|00|5|00|-|00|4|00|B|00|E|00|A|00|-|00|B|00|1|00|E|00|3|00|-|00|E|00|7|00|5|00|F|00|5|00|4|00|6|00|E|00|B|00|F|00|2|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q64>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x002\x006\x00E\x006\x001\x002\x000\x00-\x00D\x00D\x003\x005\x00-\x004\x00B\x00E\x00A\x00-\x00B\x001\x00E\x003\x00-\x00E\x007\x005\x00F\x005\x004\x006\x00E\x00B\x00F\x002\x00A\x00(}\x00)?(?P=q64)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14163 WEB-ACTIVEX Aurigma unspecified 38 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"926618A9-4035-4CD6-8240-64C58EB37B07"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q65>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*926618A9-4035-4CD6-8240-64C58EB37B07\s*}?\s*(?P=q65)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14164 WEB-ACTIVEX Aurigma unspecified 39 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|2|00|6|00|6|00|1|00|8|00|A|00|9|00|-|00|4|00|0|00|3|00|5|00|-|00|4|00|C|00|D|00|6|00|-|00|8|00|2|00|4|00|0|00|-|00|6|00|4|00|C|00|5|00|8|00|E|00|B|00|3|00|7|00|B|00|0|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q66>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x002\x006\x006\x001\x008\x00A\x009\x00-\x004\x000\x003\x005\x00-\x004\x00C\x00D\x006\x00-\x008\x002\x004\x000\x00-\x006\x004\x00C\x005\x008\x00E\x00B\x003\x007\x00B\x000\x007\x00(}\x00)?(?P=q66)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14165 WEB-ACTIVEX Aurigma unspecified 39 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B95B52E9-B839-4412-96EB-4DABAB2E4E24"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q69>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B95B52E9-B839-4412-96EB-4DABAB2E4E24\s*}?\s*(?P=q69)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14166 WEB-ACTIVEX Aurigma unspecified 40 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|9|00|5|00|B|00|5|00|2|00|E|00|9|00|-|00|B|00|8|00|3|00|9|00|-|00|4|00|4|00|1|00|2|00|-|00|9|00|6|00|E|00|B|00|-|00|4|00|D|00|A|00|B|00|A|00|B|00|2|00|E|00|4|00|E|00|2|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q70>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x009\x005\x00B\x005\x002\x00E\x009\x00-\x00B\x008\x003\x009\x00-\x004\x004\x001\x002\x00-\x009\x006\x00E\x00B\x00-\x004\x00D\x00A\x00B\x00A\x00B\x002\x00E\x004\x00E\x002\x004\x00(}\x00)?(?P=q70)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14167 WEB-ACTIVEX Aurigma unspecified 40 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CB05A177-1069-4A7A-AB0A-5E6E00DCDB76"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q71>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CB05A177-1069-4A7A-AB0A-5E6E00DCDB76\s*}?\s*(?P=q71)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14168 WEB-ACTIVEX Aurigma unspecified 41 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|B|00|0|00|5|00|A|00|1|00|7|00|7|00|-|00|1|00|0|00|6|00|9|00|-|00|4|00|A|00|7|00|A|00|-|00|A|00|B|00|0|00|A|00|-|00|5|00|E|00|6|00|E|00|0|00|0|00|D|00|C|00|D|00|B|00|7|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q72>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00B\x000\x005\x00A\x001\x007\x007\x00-\x001\x000\x006\x009\x00-\x004\x00A\x007\x00A\x00-\x00A\x00B\x000\x00A\x00-\x005\x00E\x006\x00E\x000\x000\x00D\x00C\x00D\x00B\x007\x006\x00(}\x00)?(?P=q72)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14169 WEB-ACTIVEX Aurigma unspecified 41 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A233E654-53FF-43AA-B1E2-60DA2E89A1EC"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q73>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A233E654-53FF-43AA-B1E2-60DA2E89A1EC\s*}?\s*(?P=q73)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14170 WEB-ACTIVEX Aurigma unspecified 42 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|2|00|3|00|3|00|E|00|6|00|5|00|4|00|-|00|5|00|3|00|F|00|F|00|-|00|4|00|3|00|A|00|A|00|-|00|B|00|1|00|E|00|2|00|-|00|6|00|0|00|D|00|A|00|2|00|E|00|8|00|9|00|A|00|1|00|E|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q74>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x002\x003\x003\x00E\x006\x005\x004\x00-\x005\x003\x00F\x00F\x00-\x004\x003\x00A\x00A\x00-\x00B\x001\x00E\x002\x00-\x006\x000\x00D\x00A\x002\x00E\x008\x009\x00A\x001\x00E\x00C\x00(}\x00)?(?P=q74)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14171 WEB-ACTIVEX Aurigma unspecified 42 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6981B978-70D9-40B9-B00E-903B6FC8CA8A"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q75>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6981B978-70D9-40B9-B00E-903B6FC8CA8A\s*}?\s*(?P=q75)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14172 WEB-ACTIVEX Aurigma unspecified 43 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|9|00|8|00|1|00|B|00|9|00|7|00|8|00|-|00|7|00|0|00|D|00|9|00|-|00|4|00|0|00|B|00|9|00|-|00|B|00|0|00|0|00|E|00|-|00|9|00|0|00|3|00|B|00|6|00|F|00|C|00|8|00|C|00|A|00|8|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q76>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x009\x008\x001\x00B\x009\x007\x008\x00-\x007\x000\x00D\x009\x00-\x004\x000\x00B\x009\x00-\x00B\x000\x000\x00E\x00-\x009\x000\x003\x00B\x006\x00F\x00C\x008\x00C\x00A\x008\x00A\x00(}\x00)?(?P=q76)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14173 WEB-ACTIVEX Aurigma unspecified 43 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C86EE68A-9C77-4441-BD35-14CC6CC4A189"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q77>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C86EE68A-9C77-4441-BD35-14CC6CC4A189\s*}?\s*(?P=q77)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14174 WEB-ACTIVEX Aurigma unspecified 44 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|8|00|6|00|E|00|E|00|6|00|8|00|A|00|-|00|9|00|C|00|7|00|7|00|-|00|4|00|4|00|4|00|1|00|-|00|B|00|D|00|3|00|5|00|-|00|1|00|4|00|C|00|C|00|6|00|C|00|C|00|4|00|A|00|1|00|8|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q78>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x008\x006\x00E\x00E\x006\x008\x00A\x00-\x009\x00C\x007\x007\x00-\x004\x004\x004\x001\x00-\x00B\x00D\x003\x005\x00-\x001\x004\x00C\x00C\x006\x00C\x00C\x004\x00A\x001\x008\x009\x00(}\x00)?(?P=q78)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14175 WEB-ACTIVEX Aurigma unspecified 44 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2875E7A5-EE3C-4FE7-A23E-DE0529D12028"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q79>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2875E7A5-EE3C-4FE7-A23E-DE0529D12028\s*}?\s*(?P=q79)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14176 WEB-ACTIVEX Aurigma unspecified 45 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|8|00|7|00|5|00|E|00|7|00|A|00|5|00|-|00|E|00|E|00|3|00|C|00|-|00|4|00|F|00|E|00|7|00|-|00|A|00|2|00|3|00|E|00|-|00|D|00|E|00|0|00|5|00|2|00|9|00|D|00|1|00|2|00|0|00|2|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q80>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x008\x007\x005\x00E\x007\x00A\x005\x00-\x00E\x00E\x003\x00C\x00-\x004\x00F\x00E\x007\x00-\x00A\x002\x003\x00E\x00-\x00D\x00E\x000\x005\x002\x009\x00D\x001\x002\x000\x002\x008\x00(}\x00)?(?P=q80)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14177 WEB-ACTIVEX Aurigma unspecified 45 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"66E07EF9-4E89-4284-9632-6D6904B77732"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q81>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*66E07EF9-4E89-4284-9632-6D6904B77732\s*}?\s*(?P=q81)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14178 WEB-ACTIVEX Aurigma unspecified 46 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|6|00|E|00|0|00|7|00|E|00|F|00|9|00|-|00|4|00|E|00|8|00|9|00|-|00|4|00|2|00|8|00|4|00|-|00|9|00|6|00|3|00|2|00|-|00|6|00|D|00|6|00|9|00|0|00|4|00|B|00|7|00|7|00|7|00|3|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q82>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x006\x00E\x000\x007\x00E\x00F\x009\x00-\x004\x00E\x008\x009\x00-\x004\x002\x008\x004\x00-\x009\x006\x003\x002\x00-\x006\x00D\x006\x009\x000\x004\x00B\x007\x007\x007\x003\x002\x00(}\x00)?(?P=q82)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14179 WEB-ACTIVEX Aurigma unspecified 46 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"00D46195-B634-4C41-B53B-5093527FB791"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q83>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00D46195-B634-4C41-B53B-5093527FB791\s*}?\s*(?P=q83)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14180 WEB-ACTIVEX Aurigma unspecified 47 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|D|00|4|00|6|00|1|00|9|00|5|00|-|00|B|00|6|00|3|00|4|00|-|00|4|00|C|00|4|00|1|00|-|00|B|00|5|00|3|00|B|00|-|00|5|00|0|00|9|00|3|00|5|00|2|00|7|00|F|00|B|00|7|00|9|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q84>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x00D\x004\x006\x001\x009\x005\x00-\x00B\x006\x003\x004\x00-\x004\x00C\x004\x001\x00-\x00B\x005\x003\x00B\x00-\x005\x000\x009\x003\x005\x002\x007\x00F\x00B\x007\x009\x001\x00(}\x00)?(?P=q84)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14181 WEB-ACTIVEX Aurigma unspecified 47 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"497EE41C-CE06-4DD4-8308-6C730713C646"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q85>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*497EE41C-CE06-4DD4-8308-6C730713C646\s*}?\s*(?P=q85)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14182 WEB-ACTIVEX Aurigma unspecified 48 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|9|00|7|00|E|00|E|00|4|00|1|00|C|00|-|00|C|00|E|00|0|00|6|00|-|00|4|00|D|00|D|00|4|00|-|00|8|00|3|00|0|00|8|00|-|00|6|00|C|00|7|00|3|00|0|00|7|00|1|00|3|00|C|00|6|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q86>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x009\x007\x00E\x00E\x004\x001\x00C\x00-\x00C\x00E\x000\x006\x00-\x004\x00D\x00D\x004\x00-\x008\x003\x000\x008\x00-\x006\x00C\x007\x003\x000\x007\x001\x003\x00C\x006\x004\x006\x00(}\x00)?(?P=q86)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14183 WEB-ACTIVEX Aurigma unspecified 48 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7A12547F-B772-4F2D-BE36-CE5D0FA886A1"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q87>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7A12547F-B772-4F2D-BE36-CE5D0FA886A1\s*}?\s*(?P=q87)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14184 WEB-ACTIVEX Aurigma unspecified 49 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|A|00|1|00|2|00|5|00|4|00|7|00|F|00|-|00|B|00|7|00|7|00|2|00|-|00|4|00|F|00|2|00|D|00|-|00|B|00|E|00|3|00|6|00|-|00|C|00|E|00|5|00|D|00|0|00|F|00|A|00|8|00|8|00|6|00|A|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q88>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x00A\x001\x002\x005\x004\x007\x00F\x00-\x00B\x007\x007\x002\x00-\x004\x00F\x002\x00D\x00-\x00B\x00E\x003\x006\x00-\x00C\x00E\x005\x00D\x000\x00F\x00A\x008\x008\x006\x00A\x001\x00(}\x00)?(?P=q88)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14185 WEB-ACTIVEX Aurigma unspecified 49 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0B9C0C26-728C-4FDA-B8DD-59806E20E4D9"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q91>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0B9C0C26-728C-4FDA-B8DD-59806E20E4D9\s*}?\s*(?P=q91)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14186 WEB-ACTIVEX Aurigma unspecified 50 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|B|00|9|00|C|00|0|00|C|00|2|00|6|00|-|00|7|00|2|00|8|00|C|00|-|00|4|00|F|00|D|00|A|00|-|00|B|00|8|00|D|00|D|00|-|00|5|00|9|00|8|00|0|00|6|00|E|00|2|00|0|00|E|00|4|00|D|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q92>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00B\x009\x00C\x000\x00C\x002\x006\x00-\x007\x002\x008\x00C\x00-\x004\x00F\x00D\x00A\x00-\x00B\x008\x00D\x00D\x00-\x005\x009\x008\x000\x006\x00E\x002\x000\x00E\x004\x00D\x009\x00(}\x00)?(?P=q92)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14187 WEB-ACTIVEX Aurigma unspecified 50 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F399F5B6-3C63-4674-B0FF-E94328B1947D"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q93>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F399F5B6-3C63-4674-B0FF-E94328B1947D\s*}?\s*(?P=q93)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14188 WEB-ACTIVEX Aurigma unspecified 51 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|3|00|9|00|9|00|F|00|5|00|B|00|6|00|-|00|3|00|C|00|6|00|3|00|-|00|4|00|6|00|7|00|4|00|-|00|B|00|0|00|F|00|F|00|-|00|E|00|9|00|4|00|3|00|2|00|8|00|B|00|1|00|9|00|4|00|7|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q94>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x003\x009\x009\x00F\x005\x00B\x006\x00-\x003\x00C\x006\x003\x00-\x004\x006\x007\x004\x00-\x00B\x000\x00F\x00F\x00-\x00E\x009\x004\x003\x002\x008\x00B\x001\x009\x004\x007\x00D\x00(}\x00)?(?P=q94)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14189 WEB-ACTIVEX Aurigma unspecified 51 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8C7A23D9-2A9B-4AEA-BA91-3003A316B44D"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q95>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8C7A23D9-2A9B-4AEA-BA91-3003A316B44D\s*}?\s*(?P=q95)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14190 WEB-ACTIVEX Aurigma unspecified 52 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|C|00|7|00|A|00|2|00|3|00|D|00|9|00|-|00|2|00|A|00|9|00|B|00|-|00|4|00|A|00|E|00|A|00|-|00|B|00|A|00|9|00|1|00|-|00|3|00|0|00|0|00|3|00|A|00|3|00|1|00|6|00|B|00|4|00|4|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q96>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x00C\x007\x00A\x002\x003\x00D\x009\x00-\x002\x00A\x009\x00B\x00-\x004\x00A\x00E\x00A\x00-\x00B\x00A\x009\x001\x00-\x003\x000\x000\x003\x00A\x003\x001\x006\x00B\x004\x004\x00D\x00(}\x00)?(?P=q96)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14191 WEB-ACTIVEX Aurigma unspecified 52 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E6127E3B-8D17-4BEA-A039-8BB9D0D105A2"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q97>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E6127E3B-8D17-4BEA-A039-8BB9D0D105A2\s*}?\s*(?P=q97)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14192 WEB-ACTIVEX Aurigma unspecified 53 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|6|00|1|00|2|00|7|00|E|00|3|00|B|00|-|00|8|00|D|00|1|00|7|00|-|00|4|00|B|00|E|00|A|00|-|00|A|00|0|00|3|00|9|00|-|00|8|00|B|00|B|00|9|00|D|00|0|00|D|00|1|00|0|00|5|00|A|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q98>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x006\x001\x002\x007\x00E\x003\x00B\x00-\x008\x00D\x001\x007\x00-\x004\x00B\x00E\x00A\x00-\x00A\x000\x003\x009\x00-\x008\x00B\x00B\x009\x00D\x000\x00D\x001\x000\x005\x00A\x002\x00(}\x00)?(?P=q98)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14193 WEB-ACTIVEX Aurigma unspecified 53 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A3796166-A03C-418A-AF3A-060115D4E478"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q99>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A3796166-A03C-418A-AF3A-060115D4E478\s*}?\s*(?P=q99)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14194 WEB-ACTIVEX Aurigma unspecified 54 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|3|00|7|00|9|00|6|00|1|00|6|00|6|00|-|00|A|00|0|00|3|00|C|00|-|00|4|00|1|00|8|00|A|00|-|00|A|00|F|00|3|00|A|00|-|00|0|00|6|00|0|00|1|00|1|00|5|00|D|00|4|00|E|00|4|00|7|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q100>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x003\x007\x009\x006\x001\x006\x006\x00-\x00A\x000\x003\x00C\x00-\x004\x001\x008\x00A\x00-\x00A\x00F\x003\x00A\x00-\x000\x006\x000\x001\x001\x005\x00D\x004\x00E\x004\x007\x008\x00(}\x00)?(?P=q100)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14195 WEB-ACTIVEX Aurigma unspecified 54 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"73BCFD0F-0DAA-4B21-B709-2A8D9D9C692A"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q101>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*73BCFD0F-0DAA-4B21-B709-2A8D9D9C692A\s*}?\s*(?P=q101)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14196 WEB-ACTIVEX Aurigma unspecified 55 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|3|00|B|00|C|00|F|00|D|00|0|00|F|00|-|00|0|00|D|00|A|00|A|00|-|00|4|00|B|00|2|00|1|00|-|00|B|00|7|00|0|00|9|00|-|00|2|00|A|00|8|00|D|00|9|00|D|00|9|00|C|00|6|00|9|00|2|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q102>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x003\x00B\x00C\x00F\x00D\x000\x00F\x00-\x000\x00D\x00A\x00A\x00-\x004\x00B\x002\x001\x00-\x00B\x007\x000\x009\x00-\x002\x00A\x008\x00D\x009\x00D\x009\x00C\x006\x009\x002\x00A\x00(}\x00)?(?P=q102)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14197 WEB-ACTIVEX Aurigma unspecified 55 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"93C5524B-97AE-491E-8EB7-2A3AD964F926"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q103>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*93C5524B-97AE-491E-8EB7-2A3AD964F926\s*}?\s*(?P=q103)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14198 WEB-ACTIVEX Aurigma unspecified 56 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|3|00|C|00|5|00|5|00|2|00|4|00|B|00|-|00|9|00|7|00|A|00|E|00|-|00|4|00|9|00|1|00|E|00|-|00|8|00|E|00|B|00|7|00|-|00|2|00|A|00|3|00|A|00|D|00|9|00|6|00|4|00|F|00|9|00|2|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q104>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x003\x00C\x005\x005\x002\x004\x00B\x00-\x009\x007\x00A\x00E\x00-\x004\x009\x001\x00E\x00-\x008\x00E\x00B\x007\x00-\x002\x00A\x003\x00A\x00D\x009\x006\x004\x00F\x009\x002\x006\x00(}\x00)?(?P=q104)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14199 WEB-ACTIVEX Aurigma unspecified 56 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"833E62AD-1655-499F-908E-62DCA1EB2EC6"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q105>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*833E62AD-1655-499F-908E-62DCA1EB2EC6\s*}?\s*(?P=q105)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14200 WEB-ACTIVEX Aurigma unspecified 57 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|3|00|3|00|E|00|6|00|2|00|A|00|D|00|-|00|1|00|6|00|5|00|5|00|-|00|4|00|9|00|9|00|F|00|-|00|9|00|0|00|8|00|E|00|-|00|6|00|2|00|D|00|C|00|A|00|1|00|E|00|B|00|2|00|E|00|C|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q106>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x003\x003\x00E\x006\x002\x00A\x00D\x00-\x001\x006\x005\x005\x00-\x004\x009\x009\x00F\x00-\x009\x000\x008\x00E\x00-\x006\x002\x00D\x00C\x00A\x001\x00E\x00B\x002\x00E\x00C\x006\x00(}\x00)?(?P=q106)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14201 WEB-ACTIVEX Aurigma unspecified 57 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"285CAE3C-F16A-4A84-9A80-FF23D6E56D68"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q107>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*285CAE3C-F16A-4A84-9A80-FF23D6E56D68\s*}?\s*(?P=q107)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14202 WEB-ACTIVEX Aurigma unspecified 58 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|8|00|5|00|C|00|A|00|E|00|3|00|C|00|-|00|F|00|1|00|6|00|A|00|-|00|4|00|A|00|8|00|4|00|-|00|9|00|A|00|8|00|0|00|-|00|F|00|F|00|2|00|3|00|D|00|6|00|E|00|5|00|6|00|D|00|6|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q108>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x008\x005\x00C\x00A\x00E\x003\x00C\x00-\x00F\x001\x006\x00A\x00-\x004\x00A\x008\x004\x00-\x009\x00A\x008\x000\x00-\x00F\x00F\x002\x003\x00D\x006\x00E\x005\x006\x00D\x006\x008\x00(}\x00)?(?P=q108)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14203 WEB-ACTIVEX Aurigma unspecified 58 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AA13BD85-7EC0-4CC8-9958-1BB2AA32FD0B"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q109>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AA13BD85-7EC0-4CC8-9958-1BB2AA32FD0B\s*}?\s*(?P=q109)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14204 WEB-ACTIVEX Aurigma unspecified 59 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|A|00|1|00|3|00|B|00|D|00|8|00|5|00|-|00|7|00|E|00|C|00|0|00|-|00|4|00|C|00|C|00|8|00|-|00|9|00|9|00|5|00|8|00|-|00|1|00|B|00|B|00|2|00|A|00|A|00|3|00|2|00|F|00|D|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q110>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00A\x001\x003\x00B\x00D\x008\x005\x00-\x007\x00E\x00C\x000\x00-\x004\x00C\x00C\x008\x00-\x009\x009\x005\x008\x00-\x001\x00B\x00B\x002\x00A\x00A\x003\x002\x00F\x00D\x000\x00B\x00(}\x00)?(?P=q110)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14205 WEB-ACTIVEX Aurigma unspecified 59 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4614C49A-0B7D-4E0D-A877-38CCCFE7D589"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q113>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4614C49A-0B7D-4E0D-A877-38CCCFE7D589\s*}?\s*(?P=q113)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14206 WEB-ACTIVEX Aurigma unspecified 60 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|6|00|1|00|4|00|C|00|4|00|9|00|A|00|-|00|0|00|B|00|7|00|D|00|-|00|4|00|E|00|0|00|D|00|-|00|A|00|8|00|7|00|7|00|-|00|3|00|8|00|C|00|C|00|C|00|F|00|E|00|7|00|D|00|5|00|8|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q114>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x006\x001\x004\x00C\x004\x009\x00A\x00-\x000\x00B\x007\x00D\x00-\x004\x00E\x000\x00D\x00-\x00A\x008\x007\x007\x00-\x003\x008\x00C\x00C\x00C\x00F\x00E\x007\x00D\x005\x008\x009\x00(}\x00)?(?P=q114)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14207 WEB-ACTIVEX Aurigma unspecified 60 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"974E1D88-BADF-4C80-8594-A59039C992EA"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q115>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*974E1D88-BADF-4C80-8594-A59039C992EA\s*}?\s*(?P=q115)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14208 WEB-ACTIVEX Aurigma unspecified 61 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|7|00|4|00|E|00|1|00|D|00|8|00|8|00|-|00|B|00|A|00|D|00|F|00|-|00|4|00|C|00|8|00|0|00|-|00|8|00|5|00|9|00|4|00|-|00|A|00|5|00|9|00|0|00|3|00|9|00|C|00|9|00|9|00|2|00|E|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q116>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x007\x004\x00E\x001\x00D\x008\x008\x00-\x00B\x00A\x00D\x00F\x00-\x004\x00C\x008\x000\x00-\x008\x005\x009\x004\x00-\x00A\x005\x009\x000\x003\x009\x00C\x009\x009\x002\x00E\x00A\x00(}\x00)?(?P=q116)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14209 WEB-ACTIVEX Aurigma unspecified 61 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"692898BE-C7CC-4CB3-A45C-66508B7E2C33"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q117>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*692898BE-C7CC-4CB3-A45C-66508B7E2C33\s*}?\s*(?P=q117)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14210 WEB-ACTIVEX Aurigma unspecified 62 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|9|00|2|00|8|00|9|00|8|00|B|00|E|00|-|00|C|00|7|00|C|00|C|00|-|00|4|00|C|00|B|00|3|00|-|00|A|00|4|00|5|00|C|00|-|00|6|00|6|00|5|00|0|00|8|00|B|00|7|00|E|00|2|00|C|00|3|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q118>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x009\x002\x008\x009\x008\x00B\x00E\x00-\x00C\x007\x00C\x00C\x00-\x004\x00C\x00B\x003\x00-\x00A\x004\x005\x00C\x00-\x006\x006\x005\x000\x008\x00B\x007\x00E\x002\x00C\x003\x003\x00(}\x00)?(?P=q118)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14211 WEB-ACTIVEX Aurigma unspecified 62 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F6A7FF1B-9951-4CBE-B197-EA554D6DF40D"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q119>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F6A7FF1B-9951-4CBE-B197-EA554D6DF40D\s*}?\s*(?P=q119)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14212 WEB-ACTIVEX Aurigma unspecified 63 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|6|00|A|00|7|00|F|00|F|00|1|00|B|00|-|00|9|00|9|00|5|00|1|00|-|00|4|00|C|00|B|00|E|00|-|00|B|00|1|00|9|00|7|00|-|00|E|00|A|00|5|00|5|00|4|00|D|00|6|00|D|00|F|00|4|00|0|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q120>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x006\x00A\x007\x00F\x00F\x001\x00B\x00-\x009\x009\x005\x001\x00-\x004\x00C\x00B\x00E\x00-\x00B\x001\x009\x007\x00-\x00E\x00A\x005\x005\x004\x00D\x006\x00D\x00F\x004\x000\x00D\x00(}\x00)?(?P=q120)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14213 WEB-ACTIVEX Aurigma unspecified 63 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"038F6F55-C9F0-4601-8740-98EF1CA9DF9A"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q121>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*038F6F55-C9F0-4601-8740-98EF1CA9DF9A\s*}?\s*(?P=q121)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14214 WEB-ACTIVEX Aurigma unspecified 64 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|3|00|8|00|F|00|6|00|F|00|5|00|5|00|-|00|C|00|9|00|F|00|0|00|-|00|4|00|6|00|0|00|1|00|-|00|8|00|7|00|4|00|0|00|-|00|9|00|8|00|E|00|F|00|1|00|C|00|A|00|9|00|D|00|F|00|9|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q122>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x003\x008\x00F\x006\x00F\x005\x005\x00-\x00C\x009\x00F\x000\x00-\x004\x006\x000\x001\x00-\x008\x007\x004\x000\x00-\x009\x008\x00E\x00F\x001\x00C\x00A\x009\x00D\x00F\x009\x00A\x00(}\x00)?(?P=q122)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14215 WEB-ACTIVEX Aurigma unspecified 64 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"652623DC-2BB4-4C1C-ADFB-57A218F1A5EE"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q123>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*652623DC-2BB4-4C1C-ADFB-57A218F1A5EE\s*}?\s*(?P=q123)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14216 WEB-ACTIVEX Aurigma unspecified 65 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|5|00|2|00|6|00|2|00|3|00|D|00|C|00|-|00|2|00|B|00|B|00|4|00|-|00|4|00|C|00|1|00|C|00|-|00|A|00|D|00|F|00|B|00|-|00|5|00|7|00|A|00|2|00|1|00|8|00|F|00|1|00|A|00|5|00|E|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q124>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x005\x002\x006\x002\x003\x00D\x00C\x00-\x002\x00B\x00B\x004\x00-\x004\x00C\x001\x00C\x00-\x00A\x00D\x00F\x00B\x00-\x005\x007\x00A\x002\x001\x008\x00F\x001\x00A\x005\x00E\x00E\x00(}\x00)?(?P=q124)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14217 WEB-ACTIVEX Aurigma unspecified 65 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9275A865-754B-4EDF-B828-FED0F8D344FC"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q125>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9275A865-754B-4EDF-B828-FED0F8D344FC\s*}?\s*(?P=q125)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14218 WEB-ACTIVEX Aurigma unspecified 66 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|2|00|7|00|5|00|A|00|8|00|6|00|5|00|-|00|7|00|5|00|4|00|B|00|-|00|4|00|E|00|D|00|F|00|-|00|B|00|8|00|2|00|8|00|-|00|F|00|E|00|D|00|0|00|F|00|8|00|D|00|3|00|4|00|4|00|F|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q126>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x002\x007\x005\x00A\x008\x006\x005\x00-\x007\x005\x004\x00B\x00-\x004\x00E\x00D\x00F\x00-\x00B\x008\x002\x008\x00-\x00F\x00E\x00D\x000\x00F\x008\x00D\x003\x004\x004\x00F\x00C\x00(}\x00)?(?P=q126)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14219 WEB-ACTIVEX Aurigma unspecified 66 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6C095616-6064-43ca-9180-CF1B6B6A0BE4"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q127>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6C095616-6064-43ca-9180-CF1B6B6A0BE4\s*}?\s*(?P=q127)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14220 WEB-ACTIVEX Aurigma unspecified 67 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|C|00|0|00|9|00|5|00|6|00|1|00|6|00|-|00|6|00|0|00|6|00|4|00|-|00|4|00|3|00|c|00|a|00|-|00|9|00|1|00|8|00|0|00|-|00|C|00|F|00|1|00|B|00|6|00|B|00|6|00|A|00|0|00|B|00|E|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q128>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x00C\x000\x009\x005\x006\x001\x006\x00-\x006\x000\x006\x004\x00-\x004\x003\x00c\x00a\x00-\x009\x001\x008\x000\x00-\x00C\x00F\x001\x00B\x006\x00B\x006\x00A\x000\x00B\x00E\x004\x00(}\x00)?(?P=q128)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14221 WEB-ACTIVEX Aurigma unspecified 67 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E1A26BBF-26C0-401d-B82B-5C4CC67457E0"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q129>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E1A26BBF-26C0-401d-B82B-5C4CC67457E0\s*}?\s*(?P=q129)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14222 WEB-ACTIVEX Aurigma unspecified 68 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|1|00|A|00|2|00|6|00|B|00|B|00|F|00|-|00|2|00|6|00|C|00|0|00|-|00|4|00|0|00|1|00|d|00|-|00|B|00|8|00|2|00|B|00|-|00|5|00|C|00|4|00|C|00|C|00|6|00|7|00|4|00|5|00|7|00|E|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q130>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x001\x00A\x002\x006\x00B\x00B\x00F\x00-\x002\x006\x00C\x000\x00-\x004\x000\x001\x00d\x00-\x00B\x008\x002\x00B\x00-\x005\x00C\x004\x00C\x00C\x006\x007\x004\x005\x007\x00E\x000\x00(}\x00)?(?P=q130)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14223 WEB-ACTIVEX Aurigma unspecified 68 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A73BAEFA-EE65-494D-BEDB-DD3E5A34FA98"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q131>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A73BAEFA-EE65-494D-BEDB-DD3E5A34FA98\s*}?\s*(?P=q131)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14224 WEB-ACTIVEX Aurigma unspecified 69 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|7|00|3|00|B|00|A|00|E|00|F|00|A|00|-|00|E|00|E|00|6|00|5|00|-|00|4|00|9|00|4|00|D|00|-|00|B|00|E|00|D|00|B|00|-|00|D|00|D|00|3|00|E|00|5|00|A|00|3|00|4|00|F|00|A|00|9|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q132>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x007\x003\x00B\x00A\x00E\x00F\x00A\x00-\x00E\x00E\x006\x005\x00-\x004\x009\x004\x00D\x00-\x00B\x00E\x00D\x00B\x00-\x00D\x00D\x003\x00E\x005\x00A\x003\x004\x00F\x00A\x009\x008\x00(}\x00)?(?P=q132)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14225 WEB-ACTIVEX Aurigma unspecified 69 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E4C97925-C194-4551-8831-EABBD0280885"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q135>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E4C97925-C194-4551-8831-EABBD0280885\s*}?\s*(?P=q135)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14226 WEB-ACTIVEX Aurigma unspecified 70 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|4|00|C|00|9|00|7|00|9|00|2|00|5|00|-|00|C|00|1|00|9|00|4|00|-|00|4|00|5|00|5|00|1|00|-|00|8|00|8|00|3|00|1|00|-|00|E|00|A|00|B|00|B|00|D|00|0|00|2|00|8|00|0|00|8|00|8|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q136>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x004\x00C\x009\x007\x009\x002\x005\x00-\x00C\x001\x009\x004\x00-\x004\x005\x005\x001\x00-\x008\x008\x003\x001\x00-\x00E\x00A\x00B\x00B\x00D\x000\x002\x008\x000\x008\x008\x005\x00(}\x00)?(?P=q136)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14227 WEB-ACTIVEX Aurigma unspecified 70 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CC7DA087-B7F4-4829-B038-DA01DFB5D879"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q137>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CC7DA087-B7F4-4829-B038-DA01DFB5D879\s*}?\s*(?P=q137)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14228 WEB-ACTIVEX Aurigma unspecified 71 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|C|00|7|00|D|00|A|00|0|00|8|00|7|00|-|00|B|00|7|00|F|00|4|00|-|00|4|00|8|00|2|00|9|00|-|00|B|00|0|00|3|00|8|00|-|00|D|00|A|00|0|00|1|00|D|00|F|00|B|00|5|00|D|00|8|00|7|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q138>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00C\x007\x00D\x00A\x000\x008\x007\x00-\x00B\x007\x00F\x004\x00-\x004\x008\x002\x009\x00-\x00B\x000\x003\x008\x00-\x00D\x00A\x000\x001\x00D\x00F\x00B\x005\x00D\x008\x007\x009\x00(}\x00)?(?P=q138)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14229 WEB-ACTIVEX Aurigma unspecified 71 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 30826 attempted-user 2007-1682 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(BuildPath|GetDriveName|DriveExists|DeleteFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(BuildPath|GetDriveName|DriveExists|DeleteFile))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14231 WEB-ACTIVEX SoftArtisans XFile FileManager ActiveX clsid access support.softartisans.com/Support-114.aspx 30826 attempted-user 2007-1682 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"SoftArtisans.FileManager"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22SoftArtisans\.FileManager\x22|\x27SoftArtisans\.FileManager\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(BuildPath|GetDriveName|DriveExists|DeleteFile)\s*|.*(?P=v)\s*\.\s*(BuildPath|GetDriveName|DriveExists|DeleteFile)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SoftArtisans\.FileManager\x22|\x27SoftArtisans\.FileManager\x27)\s*\)(\s*\.\s*(BuildPath|GetDriveName|DriveExists|DeleteFile)\s*|.*(?P=n)\s*\.\s*(BuildPath|GetDriveName|DriveExists|DeleteFile)\s*)\s*\(/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14233 WEB-ACTIVEX SoftArtisans XFile FileManager ActiveX function call access support.softartisans.com/Support-114.aspx 30826 attempted-user 2007-1682 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"S|00|o|00|f|00|t|00|A|00|r|00|t|00|i|00|s|00|a|00|n|00|s|00|.|00|F|00|i|00|l|00|e|00|M|00|a|00|n|00|a|00|g|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)S\x00o\x00f\x00t\x00A\x00r\x00t\x00i\x00s\x00a\x00n\x00s\x00.\x00F\x00i\x00l\x00e\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)S\x00o\x00f\x00t\x00A\x00r\x00t\x00i\x00s\x00a\x00n\x00s\x00.\x00F\x00i\x00l\x00e\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14234 WEB-ACTIVEX SoftArtisans XFile FileManager ActiveX function call unicode access support.softartisans.com/Support-114.aspx 30891 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F4A06697-C0E7-4BB6-8C3B-E01016A4408B"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F4A06697-C0E7-4BB6-8C3B-E01016A4408B\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(RunApp|CreateURLShortcut)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F4A06697-C0E7-4BB6-8C3B-E01016A4408B\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(RunApp|CreateURLShortcut))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14239 WEB-ACTIVEX Friendly Technologies fwRemoteConfig ActiveX clsid access 30891 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|4|00|A|00|0|00|6|00|6|00|9|00|7|00|-|00|C|00|0|00|E|00|7|00|-|00|4|00|B|00|B|00|6|00|-|00|8|00|C|00|3|00|B|00|-|00|E|00|0|00|1|00|0|00|1|00|6|00|A|00|4|00|4|00|0|00|8|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x004\x00A\x000\x006\x006\x009\x007\x00-\x00C\x000\x00E\x007\x00-\x004\x00B\x00B\x006\x00-\x008\x00C\x003\x00B\x00-\x00E\x000\x001\x000\x001\x006\x00A\x004\x004\x000\x008\x00B\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14240 WEB-ACTIVEX Friendly Technologies fwRemoteConfig ActiveX clsid unicode access 30891 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FwRemoteCfg.RemoteCfg"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22FwRemoteCfg\.RemoteCfg\x22|\x27FwRemoteCfg\.RemoteCfg\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(RunApp|CreateURLShortcut)\s*|.*(?P=v)\s*\.\s*(RunApp|CreateURLShortcut)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22FwRemoteCfg\.RemoteCfg\x22|\x27FwRemoteCfg\.RemoteCfg\x27)\s*\)(\s*\.\s*(RunApp|CreateURLShortcut)\s*|.*(?P=n)\s*\.\s*(RunApp|CreateURLShortcut)\s*)\s*\(/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14241 WEB-ACTIVEX Friendly Technologies fwRemoteConfig ActiveX function call access 30891 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|w|00|R|00|e|00|m|00|o|00|t|00|e|00|C|00|f|00|g|00|.|00|R|00|e|00|m|00|o|00|t|00|e|00|C|00|f|00|g|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)F\x00w\x00R\x00e\x00m\x00o\x00t\x00e\x00C\x00f\x00g\x00.\x00R\x00e\x00m\x00o\x00t\x00e\x00C\x00f\x00g\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)F\x00w\x00R\x00e\x00m\x00o\x00t\x00e\x00C\x00f\x00g\x00.\x00R\x00e\x00m\x00o\x00t\x00e\x00C\x00f\x00g\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14242 WEB-ACTIVEX Friendly Technologies fwRemoteConfig ActiveX function call unicode access 30922 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"442599A9-EB41-4F1F-B999-737BC587F314"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*442599A9-EB41-4F1F-B999-737BC587F314\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Location)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*442599A9-EB41-4F1F-B999-737BC587F314\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(Location))\s*=/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14243 WEB-ACTIVEX Najdi.si Toolbar ActiveX clsid access 30922 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|4|00|2|00|5|00|9|00|9|00|A|00|9|00|-|00|E|00|B|00|4|00|1|00|-|00|4|00|F|00|1|00|F|00|-|00|B|00|9|00|9|00|9|00|-|00|7|00|3|00|7|00|B|00|C|00|5|00|8|00|7|00|F|00|3|00|1|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x004\x002\x005\x009\x009\x00A\x009\x00-\x00E\x00B\x004\x001\x00-\x004\x00F\x001\x00F\x00-\x00B\x009\x009\x009\x00-\x007\x003\x007\x00B\x00C\x005\x008\x007\x00F\x003\x001\x004\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14244 WEB-ACTIVEX Najdi.si Toolbar ActiveX clsid unicode access 30922 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Interseek.IEToolbar"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Interseek\.IEToolbar\x22|\x27Interseek\.IEToolbar\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Location\s*|.*(?P=v)\s*\.\s*Location\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Interseek\.IEToolbar\x22|\x27Interseek\.IEToolbar\x27)\s*\)(\s*\.\s*Location\s*|.*(?P=n)\s*\.\s*Location)\s*=/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14245 WEB-ACTIVEX Najdi.si Toolbar ActiveX function call access 30922 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"I|00|n|00|t|00|e|00|r|00|s|00|e|00|e|00|k|00|.|00|I|00|E|00|T|00|o|00|o|00|l|00|b|00|a|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)I\x00n\x00t\x00e\x00r\x00s\x00e\x00e\x00k\x00.\x00I\x00E\x00T\x00o\x00o\x00l\x00b\x00a\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)I\x00n\x00t\x00e\x00r\x00s\x00e\x00e\x00k\x00.\x00I\x00E\x00T\x00o\x00o\x00l\x00b\x00a\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14246 WEB-ACTIVEX Najdi.si Toolbar ActiveX function call unicode access 30424 attempted-user 2008-3430 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CA06EE71-7348-44C4-9540-AAF0E6BD1515"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CA06EE71-7348-44C4-9540-AAF0E6BD1515\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(BgColor)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CA06EE71-7348-44C4-9540-AAF0E6BD1515\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(BgColor))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14247 WEB-ACTIVEX Eyeball MessengerSDK ActiveX clsid access 30424 attempted-user 2008-3430 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|A|00|0|00|6|00|E|00|E|00|7|00|1|00|-|00|7|00|3|00|4|00|8|00|-|00|4|00|4|00|C|00|4|00|-|00|9|00|5|00|4|00|0|00|-|00|A|00|A|00|F|00|0|00|E|00|6|00|B|00|D|00|1|00|5|00|1|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00A\x000\x006\x00E\x00E\x007\x001\x00-\x007\x003\x004\x008\x00-\x004\x004\x00C\x004\x00-\x009\x005\x004\x000\x00-\x00A\x00A\x00F\x000\x00E\x006\x00B\x00D\x001\x005\x001\x005\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14248 WEB-ACTIVEX Eyeball MessengerSDK ActiveX clsid unicode access 30424 attempted-user 2008-3430 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"EyeballSdk.VideoWindowCtl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22EyeballSdk\.VideoWindowCtl\x22|\x27EyeballSdk\.VideoWindowCtl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*BgColor\s*|.*(?P=v)\s*\.\s*BgColor\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EyeballSdk\.VideoWindowCtl\x22|\x27EyeballSdk\.VideoWindowCtl\x27)\s*\)(\s*\.\s*BgColor\s*|.*(?P=n)\s*\.\s*BgColor\s*)\s*\(/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14249 WEB-ACTIVEX Eyeball MessengerSDK ActiveX function call access 30424 attempted-user 2008-3430 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|y|00|e|00|b|00|a|00|l|00|l|00|S|00|d|00|k|00|.|00|V|00|i|00|d|00|e|00|o|00|W|00|i|00|n|00|d|00|o|00|w|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)E\x00y\x00e\x00b\x00a\x00l\x00l\x00S\x00d\x00k\x00.\x00V\x00i\x00d\x00e\x00o\x00W\x00i\x00n\x00d\x00o\x00w\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)E\x00y\x00e\x00b\x00a\x00l\x00l\x00S\x00d\x00k\x00.\x00V\x00i\x00d\x00e\x00o\x00W\x00i\x00n\x00d\x00o\x00w\x00C\x00t\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14250 WEB-ACTIVEX Eyeball MessengerSDK ActiveX function call unicode access attempted-user 2008-3014 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|14251, service http, policy balanced-ips drop, policy security-ips drop; 14251 EXPLOIT Microsoft GDI malformed metarecord buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS08-052.mspx attempted-user 2008-3012 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|14259, service http, policy balanced-ips drop, policy security-ips drop; 14259 WEB-CLIENT Microsoft GDI EMF malformed file buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS08-052.mspx 31069 attempted-user 2008-3957 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A1E75357-881A-419E-83E2-BB16DB197C68"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A1E75357-881A-419E-83E2-BB16DB197C68\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Save)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A1E75357-881A-419E-83E2-BB16DB197C68\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Save))\s*\(/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14266 WEB-ACTIVEX Microsoft Windows Image Acquisition Logger ActiveX clsid access 31069 attempted-user 2008-3957 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|1|00|E|00|7|00|5|00|3|00|5|00|7|00|-|00|8|00|8|00|1|00|A|00|-|00|4|00|1|00|9|00|E|00|-|00|8|00|3|00|E|00|2|00|-|00|B|00|B|00|1|00|6|00|D|00|B|00|1|00|9|00|7|00|C|00|6|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x001\x00E\x007\x005\x003\x005\x007\x00-\x008\x008\x001\x00A\x00-\x004\x001\x009\x00E\x00-\x008\x003\x00E\x002\x00-\x00B\x00B\x001\x006\x00D\x00B\x001\x009\x007\x00C\x006\x008\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14267 WEB-ACTIVEX Microsoft Windows Image Acquisition Logger ActiveX clsid unicode access 31069 attempted-user 2008-3957 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"WiaLog"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22WiaLog\x22|\x27WiaLog\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Save\s*|.*(?P=v)\s*\.\s*Save\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WiaLog\x22|\x27WiaLog\x27)\s*\)(\s*\.\s*Save\s*|.*(?P=n)\s*\.\s*Save\s*)\s*\(/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14268 WEB-ACTIVEX Microsoft Windows Image Acquisition Logger ActiveX function call access 31069 attempted-user 2008-3957 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"W|00|i|00|a|00|L|00|o|00|g|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)W\x00i\x00a\x00L\x00o\x00g\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)W\x00i\x00a\x00L\x00o\x00g\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14269 WEB-ACTIVEX Microsoft Windows Image Acquisition Logger ActiveX function call unicode access 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0F748FDE-0597-443c-8596-71854C5EA20A"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0F748FDE-0597-443c-8596-71854C5EA20A\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14270 WEB-ACTIVEX VieLib2.Vie2Locator ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|F|00|7|00|4|00|8|00|F|00|D|00|E|00|-|00|0|00|5|00|9|00|7|00|-|00|4|00|4|00|3|00|c|00|-|00|8|00|5|00|9|00|6|00|-|00|7|00|1|00|8|00|5|00|4|00|C|00|5|00|E|00|A|00|2|00|0|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00F\x007\x004\x008\x00F\x00D\x00E\x00-\x000\x005\x009\x007\x00-\x004\x004\x003\x00c\x00-\x008\x005\x009\x006\x00-\x007\x001\x008\x005\x004\x00C\x005\x00E\x00A\x002\x000\x00A\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14271 WEB-ACTIVEX VieLib2.Vie2Locator ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VieLib2.Vie2Locator"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VieLib2\.Vie2Locator\x22|\x27VieLib2\.Vie2Locator\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VieLib2\.Vie2Locator\x22|\x27VieLib2\.Vie2Locator\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14272 WEB-ACTIVEX VieLib2.Vie2Locator ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|i|00|e|00|L|00|i|00|b|00|2|00|.|00|V|00|i|00|e|00|2|00|L|00|o|00|c|00|a|00|t|00|o|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00i\x00e\x00L\x00i\x00b\x002\x00.\x00V\x00i\x00e\x002\x00L\x00o\x00c\x00a\x00t\x00o\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00i\x00e\x00L\x00i\x00b\x002\x00.\x00V\x00i\x00e\x002\x00L\x00o\x00c\x00a\x00t\x00o\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14273 WEB-ACTIVEX VieLib2.Vie2Locator ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1AF378DE-4574-4bb0-A5DF-F78FCAD28707"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1AF378DE-4574-4bb0-A5DF-F78FCAD28707\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14274 WEB-ACTIVEX Vie2Lib.Vie2LinuxVolume ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|A|00|F|00|3|00|7|00|8|00|D|00|E|00|-|00|4|00|5|00|7|00|4|00|-|00|4|00|b|00|b|00|0|00|-|00|A|00|5|00|D|00|F|00|-|00|F|00|7|00|8|00|F|00|C|00|A|00|D|00|2|00|8|00|7|00|0|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x00A\x00F\x003\x007\x008\x00D\x00E\x00-\x004\x005\x007\x004\x00-\x004\x00b\x00b\x000\x00-\x00A\x005\x00D\x00F\x00-\x00F\x007\x008\x00F\x00C\x00A\x00D\x002\x008\x007\x000\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14275 WEB-ACTIVEX Vie2Lib.Vie2LinuxVolume ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vie2Lib.Vie2LinuxVolume"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vie2Lib\.Vie2LinuxVolume\x22|\x27Vie2Lib\.Vie2LinuxVolume\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vie2Lib\.Vie2LinuxVolume\x22|\x27Vie2Lib\.Vie2LinuxVolume\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14276 WEB-ACTIVEX Vie2Lib.Vie2LinuxVolume ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|i|00|e|00|2|00|L|00|i|00|b|00|.|00|V|00|i|00|e|00|2|00|L|00|i|00|n|00|u|00|x|00|V|00|o|00|l|00|u|00|m|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00i\x00e\x002\x00L\x00i\x00b\x00.\x00V\x00i\x00e\x002\x00L\x00i\x00n\x00u\x00x\x00V\x00o\x00l\x00u\x00m\x00e\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00i\x00e\x002\x00L\x00i\x00b\x00.\x00V\x00i\x00e\x002\x00L\x00i\x00n\x00u\x00x\x00V\x00o\x00l\x00u\x00m\x00e\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14277 WEB-ACTIVEX Vie2Lib.Vie2LinuxVolume ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7B9C5422-39AA-4c21-BEEF-645E42EB4529"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7B9C5422-39AA-4c21-BEEF-645E42EB4529\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14278 WEB-ACTIVEX VieLib2.Vie2Process ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|B|00|9|00|C|00|5|00|4|00|2|00|2|00|-|00|3|00|9|00|A|00|A|00|-|00|4|00|c|00|2|00|1|00|-|00|B|00|E|00|E|00|F|00|-|00|6|00|4|00|5|00|E|00|4|00|2|00|E|00|B|00|4|00|5|00|2|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x00B\x009\x00C\x005\x004\x002\x002\x00-\x003\x009\x00A\x00A\x00-\x004\x00c\x002\x001\x00-\x00B\x00E\x00E\x00F\x00-\x006\x004\x005\x00E\x004\x002\x00E\x00B\x004\x005\x002\x009\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14279 WEB-ACTIVEX VieLib2.Vie2Process ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VieLib2.Vie2Process"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VieLib2\.Vie2Process\x22|\x27VieLib2\.Vie2Process\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VieLib2\.Vie2Process\x22|\x27VieLib2\.Vie2Process\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14280 WEB-ACTIVEX VieLib2.Vie2Process ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|i|00|e|00|L|00|i|00|b|00|2|00|.|00|V|00|i|00|e|00|2|00|P|00|r|00|o|00|c|00|e|00|s|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00i\x00e\x00L\x00i\x00b\x002\x00.\x00V\x00i\x00e\x002\x00P\x00r\x00o\x00c\x00e\x00s\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00i\x00e\x00L\x00i\x00b\x002\x00.\x00V\x00i\x00e\x002\x00P\x00r\x00o\x00c\x00e\x00s\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14281 WEB-ACTIVEX VieLib2.Vie2Process ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AF13B07E-28A1-4CAC-9C9A-EC582E354A24"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AF13B07E-28A1-4CAC-9C9A-EC582E354A24\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14282 WEB-ACTIVEX IntraProcessLogging.Logger ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|F|00|1|00|3|00|B|00|0|00|7|00|E|00|-|00|2|00|8|00|A|00|1|00|-|00|4|00|C|00|A|00|C|00|-|00|9|00|C|00|9|00|A|00|-|00|E|00|C|00|5|00|8|00|2|00|E|00|3|00|5|00|4|00|A|00|2|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00F\x001\x003\x00B\x000\x007\x00E\x00-\x002\x008\x00A\x001\x00-\x004\x00C\x00A\x00C\x00-\x009\x00C\x009\x00A\x00-\x00E\x00C\x005\x008\x002\x00E\x003\x005\x004\x00A\x002\x004\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14283 WEB-ACTIVEX IntraProcessLogging.Logger ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"IntraProcessLogging.Logger"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22IntraProcessLogging\.Logger\x22|\x27IntraProcessLogging\.Logger\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22IntraProcessLogging\.Logger\x22|\x27IntraProcessLogging\.Logger\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14284 WEB-ACTIVEX IntraProcessLogging.Logger ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"I|00|n|00|t|00|r|00|a|00|P|00|r|00|o|00|c|00|e|00|s|00|s|00|L|00|o|00|g|00|g|00|i|00|n|00|g|00|.|00|L|00|o|00|g|00|g|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)I\x00n\x00t\x00r\x00a\x00P\x00r\x00o\x00c\x00e\x00s\x00s\x00L\x00o\x00g\x00g\x00i\x00n\x00g\x00.\x00L\x00o\x00g\x00g\x00e\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)I\x00n\x00t\x00r\x00a\x00P\x00r\x00o\x00c\x00e\x00s\x00s\x00L\x00o\x00g\x00g\x00i\x00n\x00g\x00.\x00L\x00o\x00g\x00g\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14285 WEB-ACTIVEX IntraProcessLogging.Logger ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"07051fd9-3e4e-4f79-b1ac-0a2f9338f806"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*07051fd9-3e4e-4f79-b1ac-0a2f9338f806\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14286 WEB-ACTIVEX VMClientHosts Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|7|00|0|00|5|00|1|00|f|00|d|00|9|00|-|00|3|00|e|00|4|00|e|00|-|00|4|00|f|00|7|00|9|00|-|00|b|00|1|00|a|00|c|00|-|00|0|00|a|00|2|00|f|00|9|00|3|00|3|00|8|00|f|00|8|00|0|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x007\x000\x005\x001\x00f\x00d\x009\x00-\x003\x00e\x004\x00e\x00-\x004\x00f\x007\x009\x00-\x00b\x001\x00a\x00c\x00-\x000\x00a\x002\x00f\x009\x003\x003\x008\x00f\x008\x000\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14287 WEB-ACTIVEX VMClientHosts Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmdbCOM.VMClientHosts"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmdbCOM\.VMClientHosts\x22|\x27vmdbCOM\.VMClientHosts\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VMClientHosts\x22|\x27vmdbCOM\.VMClientHosts\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14288 WEB-ACTIVEX VMClientHosts Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|M|00|C|00|l|00|i|00|e|00|n|00|t|00|H|00|o|00|s|00|t|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00C\x00l\x00i\x00e\x00n\x00t\x00H\x00o\x00s\x00t\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00C\x00l\x00i\x00e\x00n\x00t\x00H\x00o\x00s\x00t\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14289 WEB-ACTIVEX VMClientHosts Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"095DB814-94A0-4AD7-88C3-7DFBE688B12A"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*095DB814-94A0-4AD7-88C3-7DFBE688B12A\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14290 WEB-ACTIVEX VhdCvtCom.DiskLibCreateParamObj ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|9|00|5|00|D|00|B|00|8|00|1|00|4|00|-|00|9|00|4|00|A|00|0|00|-|00|4|00|A|00|D|00|7|00|-|00|8|00|8|00|C|00|3|00|-|00|7|00|D|00|F|00|B|00|E|00|6|00|8|00|8|00|B|00|1|00|2|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x009\x005\x00D\x00B\x008\x001\x004\x00-\x009\x004\x00A\x000\x00-\x004\x00A\x00D\x007\x00-\x008\x008\x00C\x003\x00-\x007\x00D\x00F\x00B\x00E\x006\x008\x008\x00B\x001\x002\x00A\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14291 WEB-ACTIVEX VhdCvtCom.DiskLibCreateParamObj ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VhdCvtCom.DiskLibCreateParamObj"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VhdCvtCom\.DiskLibCreateParamObj\x22|\x27VhdCvtCom\.DiskLibCreateParamObj\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VhdCvtCom\.DiskLibCreateParamObj\x22|\x27VhdCvtCom\.DiskLibCreateParamObj\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14292 WEB-ACTIVEX VhdCvtCom.DiskLibCreateParamObj ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|h|00|d|00|C|00|v|00|t|00|C|00|o|00|m|00|.|00|D|00|i|00|s|00|k|00|L|00|i|00|b|00|C|00|r|00|e|00|a|00|t|00|e|00|P|00|a|00|r|00|a|00|m|00|O|00|b|00|j|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00h\x00d\x00C\x00v\x00t\x00C\x00o\x00m\x00.\x00D\x00i\x00s\x00k\x00L\x00i\x00b\x00C\x00r\x00e\x00a\x00t\x00e\x00P\x00a\x00r\x00a\x00m\x00O\x00b\x00j\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00h\x00d\x00C\x00v\x00t\x00C\x00o\x00m\x00.\x00D\x00i\x00s\x00k\x00L\x00i\x00b\x00C\x00r\x00e\x00a\x00t\x00e\x00P\x00a\x00r\x00a\x00m\x00O\x00b\x00j\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14293 WEB-ACTIVEX VhdCvtCom.DiskLibCreateParamObj ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0ce412d9-4520-4e5a-893d-88b3a8f29c97"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0ce412d9-4520-4e5a-893d-88b3a8f29c97\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14294 WEB-ACTIVEX RemoteDirDlg Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|c|00|e|00|4|00|1|00|2|00|d|00|9|00|-|00|4|00|5|00|2|00|0|00|-|00|4|00|e|00|5|00|a|00|-|00|8|00|9|00|3|00|d|00|-|00|8|00|8|00|b|00|3|00|a|00|8|00|f|00|2|00|9|00|c|00|9|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00c\x00e\x004\x001\x002\x00d\x009\x00-\x004\x005\x002\x000\x00-\x004\x00e\x005\x00a\x00-\x008\x009\x003\x00d\x00-\x008\x008\x00b\x003\x00a\x008\x00f\x002\x009\x00c\x009\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14295 WEB-ACTIVEX RemoteDirDlg Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vmappsdk.RemoteDirDlg"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vmappsdk\.RemoteDirDlg\x22|\x27Vmappsdk\.RemoteDirDlg\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.RemoteDirDlg\x22|\x27Vmappsdk\.RemoteDirDlg\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14296 WEB-ACTIVEX RemoteDirDlg Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|R|00|e|00|m|00|o|00|t|00|e|00|D|00|i|00|r|00|D|00|l|00|g|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00R\x00e\x00m\x00o\x00t\x00e\x00D\x00i\x00r\x00D\x00l\x00g\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00R\x00e\x00m\x00o\x00t\x00e\x00D\x00i\x00r\x00D\x00l\x00g\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14297 WEB-ACTIVEX RemoteDirDlg Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"13E86A0C-FE7D-4573-A41D-6B5B00CCFE22"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*13E86A0C-FE7D-4573-A41D-6B5B00CCFE22\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14298 WEB-ACTIVEX TeamListViewWnd Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|3|00|E|00|8|00|6|00|A|00|0|00|C|00|-|00|F|00|E|00|7|00|D|00|-|00|4|00|5|00|7|00|3|00|-|00|A|00|4|00|1|00|D|00|-|00|6|00|B|00|5|00|B|00|0|00|0|00|C|00|C|00|F|00|E|00|2|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x003\x00E\x008\x006\x00A\x000\x00C\x00-\x00F\x00E\x007\x00D\x00-\x004\x005\x007\x003\x00-\x00A\x004\x001\x00D\x00-\x006\x00B\x005\x00B\x000\x000\x00C\x00C\x00F\x00E\x002\x002\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14299 WEB-ACTIVEX TeamListViewWnd Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vmappsdk.TeamListViewWnd"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vmappsdk\.TeamListViewWnd\x22|\x27Vmappsdk\.TeamListViewWnd\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.TeamListViewWnd\x22|\x27Vmappsdk\.TeamListViewWnd\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14300 WEB-ACTIVEX TeamListViewWnd Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|T|00|e|00|a|00|m|00|L|00|i|00|s|00|t|00|V|00|i|00|e|00|w|00|W|00|n|00|d|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00T\x00e\x00a\x00m\x00L\x00i\x00s\x00t\x00V\x00i\x00e\x00w\x00W\x00n\x00d\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00T\x00e\x00a\x00m\x00L\x00i\x00s\x00t\x00V\x00i\x00e\x00w\x00W\x00n\x00d\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14301 WEB-ACTIVEX TeamListViewWnd Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"164bdf7b-5c67-4daf-85a3-c6c927cb3d36"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*164bdf7b-5c67-4daf-85a3-c6c927cb3d36\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14302 WEB-ACTIVEX VMStatusbarCtl Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|6|00|4|00|b|00|d|00|f|00|7|00|b|00|-|00|5|00|c|00|6|00|7|00|-|00|4|00|d|00|a|00|f|00|-|00|8|00|5|00|a|00|3|00|-|00|c|00|6|00|c|00|9|00|2|00|7|00|c|00|b|00|3|00|d|00|3|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x006\x004\x00b\x00d\x00f\x007\x00b\x00-\x005\x00c\x006\x007\x00-\x004\x00d\x00a\x00f\x00-\x008\x005\x00a\x003\x00-\x00c\x006\x00c\x009\x002\x007\x00c\x00b\x003\x00d\x003\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14303 WEB-ACTIVEX VMStatusbarCtl Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vmappsdk.VMStatusbarCtl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vmappsdk\.VMStatusbarCtl\x22|\x27Vmappsdk\.VMStatusbarCtl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.VMStatusbarCtl\x22|\x27Vmappsdk\.VMStatusbarCtl\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14304 WEB-ACTIVEX VMStatusbarCtl Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|V|00|M|00|S|00|t|00|a|00|t|00|u|00|s|00|b|00|a|00|r|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00S\x00t\x00a\x00t\x00u\x00s\x00b\x00a\x00r\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00S\x00t\x00a\x00t\x00u\x00s\x00b\x00a\x00r\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14305 WEB-ACTIVEX VMStatusbarCtl Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"17376C4D-A75F-4535-82EB-FF80EE02E405"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*17376C4D-A75F-4535-82EB-FF80EE02E405\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14306 WEB-ACTIVEX Vmc2vmx.CoVPCConfiguration ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|7|00|3|00|7|00|6|00|C|00|4|00|D|00|-|00|A|00|7|00|5|00|F|00|-|00|4|00|5|00|3|00|5|00|-|00|8|00|2|00|E|00|B|00|-|00|F|00|F|00|8|00|0|00|E|00|E|00|0|00|2|00|E|00|4|00|0|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x007\x003\x007\x006\x00C\x004\x00D\x00-\x00A\x007\x005\x00F\x00-\x004\x005\x003\x005\x00-\x008\x002\x00E\x00B\x00-\x00F\x00F\x008\x000\x00E\x00E\x000\x002\x00E\x004\x000\x005\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14307 WEB-ACTIVEX Vmc2vmx.CoVPCConfiguration ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vmc2vmx.CoVPCConfiguration"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vmc2vmx\.CoVPCConfiguration\x22|\x27Vmc2vmx\.CoVPCConfiguration\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmc2vmx\.CoVPCConfiguration\x22|\x27Vmc2vmx\.CoVPCConfiguration\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14308 WEB-ACTIVEX Vmc2vmx.CoVPCConfiguration ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|c|00|2|00|v|00|m|00|x|00|.|00|C|00|o|00|V|00|P|00|C|00|C|00|o|00|n|00|f|00|i|00|g|00|u|00|r|00|a|00|t|00|i|00|o|00|n|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00c\x002\x00v\x00m\x00x\x00.\x00C\x00o\x00V\x00P\x00C\x00C\x00o\x00n\x00f\x00i\x00g\x00u\x00r\x00a\x00t\x00i\x00o\x00n\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00c\x002\x00v\x00m\x00x\x00.\x00C\x00o\x00V\x00P\x00C\x00C\x00o\x00n\x00f\x00i\x00g\x00u\x00r\x00a\x00t\x00i\x00o\x00n\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14309 WEB-ACTIVEX Vmc2vmx.CoVPCConfiguration ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1c4387ae-2b23-4c45-8bc6-c1dfbddfb249"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1c4387ae-2b23-4c45-8bc6-c1dfbddfb249\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14310 WEB-ACTIVEX VmdbUpdate Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|c|00|4|00|3|00|8|00|7|00|a|00|e|00|-|00|2|00|b|00|2|00|3|00|-|00|4|00|c|00|4|00|5|00|-|00|8|00|b|00|c|00|6|00|-|00|c|00|1|00|d|00|f|00|b|00|d|00|d|00|f|00|b|00|2|00|4|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x00c\x004\x003\x008\x007\x00a\x00e\x00-\x002\x00b\x002\x003\x00-\x004\x00c\x004\x005\x00-\x008\x00b\x00c\x006\x00-\x00c\x001\x00d\x00f\x00b\x00d\x00d\x00f\x00b\x002\x004\x009\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14311 WEB-ACTIVEX VmdbUpdate Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmdbCOM.VmdbUpdate"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmdbCOM\.VmdbUpdate\x22|\x27vmdbCOM\.VmdbUpdate\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VmdbUpdate\x22|\x27vmdbCOM\.VmdbUpdate\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14312 WEB-ACTIVEX VmdbUpdate Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|U|00|p|00|d|00|a|00|t|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00U\x00p\x00d\x00a\x00t\x00e\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00U\x00p\x00d\x00a\x00t\x00e\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14313 WEB-ACTIVEX VmdbUpdate Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1dd25558-dda3-476a-a81c-a07b62f33725"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1dd25558-dda3-476a-a81c-a07b62f33725\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14314 WEB-ACTIVEX VMWare unspecified 1 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|d|00|d|00|2|00|5|00|5|00|5|00|8|00|-|00|d|00|d|00|a|00|3|00|-|00|4|00|7|00|6|00|a|00|-|00|a|00|8|00|1|00|c|00|-|00|a|00|0|00|7|00|b|00|6|00|2|00|f|00|3|00|3|00|7|00|2|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x00d\x00d\x002\x005\x005\x005\x008\x00-\x00d\x00d\x00a\x003\x00-\x004\x007\x006\x00a\x00-\x00a\x008\x001\x00c\x00-\x00a\x000\x007\x00b\x006\x002\x00f\x003\x003\x007\x002\x005\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14315 WEB-ACTIVEX VMWare unspecified 1 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"22ff5311-53a4-4335-a2d9-b75e5731bbab"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*22ff5311-53a4-4335-a2d9-b75e5731bbab\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14316 WEB-ACTIVEX VmdbExecuteError Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|2|00|f|00|f|00|5|00|3|00|1|00|1|00|-|00|5|00|3|00|a|00|4|00|-|00|4|00|3|00|3|00|5|00|-|00|a|00|2|00|d|00|9|00|-|00|b|00|7|00|5|00|e|00|5|00|7|00|3|00|1|00|b|00|b|00|a|00|b|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x002\x00f\x00f\x005\x003\x001\x001\x00-\x005\x003\x00a\x004\x00-\x004\x003\x003\x005\x00-\x00a\x002\x00d\x009\x00-\x00b\x007\x005\x00e\x005\x007\x003\x001\x00b\x00b\x00a\x00b\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14317 WEB-ACTIVEX VmdbExecuteError Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VmdbCOM.VmdbExecuteError"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VmdbCOM\.VmdbExecuteError\x22|\x27VmdbCOM\.VmdbExecuteError\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VmdbCOM\.VmdbExecuteError\x22|\x27VmdbCOM\.VmdbExecuteError\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14318 WEB-ACTIVEX VmdbExecuteError Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|E|00|r|00|r|00|o|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00E\x00x\x00e\x00c\x00u\x00t\x00e\x00E\x00r\x00r\x00o\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00E\x00x\x00e\x00c\x00u\x00t\x00e\x00E\x00r\x00r\x00o\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14319 WEB-ACTIVEX VmdbExecuteError Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"271DC252-6FE1-4D59-9053-E4CF50AB99DE"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*271DC252-6FE1-4D59-9053-E4CF50AB99DE\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14320 WEB-ACTIVEX VMWare unspecified 2 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|7|00|1|00|D|00|C|00|2|00|5|00|2|00|-|00|6|00|F|00|E|00|1|00|-|00|4|00|D|00|5|00|9|00|-|00|9|00|0|00|5|00|3|00|-|00|E|00|4|00|C|00|F|00|5|00|0|00|A|00|B|00|9|00|9|00|D|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x007\x001\x00D\x00C\x002\x005\x002\x00-\x006\x00F\x00E\x001\x00-\x004\x00D\x005\x009\x00-\x009\x000\x005\x003\x00-\x00E\x004\x00C\x00F\x005\x000\x00A\x00B\x009\x009\x00D\x00E\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14321 WEB-ACTIVEX VMWare unspecified 2 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"27602AF3-CEFF-4962-BE29-6FB66BCB9297"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*27602AF3-CEFF-4962-BE29-6FB66BCB9297\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14322 WEB-ACTIVEX reconfig.SysImageUti ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|7|00|6|00|0|00|2|00|A|00|F|00|3|00|-|00|C|00|E|00|F|00|F|00|-|00|4|00|9|00|6|00|2|00|-|00|B|00|E|00|2|00|9|00|-|00|6|00|F|00|B|00|6|00|6|00|B|00|C|00|B|00|9|00|2|00|9|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x007\x006\x000\x002\x00A\x00F\x003\x00-\x00C\x00E\x00F\x00F\x00-\x004\x009\x006\x002\x00-\x00B\x00E\x002\x009\x00-\x006\x00F\x00B\x006\x006\x00B\x00C\x00B\x009\x002\x009\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14323 WEB-ACTIVEX reconfig.SysImageUti ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"reconfig.SysImageUti"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22reconfig\.SysImageUti\x22|\x27reconfig\.SysImageUti\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22reconfig\.SysImageUti\x22|\x27reconfig\.SysImageUti\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14324 WEB-ACTIVEX reconfig.SysImageUti ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"r|00|e|00|c|00|o|00|n|00|f|00|i|00|g|00|.|00|S|00|y|00|s|00|I|00|m|00|a|00|g|00|e|00|U|00|t|00|i|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)r\x00e\x00c\x00o\x00n\x00f\x00i\x00g\x00.\x00S\x00y\x00s\x00I\x00m\x00a\x00g\x00e\x00U\x00t\x00i\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)r\x00e\x00c\x00o\x00n\x00f\x00i\x00g\x00.\x00S\x00y\x00s\x00I\x00m\x00a\x00g\x00e\x00U\x00t\x00i\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14325 WEB-ACTIVEX reconfig.SysImageUti ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2c10a98f-d64f-43b4-bed6-dd0e1bf2074c"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2c10a98f-d64f-43b4-bed6-dd0e1bf2074c\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14326 WEB-ACTIVEX Microsoft Visual Database Tools Query Designer V7.0 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|c|00|1|00|0|00|a|00|9|00|8|00|f|00|-|00|d|00|6|00|4|00|f|00|-|00|4|00|3|00|b|00|4|00|-|00|b|00|e|00|d|00|6|00|-|00|d|00|d|00|0|00|e|00|1|00|b|00|f|00|2|00|0|00|7|00|4|00|c|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x00c\x001\x000\x00a\x009\x008\x00f\x00-\x00d\x006\x004\x00f\x00-\x004\x003\x00b\x004\x00-\x00b\x00e\x00d\x006\x00-\x00d\x00d\x000\x00e\x001\x00b\x00f\x002\x000\x007\x004\x00c\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14327 WEB-ACTIVEX Microsoft Visual Database Tools Query Designer V7.0 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"MSVDTQueryDesigne"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22MSVDTQueryDesigne\x22|\x27MSVDTQueryDesigne\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSVDTQueryDesigne\x22|\x27MSVDTQueryDesigne\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14328 WEB-ACTIVEX Microsoft Visual Database Tools Query Designer V7.0 ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"M|00|S|00|V|00|D|00|T|00|Q|00|u|00|e|00|r|00|y|00|D|00|e|00|s|00|i|00|g|00|n|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)M\x00S\x00V\x00D\x00T\x00Q\x00u\x00e\x00r\x00y\x00D\x00e\x00s\x00i\x00g\x00n\x00e\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)M\x00S\x00V\x00D\x00T\x00Q\x00u\x00e\x00r\x00y\x00D\x00e\x00s\x00i\x00g\x00n\x00e\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14329 WEB-ACTIVEX Microsoft Visual Database Tools Query Designer V7.0 ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2e1c00eb-6468-40ae-94b3-2c8d80080f21"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2e1c00eb-6468-40ae-94b3-2c8d80080f21\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14330 WEB-ACTIVEX VmdbContext Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|e|00|1|00|c|00|0|00|0|00|e|00|b|00|-|00|6|00|4|00|6|00|8|00|-|00|4|00|0|00|a|00|e|00|-|00|9|00|4|00|b|00|3|00|-|00|2|00|c|00|8|00|d|00|8|00|0|00|0|00|8|00|0|00|f|00|2|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x00e\x001\x00c\x000\x000\x00e\x00b\x00-\x006\x004\x006\x008\x00-\x004\x000\x00a\x00e\x00-\x009\x004\x00b\x003\x00-\x002\x00c\x008\x00d\x008\x000\x000\x008\x000\x00f\x002\x001\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14331 WEB-ACTIVEX VmdbContext Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmdbCOM.VmdbContext"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmdbCOM\.VmdbContext\x22|\x27vmdbCOM\.VmdbContext\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VmdbContext\x22|\x27vmdbCOM\.VmdbContext\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14332 WEB-ACTIVEX VmdbContext Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|C|00|o|00|n|00|t|00|e|00|x|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00C\x00o\x00n\x00t\x00e\x00x\x00t\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00C\x00o\x00n\x00t\x00e\x00x\x00t\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14333 WEB-ACTIVEX VmdbContext Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"315cb05d-691f-4208-af14-0fa2fbb2cad6"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*315cb05d-691f-4208-af14-0fa2fbb2cad6\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14334 WEB-ACTIVEX VMClientVMs Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|1|00|5|00|c|00|b|00|0|00|5|00|d|00|-|00|6|00|9|00|1|00|f|00|-|00|4|00|2|00|0|00|8|00|-|00|a|00|f|00|1|00|4|00|-|00|0|00|f|00|a|00|2|00|f|00|b|00|b|00|2|00|c|00|a|00|d|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x001\x005\x00c\x00b\x000\x005\x00d\x00-\x006\x009\x001\x00f\x00-\x004\x002\x000\x008\x00-\x00a\x00f\x001\x004\x00-\x000\x00f\x00a\x002\x00f\x00b\x00b\x002\x00c\x00a\x00d\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14335 WEB-ACTIVEX VMClientVMs Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmdbCOM.VMClientVMs"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmdbCOM\.VMClientVMs\x22|\x27vmdbCOM\.VMClientVMs\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VMClientVMs\x22|\x27vmdbCOM\.VMClientVMs\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14336 WEB-ACTIVEX VMClientVMs Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|M|00|C|00|l|00|i|00|e|00|n|00|t|00|V|00|M|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00C\x00l\x00i\x00e\x00n\x00t\x00V\x00M\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00C\x00l\x00i\x00e\x00n\x00t\x00V\x00M\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14337 WEB-ACTIVEX VMClientVMs Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"37592010-a488-45dd-bf6d-00cc1b6fc0ce"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*37592010-a488-45dd-bf6d-00cc1b6fc0ce\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14338 WEB-ACTIVEX vmappPropObj Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|7|00|5|00|9|00|2|00|0|00|1|00|0|00|-|00|a|00|4|00|8|00|8|00|-|00|4|00|5|00|d|00|d|00|-|00|b|00|f|00|6|00|d|00|-|00|0|00|0|00|c|00|c|00|1|00|b|00|6|00|f|00|c|00|0|00|c|00|e|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x007\x005\x009\x002\x000\x001\x000\x00-\x00a\x004\x008\x008\x00-\x004\x005\x00d\x00d\x00-\x00b\x00f\x006\x00d\x00-\x000\x000\x00c\x00c\x001\x00b\x006\x00f\x00c\x000\x00c\x00e\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14339 WEB-ACTIVEX vmappPropObj Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmappsdk.VmappPropObj"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmappsdk\.VmappPropObj\x22|\x27vmappsdk\.VmappPropObj\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmappsdk\.VmappPropObj\x22|\x27vmappsdk\.VmappPropObj\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14340 WEB-ACTIVEX vmappPropObj Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|V|00|m|00|a|00|p|00|p|00|P|00|r|00|o|00|p|00|O|00|b|00|j|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00m\x00a\x00p\x00p\x00P\x00r\x00o\x00p\x00O\x00b\x00j\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00m\x00a\x00p\x00p\x00P\x00r\x00o\x00p\x00O\x00b\x00j\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14341 WEB-ACTIVEX vmappPropObj Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3cdeda3a-114b-455e-8c8b-224db4bf29c2"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3cdeda3a-114b-455e-8c8b-224db4bf29c2\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14342 WEB-ACTIVEX VMWare unspecified 3 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|c|00|d|00|e|00|d|00|a|00|3|00|a|00|-|00|1|00|1|00|4|00|b|00|-|00|4|00|5|00|5|00|e|00|-|00|8|00|c|00|8|00|b|00|-|00|2|00|2|00|4|00|d|00|b|00|4|00|b|00|f|00|2|00|9|00|c|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x00c\x00d\x00e\x00d\x00a\x003\x00a\x00-\x001\x001\x004\x00b\x00-\x004\x005\x005\x00e\x00-\x008\x00c\x008\x00b\x00-\x002\x002\x004\x00d\x00b\x004\x00b\x00f\x002\x009\x00c\x002\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14343 WEB-ACTIVEX VMWare unspecified 3 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3d41639a-88cc-43d2-b6cb-2ce98a24509d"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3d41639a-88cc-43d2-b6cb-2ce98a24509d\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14344 WEB-ACTIVEX VMMsg Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|d|00|4|00|1|00|6|00|3|00|9|00|a|00|-|00|8|00|8|00|c|00|c|00|-|00|4|00|3|00|d|00|2|00|-|00|b|00|6|00|c|00|b|00|-|00|2|00|c|00|e|00|9|00|8|00|a|00|2|00|4|00|5|00|0|00|9|00|d|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x00d\x004\x001\x006\x003\x009\x00a\x00-\x008\x008\x00c\x00c\x00-\x004\x003\x00d\x002\x00-\x00b\x006\x00c\x00b\x00-\x002\x00c\x00e\x009\x008\x00a\x002\x004\x005\x000\x009\x00d\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14345 WEB-ACTIVEX VMMsg Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vmappsdk.VMMsg"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vmappsdk\.VMMsg\x22|\x27Vmappsdk\.VMMsg\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.VMMsg\x22|\x27Vmappsdk\.VMMsg\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14346 WEB-ACTIVEX VMMsg Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|V|00|M|00|M|00|s|00|g|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00M\x00s\x00g\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00M\x00s\x00g\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14347 WEB-ACTIVEX VMMsg Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3ddf644a-0e1a-4543-9595-4b917707a9a7"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3ddf644a-0e1a-4543-9595-4b917707a9a7\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14348 WEB-ACTIVEX VMWare unspecified 4 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|d|00|d|00|f|00|6|00|4|00|4|00|a|00|-|00|0|00|e|00|1|00|a|00|-|00|4|00|5|00|4|00|3|00|-|00|9|00|5|00|9|00|5|00|-|00|4|00|b|00|9|00|1|00|7|00|7|00|0|00|7|00|a|00|9|00|a|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x00d\x00d\x00f\x006\x004\x004\x00a\x00-\x000\x00e\x001\x00a\x00-\x004\x005\x004\x003\x00-\x009\x005\x009\x005\x00-\x004\x00b\x009\x001\x007\x007\x000\x007\x00a\x009\x00a\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14349 WEB-ACTIVEX VMWare unspecified 4 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"41DF0779-3632-4790-B40F-C44CFCF55CB6"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*41DF0779-3632-4790-B40F-C44CFCF55CB6\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14350 WEB-ACTIVEX reconfig.PopulatedDi ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|1|00|D|00|F|00|0|00|7|00|7|00|9|00|-|00|3|00|6|00|3|00|2|00|-|00|4|00|7|00|9|00|0|00|-|00|B|00|4|00|0|00|F|00|-|00|C|00|4|00|4|00|C|00|F|00|C|00|F|00|5|00|5|00|C|00|B|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x001\x00D\x00F\x000\x007\x007\x009\x00-\x003\x006\x003\x002\x00-\x004\x007\x009\x000\x00-\x00B\x004\x000\x00F\x00-\x00C\x004\x004\x00C\x00F\x00C\x00F\x005\x005\x00C\x00B\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14351 WEB-ACTIVEX reconfig.PopulatedDi ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"reconfig.PopulatedDi"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22reconfig\.PopulatedDi\x22|\x27reconfig\.PopulatedDi\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22reconfig\.PopulatedDi\x22|\x27reconfig\.PopulatedDi\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14352 WEB-ACTIVEX reconfig.PopulatedDi ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"r|00|e|00|c|00|o|00|n|00|f|00|i|00|g|00|.|00|P|00|o|00|p|00|u|00|l|00|a|00|t|00|e|00|d|00|D|00|i|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)r\x00e\x00c\x00o\x00n\x00f\x00i\x00g\x00.\x00P\x00o\x00p\x00u\x00l\x00a\x00t\x00e\x00d\x00D\x00i\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)r\x00e\x00c\x00o\x00n\x00f\x00i\x00g\x00.\x00P\x00o\x00p\x00u\x00l\x00a\x00t\x00e\x00d\x00D\x00i\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14353 WEB-ACTIVEX reconfig.PopulatedDi ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"420F0000-71EB-4757-B979-418F039FC1F9"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*420F0000-71EB-4757-B979-418F039FC1F9\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14354 WEB-ACTIVEX Elevated.ElevMgr ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|2|00|0|00|F|00|0|00|0|00|0|00|0|00|-|00|7|00|1|00|E|00|B|00|-|00|4|00|7|00|5|00|7|00|-|00|B|00|9|00|7|00|9|00|-|00|4|00|1|00|8|00|F|00|0|00|3|00|9|00|F|00|C|00|1|00|F|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x002\x000\x00F\x000\x000\x000\x000\x00-\x007\x001\x00E\x00B\x00-\x004\x007\x005\x007\x00-\x00B\x009\x007\x009\x00-\x004\x001\x008\x00F\x000\x003\x009\x00F\x00C\x001\x00F\x009\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14355 WEB-ACTIVEX Elevated.ElevMgr ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Elevated.ElevMgr"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Elevated\.ElevMgr\x22|\x27Elevated\.ElevMgr\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Elevated\.ElevMgr\x22|\x27Elevated\.ElevMgr\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14356 WEB-ACTIVEX Elevated.ElevMgr ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|l|00|e|00|v|00|a|00|t|00|e|00|d|00|.|00|E|00|l|00|e|00|v|00|M|00|g|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)E\x00l\x00e\x00v\x00a\x00t\x00e\x00d\x00.\x00E\x00l\x00e\x00v\x00M\x00g\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)E\x00l\x00e\x00v\x00a\x00t\x00e\x00d\x00.\x00E\x00l\x00e\x00v\x00M\x00g\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14357 WEB-ACTIVEX Elevated.ElevMgr ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4249304b-198d-4b81-8250-29445ed99c2f"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4249304b-198d-4b81-8250-29445ed99c2f\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14358 WEB-ACTIVEX VMWare unspecified 5 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|2|00|4|00|9|00|3|00|0|00|4|00|b|00|-|00|1|00|9|00|8|00|d|00|-|00|4|00|b|00|8|00|1|00|-|00|8|00|2|00|5|00|0|00|-|00|2|00|9|00|4|00|4|00|5|00|e|00|d|00|9|00|9|00|c|00|2|00|f|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x002\x004\x009\x003\x000\x004\x00b\x00-\x001\x009\x008\x00d\x00-\x004\x00b\x008\x001\x00-\x008\x002\x005\x000\x00-\x002\x009\x004\x004\x005\x00e\x00d\x009\x009\x00c\x002\x00f\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14359 WEB-ACTIVEX VMWare unspecified 5 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"44d188a8-f3c4-49fe-96eb-a416259d7c4a"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*44d188a8-f3c4-49fe-96eb-a416259d7c4a\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14360 WEB-ACTIVEX HardwareCtl Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|4|00|d|00|1|00|8|00|8|00|a|00|8|00|-|00|f|00|3|00|c|00|4|00|-|00|4|00|9|00|f|00|e|00|-|00|9|00|6|00|e|00|b|00|-|00|a|00|4|00|1|00|6|00|2|00|5|00|9|00|d|00|7|00|c|00|4|00|a|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x004\x00d\x001\x008\x008\x00a\x008\x00-\x00f\x003\x00c\x004\x00-\x004\x009\x00f\x00e\x00-\x009\x006\x00e\x00b\x00-\x00a\x004\x001\x006\x002\x005\x009\x00d\x007\x00c\x004\x00a\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14361 WEB-ACTIVEX HardwareCtl Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vmappsdk.HardwareCtl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vmappsdk\.HardwareCtl\x22|\x27Vmappsdk\.HardwareCtl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.HardwareCtl\x22|\x27Vmappsdk\.HardwareCtl\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14362 WEB-ACTIVEX HardwareCtl Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|H|00|a|00|r|00|d|00|w|00|a|00|r|00|e|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00H\x00a\x00r\x00d\x00w\x00a\x00r\x00e\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00H\x00a\x00r\x00d\x00w\x00a\x00r\x00e\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14363 WEB-ACTIVEX HardwareCtl Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"47266690-b412-4a6c-a072-2e97ce86a0b6"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*47266690-b412-4a6c-a072-2e97ce86a0b6\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14364 WEB-ACTIVEX VMWare unspecified 6 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|7|00|2|00|6|00|6|00|6|00|9|00|0|00|-|00|b|00|4|00|1|00|2|00|-|00|4|00|a|00|6|00|c|00|-|00|a|00|0|00|7|00|2|00|-|00|2|00|e|00|9|00|7|00|c|00|e|00|8|00|6|00|a|00|0|00|b|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x007\x002\x006\x006\x006\x009\x000\x00-\x00b\x004\x001\x002\x00-\x004\x00a\x006\x00c\x00-\x00a\x000\x007\x002\x00-\x002\x00e\x009\x007\x00c\x00e\x008\x006\x00a\x000\x00b\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14365 WEB-ACTIVEX VMWare unspecified 6 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"477ca8b0-4c2a-40c9-a440-28acb95cfad8"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*477ca8b0-4c2a-40c9-a440-28acb95cfad8\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14366 WEB-ACTIVEX VmdbQuery Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|7|00|7|00|c|00|a|00|8|00|b|00|0|00|-|00|4|00|c|00|2|00|a|00|-|00|4|00|0|00|c|00|9|00|-|00|a|00|4|00|4|00|0|00|-|00|2|00|8|00|a|00|c|00|b|00|9|00|5|00|c|00|f|00|a|00|d|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x007\x007\x00c\x00a\x008\x00b\x000\x00-\x004\x00c\x002\x00a\x00-\x004\x000\x00c\x009\x00-\x00a\x004\x004\x000\x00-\x002\x008\x00a\x00c\x00b\x009\x005\x00c\x00f\x00a\x00d\x008\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14367 WEB-ACTIVEX VmdbQuery Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VmdbCOM.VmdbQuery"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VmdbCOM\.VmdbQuery\x22|\x27VmdbCOM\.VmdbQuery\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VmdbCOM\.VmdbQuery\x22|\x27VmdbCOM\.VmdbQuery\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14368 WEB-ACTIVEX VmdbQuery Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|Q|00|u|00|e|00|r|00|y|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00Q\x00u\x00e\x00r\x00y\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00Q\x00u\x00e\x00r\x00y\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14369 WEB-ACTIVEX VmdbQuery Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"48a70f00-ae14-46ce-ac17-d2290d504b37"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*48a70f00-ae14-46ce-ac17-d2290d504b37\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14370 WEB-ACTIVEX vmappPropObj2 Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|8|00|a|00|7|00|0|00|f|00|0|00|0|00|-|00|a|00|e|00|1|00|4|00|-|00|4|00|6|00|c|00|e|00|-|00|a|00|c|00|1|00|7|00|-|00|d|00|2|00|2|00|9|00|0|00|d|00|5|00|0|00|4|00|b|00|3|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x008\x00a\x007\x000\x00f\x000\x000\x00-\x00a\x00e\x001\x004\x00-\x004\x006\x00c\x00e\x00-\x00a\x00c\x001\x007\x00-\x00d\x002\x002\x009\x000\x00d\x005\x000\x004\x00b\x003\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14371 WEB-ACTIVEX vmappPropObj2 Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmappsdk.VmappPropObj2"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmappsdk\.VmappPropObj2\x22|\x27vmappsdk\.VmappPropObj2\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmappsdk\.VmappPropObj2\x22|\x27vmappsdk\.VmappPropObj2\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14372 WEB-ACTIVEX vmappPropObj2 Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|V|00|m|00|a|00|p|00|p|00|P|00|r|00|o|00|p|00|O|00|b|00|j|00|2|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00m\x00a\x00p\x00p\x00P\x00r\x00o\x00p\x00O\x00b\x00j\x002\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00m\x00a\x00p\x00p\x00P\x00r\x00o\x00p\x00O\x00b\x00j\x002\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14373 WEB-ACTIVEX vmappPropObj2 Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"48e72e42-2d79-4d94-99f6-c859f3a46d42"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*48e72e42-2d79-4d94-99f6-c859f3a46d42\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14374 WEB-ACTIVEX VmappPoll Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|8|00|e|00|7|00|2|00|e|00|4|00|2|00|-|00|2|00|d|00|7|00|9|00|-|00|4|00|d|00|9|00|4|00|-|00|9|00|9|00|f|00|6|00|-|00|c|00|8|00|5|00|9|00|f|00|3|00|a|00|4|00|6|00|d|00|4|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x008\x00e\x007\x002\x00e\x004\x002\x00-\x002\x00d\x007\x009\x00-\x004\x00d\x009\x004\x00-\x009\x009\x00f\x006\x00-\x00c\x008\x005\x009\x00f\x003\x00a\x004\x006\x00d\x004\x002\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14375 WEB-ACTIVEX VmappPoll Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmdbCOM.vmappPoll"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmdbCOM\.vmappPoll\x22|\x27vmdbCOM\.vmappPoll\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.vmappPoll\x22|\x27vmdbCOM\.vmappPoll\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14376 WEB-ACTIVEX VmappPoll Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|v|00|m|00|a|00|p|00|p|00|P|00|o|00|l|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00v\x00m\x00a\x00p\x00p\x00P\x00o\x00l\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00v\x00m\x00a\x00p\x00p\x00P\x00o\x00l\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14377 WEB-ACTIVEX VmappPoll Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4cc34b9f-1536-4330-adfb-b0a68ce3d856"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4cc34b9f-1536-4330-adfb-b0a68ce3d856\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14378 WEB-ACTIVEX VMClient Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|c|00|c|00|3|00|4|00|b|00|9|00|f|00|-|00|1|00|5|00|3|00|6|00|-|00|4|00|3|00|3|00|0|00|-|00|a|00|d|00|f|00|b|00|-|00|b|00|0|00|a|00|6|00|8|00|c|00|e|00|3|00|d|00|8|00|5|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x00c\x00c\x003\x004\x00b\x009\x00f\x00-\x001\x005\x003\x006\x00-\x004\x003\x003\x000\x00-\x00a\x00d\x00f\x00b\x00-\x00b\x000\x00a\x006\x008\x00c\x00e\x003\x00d\x008\x005\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14379 WEB-ACTIVEX VMClient Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmdbCOM.VMClient"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmdbCOM\.VMClient\x22|\x27vmdbCOM\.VMClient\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VMClient\x22|\x27vmdbCOM\.VMClient\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14380 WEB-ACTIVEX VMClient Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|M|00|C|00|l|00|i|00|e|00|n|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00C\x00l\x00i\x00e\x00n\x00t\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00C\x00l\x00i\x00e\x00n\x00t\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14381 WEB-ACTIVEX VMClient Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5647DAF6-85BE-4173-88E7-749322B243BE"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5647DAF6-85BE-4173-88E7-749322B243BE\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14382 WEB-ACTIVEX Pq2vcom.Pq2v ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|6|00|4|00|7|00|D|00|A|00|F|00|6|00|-|00|8|00|5|00|B|00|E|00|-|00|4|00|1|00|7|00|3|00|-|00|8|00|8|00|E|00|7|00|-|00|7|00|4|00|9|00|3|00|2|00|2|00|B|00|2|00|4|00|3|00|B|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x006\x004\x007\x00D\x00A\x00F\x006\x00-\x008\x005\x00B\x00E\x00-\x004\x001\x007\x003\x00-\x008\x008\x00E\x007\x00-\x007\x004\x009\x003\x002\x002\x00B\x002\x004\x003\x00B\x00E\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14383 WEB-ACTIVEX Pq2vcom.Pq2v ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Pq2vcom.Pq2v"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Pq2vcom\.Pq2v\x22|\x27Pq2vcom\.Pq2v\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Pq2vcom\.Pq2v\x22|\x27Pq2vcom\.Pq2v\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14384 WEB-ACTIVEX Pq2vcom.Pq2v ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"P|00|q|00|2|00|v|00|c|00|o|00|m|00|.|00|P|00|q|00|2|00|v|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)P\x00q\x002\x00v\x00c\x00o\x00m\x00.\x00P\x00q\x002\x00v\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)P\x00q\x002\x00v\x00c\x00o\x00m\x00.\x00P\x00q\x002\x00v\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14385 WEB-ACTIVEX Pq2vcom.Pq2v ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5a8cce1b-1845-4a4b-9b89-c5a97d2acae2"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5a8cce1b-1845-4a4b-9b89-c5a97d2acae2\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14386 WEB-ACTIVEX VmdbSchema Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|a|00|8|00|c|00|c|00|e|00|1|00|b|00|-|00|1|00|8|00|4|00|5|00|-|00|4|00|a|00|4|00|b|00|-|00|9|00|b|00|8|00|9|00|-|00|c|00|5|00|a|00|9|00|7|00|d|00|2|00|a|00|c|00|a|00|e|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x00a\x008\x00c\x00c\x00e\x001\x00b\x00-\x001\x008\x004\x005\x00-\x004\x00a\x004\x00b\x00-\x009\x00b\x008\x009\x00-\x00c\x005\x00a\x009\x007\x00d\x002\x00a\x00c\x00a\x00e\x002\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14387 WEB-ACTIVEX VmdbSchema Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmdbCOM.VmdbSchema"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmdbCOM\.VmdbSchema\x22|\x27vmdbCOM\.VmdbSchema\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VmdbSchema\x22|\x27vmdbCOM\.VmdbSchema\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14388 WEB-ACTIVEX VmdbSchema Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|S|00|c|00|h|00|e|00|m|00|a|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00S\x00c\x00h\x00e\x00m\x00a\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00S\x00c\x00h\x00e\x00m\x00a\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14389 WEB-ACTIVEX VmdbSchema Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1AF378DE-4574-4bb0-A5DF-F78FCAD28707"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1AF378DE-4574-4bb0-A5DF-F78FCAD28707\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14390 WEB-ACTIVEX Vie2Lib.Vie2LinuxVolume ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|A|00|F|00|3|00|7|00|8|00|D|00|E|00|-|00|4|00|5|00|7|00|4|00|-|00|4|00|b|00|b|00|0|00|-|00|A|00|5|00|D|00|F|00|-|00|F|00|7|00|8|00|F|00|C|00|A|00|D|00|2|00|8|00|7|00|0|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x00A\x00F\x003\x007\x008\x00D\x00E\x00-\x004\x005\x007\x004\x00-\x004\x00b\x00b\x000\x00-\x00A\x005\x00D\x00F\x00-\x00F\x007\x008\x00F\x00C\x00A\x00D\x002\x008\x007\x000\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14391 WEB-ACTIVEX Vie2Lib.Vie2LinuxVolume ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vie2Lib.Vie2LinuxVolume"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vie2Lib\.Vie2LinuxVolume\x22|\x27Vie2Lib\.Vie2LinuxVolume\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vie2Lib\.Vie2LinuxVolume\x22|\x27Vie2Lib\.Vie2LinuxVolume\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14392 WEB-ACTIVEX Vie2Lib.Vie2LinuxVolume ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|i|00|e|00|2|00|L|00|i|00|b|00|.|00|V|00|i|00|e|00|2|00|L|00|i|00|n|00|u|00|x|00|V|00|o|00|l|00|u|00|m|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00i\x00e\x002\x00L\x00i\x00b\x00.\x00V\x00i\x00e\x002\x00L\x00i\x00n\x00u\x00x\x00V\x00o\x00l\x00u\x00m\x00e\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00i\x00e\x002\x00L\x00i\x00b\x00.\x00V\x00i\x00e\x002\x00L\x00i\x00n\x00u\x00x\x00V\x00o\x00l\x00u\x00m\x00e\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14393 WEB-ACTIVEX Vie2Lib.Vie2LinuxVolume ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6874E949-7186-4308-A1B9-D55A91F60728"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6874E949-7186-4308-A1B9-D55A91F60728\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14394 WEB-ACTIVEX VixCOM.VixLib ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|8|00|7|00|4|00|E|00|9|00|4|00|9|00|-|00|7|00|1|00|8|00|6|00|-|00|4|00|3|00|0|00|8|00|-|00|A|00|1|00|B|00|9|00|-|00|D|00|5|00|5|00|A|00|9|00|1|00|F|00|6|00|0|00|7|00|2|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x008\x007\x004\x00E\x009\x004\x009\x00-\x007\x001\x008\x006\x00-\x004\x003\x000\x008\x00-\x00A\x001\x00B\x009\x00-\x00D\x005\x005\x00A\x009\x001\x00F\x006\x000\x007\x002\x008\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14395 WEB-ACTIVEX VixCOM.VixLib ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VixCOM.VixLib"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VixCOM\.VixLib\x22|\x27VixCOM\.VixLib\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VixCOM\.VixLib\x22|\x27VixCOM\.VixLib\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14396 WEB-ACTIVEX VixCOM.VixLib ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|i|00|x|00|C|00|O|00|M|00|.|00|V|00|i|00|x|00|L|00|i|00|b|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00i\x00x\x00C\x00O\x00M\x00.\x00V\x00i\x00x\x00L\x00i\x00b\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00i\x00x\x00C\x00O\x00M\x00.\x00V\x00i\x00x\x00L\x00i\x00b\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14397 WEB-ACTIVEX VixCOM.VixLib ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"68F1E07B-609F-4b87-9D57-A879023A75FC"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*68F1E07B-609F-4b87-9D57-A879023A75FC\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14398 WEB-ACTIVEX vmappsdk.CuiObj ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|8|00|F|00|1|00|E|00|0|00|7|00|B|00|-|00|6|00|0|00|9|00|F|00|-|00|4|00|b|00|8|00|7|00|-|00|9|00|D|00|5|00|7|00|-|00|A|00|8|00|7|00|9|00|0|00|2|00|3|00|A|00|7|00|5|00|F|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x008\x00F\x001\x00E\x000\x007\x00B\x00-\x006\x000\x009\x00F\x00-\x004\x00b\x008\x007\x00-\x009\x00D\x005\x007\x00-\x00A\x008\x007\x009\x000\x002\x003\x00A\x007\x005\x00F\x00C\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14399 WEB-ACTIVEX vmappsdk.CuiObj ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmappsdk.CuiObj"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmappsdk\.CuiObj\x22|\x27vmappsdk\.CuiObj\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmappsdk\.CuiObj\x22|\x27vmappsdk\.CuiObj\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14400 WEB-ACTIVEX vmappsdk.CuiObj ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|C|00|u|00|i|00|O|00|b|00|j|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00C\x00u\x00i\x00O\x00b\x00j\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00C\x00u\x00i\x00O\x00b\x00j\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14401 WEB-ACTIVEX vmappsdk.CuiObj ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6b681417-abe9-46ca-9615-8b96ec724d0c"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6b681417-abe9-46ca-9615-8b96ec724d0c\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14402 WEB-ACTIVEX RemoteBrowseDlg Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|b|00|6|00|8|00|1|00|4|00|1|00|7|00|-|00|a|00|b|00|e|00|9|00|-|00|4|00|6|00|c|00|a|00|-|00|9|00|6|00|1|00|5|00|-|00|8|00|b|00|9|00|6|00|e|00|c|00|7|00|2|00|4|00|d|00|0|00|c|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x00b\x006\x008\x001\x004\x001\x007\x00-\x00a\x00b\x00e\x009\x00-\x004\x006\x00c\x00a\x00-\x009\x006\x001\x005\x00-\x008\x00b\x009\x006\x00e\x00c\x007\x002\x004\x00d\x000\x00c\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14403 WEB-ACTIVEX RemoteBrowseDlg Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vmappsdk.RemoteBrowseDlg"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vmappsdk\.RemoteBrowseDlg\x22|\x27Vmappsdk\.RemoteBrowseDlg\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.RemoteBrowseDlg\x22|\x27Vmappsdk\.RemoteBrowseDlg\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14404 WEB-ACTIVEX RemoteBrowseDlg Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|R|00|e|00|m|00|o|00|t|00|e|00|B|00|r|00|o|00|w|00|s|00|e|00|D|00|l|00|g|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00R\x00e\x00m\x00o\x00t\x00e\x00B\x00r\x00o\x00w\x00s\x00e\x00D\x00l\x00g\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00R\x00e\x00m\x00o\x00t\x00e\x00B\x00r\x00o\x00w\x00s\x00e\x00D\x00l\x00g\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14405 WEB-ACTIVEX RemoteBrowseDlg Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6bc34d15-ee92-46b3-8c6a-03de589ab727"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6bc34d15-ee92-46b3-8c6a-03de589ab727\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14406 WEB-ACTIVEX RegVmsCtl Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|b|00|c|00|3|00|4|00|d|00|1|00|5|00|-|00|e|00|e|00|9|00|2|00|-|00|4|00|6|00|b|00|3|00|-|00|8|00|c|00|6|00|a|00|-|00|0|00|3|00|d|00|e|00|5|00|8|00|9|00|a|00|b|00|7|00|2|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x00b\x00c\x003\x004\x00d\x001\x005\x00-\x00e\x00e\x009\x002\x00-\x004\x006\x00b\x003\x00-\x008\x00c\x006\x00a\x00-\x000\x003\x00d\x00e\x005\x008\x009\x00a\x00b\x007\x002\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14407 WEB-ACTIVEX RegVmsCtl Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vmappsdk.RegVmsCtl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vmappsdk\.RegVmsCtl\x22|\x27Vmappsdk\.RegVmsCtl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.RegVmsCtl\x22|\x27Vmappsdk\.RegVmsCtl\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14408 WEB-ACTIVEX RegVmsCtl Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|R|00|e|00|g|00|V|00|m|00|s|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00R\x00e\x00g\x00V\x00m\x00s\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00R\x00e\x00g\x00V\x00m\x00s\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14409 WEB-ACTIVEX RegVmsCtl Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"733a5dfa-084e-4ecf-af13-95b852358dd3"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*733a5dfa-084e-4ecf-af13-95b852358dd3\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14410 WEB-ACTIVEX VmdbEnumTags Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|3|00|3|00|a|00|5|00|d|00|f|00|a|00|-|00|0|00|8|00|4|00|e|00|-|00|4|00|e|00|c|00|f|00|-|00|a|00|f|00|1|00|3|00|-|00|9|00|5|00|b|00|8|00|5|00|2|00|3|00|5|00|8|00|d|00|d|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x003\x003\x00a\x005\x00d\x00f\x00a\x00-\x000\x008\x004\x00e\x00-\x004\x00e\x00c\x00f\x00-\x00a\x00f\x001\x003\x00-\x009\x005\x00b\x008\x005\x002\x003\x005\x008\x00d\x00d\x003\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14411 WEB-ACTIVEX VmdbEnumTags Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmdbCOM.VmdbEnumTags"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmdbCOM\.VmdbEnumTags\x22|\x27vmdbCOM\.VmdbEnumTags\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VmdbEnumTags\x22|\x27vmdbCOM\.VmdbEnumTags\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14412 WEB-ACTIVEX VmdbEnumTags Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|E|00|n|00|u|00|m|00|T|00|a|00|g|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00E\x00n\x00u\x00m\x00T\x00a\x00g\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00E\x00n\x00u\x00m\x00T\x00a\x00g\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14413 WEB-ACTIVEX VmdbEnumTags Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"75869575-07ba-4c7e-8f8f-980dfbc12abd"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*75869575-07ba-4c7e-8f8f-980dfbc12abd\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14414 WEB-ACTIVEX VMWare unspecified 7 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|5|00|8|00|6|00|9|00|5|00|7|00|5|00|-|00|0|00|7|00|b|00|a|00|-|00|4|00|c|00|7|00|e|00|-|00|8|00|f|00|8|00|f|00|-|00|9|00|8|00|0|00|d|00|f|00|b|00|c|00|1|00|2|00|a|00|b|00|d|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x005\x008\x006\x009\x005\x007\x005\x00-\x000\x007\x00b\x00a\x00-\x004\x00c\x007\x00e\x00-\x008\x00f\x008\x00f\x00-\x009\x008\x000\x00d\x00f\x00b\x00c\x001\x002\x00a\x00b\x00d\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14415 WEB-ACTIVEX VMWare unspecified 7 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7B9C5422-39AA-4c21-BEEF-645E42EB4529"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7B9C5422-39AA-4c21-BEEF-645E42EB4529\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14416 WEB-ACTIVEX VieLib2.Vie2Process ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|B|00|9|00|C|00|5|00|4|00|2|00|2|00|-|00|3|00|9|00|A|00|A|00|-|00|4|00|c|00|2|00|1|00|-|00|B|00|E|00|E|00|F|00|-|00|6|00|4|00|5|00|E|00|4|00|2|00|E|00|B|00|4|00|5|00|2|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x00B\x009\x00C\x005\x004\x002\x002\x00-\x003\x009\x00A\x00A\x00-\x004\x00c\x002\x001\x00-\x00B\x00E\x00E\x00F\x00-\x006\x004\x005\x00E\x004\x002\x00E\x00B\x004\x005\x002\x009\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14417 WEB-ACTIVEX VieLib2.Vie2Process ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VieLib2.Vie2Process"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VieLib2\.Vie2Process\x22|\x27VieLib2\.Vie2Process\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VieLib2\.Vie2Process\x22|\x27VieLib2\.Vie2Process\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14418 WEB-ACTIVEX VieLib2.Vie2Process ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|i|00|e|00|L|00|i|00|b|00|2|00|.|00|V|00|i|00|e|00|2|00|P|00|r|00|o|00|c|00|e|00|s|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00i\x00e\x00L\x00i\x00b\x002\x00.\x00V\x00i\x00e\x002\x00P\x00r\x00o\x00c\x00e\x00s\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00i\x00e\x00L\x00i\x00b\x002\x00.\x00V\x00i\x00e\x002\x00P\x00r\x00o\x00c\x00e\x00s\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14419 WEB-ACTIVEX VieLib2.Vie2Process ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7edd4fce-e178-47f2-ae05-c5936c843795"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7edd4fce-e178-47f2-ae05-c5936c843795\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14420 WEB-ACTIVEX VmdbDatabase Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|e|00|d|00|d|00|4|00|f|00|c|00|e|00|-|00|e|00|1|00|7|00|8|00|-|00|4|00|7|00|f|00|2|00|-|00|a|00|e|00|0|00|5|00|-|00|c|00|5|00|9|00|3|00|6|00|c|00|8|00|4|00|3|00|7|00|9|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x00e\x00d\x00d\x004\x00f\x00c\x00e\x00-\x00e\x001\x007\x008\x00-\x004\x007\x00f\x002\x00-\x00a\x00e\x000\x005\x00-\x00c\x005\x009\x003\x006\x00c\x008\x004\x003\x007\x009\x005\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14421 WEB-ACTIVEX VmdbDatabase Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmdbCOM.VmdbDatabase"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmdbCOM\.VmdbDatabase\x22|\x27vmdbCOM\.VmdbDatabase\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VmdbDatabase\x22|\x27vmdbCOM\.VmdbDatabase\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14422 WEB-ACTIVEX VmdbDatabase Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|D|00|a|00|t|00|a|00|b|00|a|00|s|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00D\x00a\x00t\x00a\x00b\x00a\x00s\x00e\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00D\x00a\x00t\x00a\x00b\x00a\x00s\x00e\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14423 WEB-ACTIVEX VmdbDatabase Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"85691355-a4fa-4e2b-b461-8145f90aa8dc"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*85691355-a4fa-4e2b-b461-8145f90aa8dc\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14424 WEB-ACTIVEX VMAppSdkUtil Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|5|00|6|00|9|00|1|00|3|00|5|00|5|00|-|00|a|00|4|00|f|00|a|00|-|00|4|00|e|00|2|00|b|00|-|00|b|00|4|00|6|00|1|00|-|00|8|00|1|00|4|00|5|00|f|00|9|00|0|00|a|00|a|00|8|00|d|00|c|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x005\x006\x009\x001\x003\x005\x005\x00-\x00a\x004\x00f\x00a\x00-\x004\x00e\x002\x00b\x00-\x00b\x004\x006\x001\x00-\x008\x001\x004\x005\x00f\x009\x000\x00a\x00a\x008\x00d\x00c\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14425 WEB-ACTIVEX VMAppSdkUtil Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vmappsdk.VMAppSdkUtil"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vmappsdk\.VMAppSdkUtil\x22|\x27Vmappsdk\.VMAppSdkUtil\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.VMAppSdkUtil\x22|\x27Vmappsdk\.VMAppSdkUtil\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14426 WEB-ACTIVEX VMAppSdkUtil Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|V|00|M|00|A|00|p|00|p|00|S|00|d|00|k|00|U|00|t|00|i|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00A\x00p\x00p\x00S\x00d\x00k\x00U\x00t\x00i\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00A\x00p\x00p\x00S\x00d\x00k\x00U\x00t\x00i\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14427 WEB-ACTIVEX VMAppSdkUtil Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8f2f3b54-43cc-4912-9b48-bd500a023d40"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8f2f3b54-43cc-4912-9b48-bd500a023d40\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14428 WEB-ACTIVEX VMWare unspecified 8 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|f|00|2|00|f|00|3|00|b|00|5|00|4|00|-|00|4|00|3|00|c|00|c|00|-|00|4|00|9|00|1|00|2|00|-|00|9|00|b|00|4|00|8|00|-|00|b|00|d|00|5|00|0|00|0|00|a|00|0|00|2|00|3|00|d|00|4|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x00f\x002\x00f\x003\x00b\x005\x004\x00-\x004\x003\x00c\x00c\x00-\x004\x009\x001\x002\x00-\x009\x00b\x004\x008\x00-\x00b\x00d\x005\x000\x000\x00a\x000\x002\x003\x00d\x004\x000\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14429 WEB-ACTIVEX VMWare unspecified 8 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"92d37a66-dc23-4244-8add-2e8bdcafa9b2"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*92d37a66-dc23-4244-8add-2e8bdcafa9b2\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14430 WEB-ACTIVEX VMEnumStrings Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|2|00|d|00|3|00|7|00|a|00|6|00|6|00|-|00|d|00|c|00|2|00|3|00|-|00|4|00|2|00|4|00|4|00|-|00|8|00|a|00|d|00|d|00|-|00|2|00|e|00|8|00|b|00|d|00|c|00|a|00|f|00|a|00|9|00|b|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x002\x00d\x003\x007\x00a\x006\x006\x00-\x00d\x00c\x002\x003\x00-\x004\x002\x004\x004\x00-\x008\x00a\x00d\x00d\x00-\x002\x00e\x008\x00b\x00d\x00c\x00a\x00f\x00a\x009\x00b\x002\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14431 WEB-ACTIVEX VMEnumStrings Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmappsdk.VMEnumStrings"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmappsdk\.VMEnumStrings\x22|\x27vmappsdk\.VMEnumStrings\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmappsdk\.VMEnumStrings\x22|\x27vmappsdk\.VMEnumStrings\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14432 WEB-ACTIVEX VMEnumStrings Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|V|00|M|00|E|00|n|00|u|00|m|00|S|00|t|00|r|00|i|00|n|00|g|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00E\x00n\x00u\x00m\x00S\x00t\x00r\x00i\x00n\x00g\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00E\x00n\x00u\x00m\x00S\x00t\x00r\x00i\x00n\x00g\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14433 WEB-ACTIVEX VMEnumStrings Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"93beec8b-783e-4f87-a1d7-61936f3805cf"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*93beec8b-783e-4f87-a1d7-61936f3805cf\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14434 WEB-ACTIVEX VMWare unspecified 9 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|3|00|b|00|e|00|e|00|c|00|8|00|b|00|-|00|7|00|8|00|3|00|e|00|-|00|4|00|f|00|8|00|7|00|-|00|a|00|1|00|d|00|7|00|-|00|6|00|1|00|9|00|3|00|6|00|f|00|3|00|8|00|0|00|5|00|c|00|f|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x003\x00b\x00e\x00e\x00c\x008\x00b\x00-\x007\x008\x003\x00e\x00-\x004\x00f\x008\x007\x00-\x00a\x001\x00d\x007\x00-\x006\x001\x009\x003\x006\x00f\x003\x008\x000\x005\x00c\x00f\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14435 WEB-ACTIVEX VMWare unspecified 9 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9663f7c7-44fb-4075-bc83-829b47db7936"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9663f7c7-44fb-4075-bc83-829b47db7936\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14436 WEB-ACTIVEX VMClientHost Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|6|00|6|00|3|00|f|00|7|00|c|00|7|00|-|00|4|00|4|00|f|00|b|00|-|00|4|00|0|00|7|00|5|00|-|00|b|00|c|00|8|00|3|00|-|00|8|00|2|00|9|00|b|00|4|00|7|00|d|00|b|00|7|00|9|00|3|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x006\x006\x003\x00f\x007\x00c\x007\x00-\x004\x004\x00f\x00b\x00-\x004\x000\x007\x005\x00-\x00b\x00c\x008\x003\x00-\x008\x002\x009\x00b\x004\x007\x00d\x00b\x007\x009\x003\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14437 WEB-ACTIVEX VMClientHost Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmdbCOM.VMClientHost"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmdbCOM\.VMClientHost\x22|\x27vmdbCOM\.VMClientHost\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VMClientHost\x22|\x27vmdbCOM\.VMClientHost\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14438 WEB-ACTIVEX VMClientHost Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|M|00|C|00|l|00|i|00|e|00|n|00|t|00|H|00|o|00|s|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00C\x00l\x00i\x00e\x00n\x00t\x00H\x00o\x00s\x00t\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00C\x00l\x00i\x00e\x00n\x00t\x00H\x00o\x00s\x00t\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14439 WEB-ACTIVEX VMClientHost Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"96a05576-987f-4f6d-9102-8799e3ded07b"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*96a05576-987f-4f6d-9102-8799e3ded07b\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14440 WEB-ACTIVEX VMWare unspecified 10 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|6|00|a|00|0|00|5|00|5|00|7|00|6|00|-|00|9|00|8|00|7|00|f|00|-|00|4|00|f|00|6|00|d|00|-|00|9|00|1|00|0|00|2|00|-|00|8|00|7|00|9|00|9|00|e|00|3|00|d|00|e|00|d|00|0|00|7|00|b|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x006\x00a\x000\x005\x005\x007\x006\x00-\x009\x008\x007\x00f\x00-\x004\x00f\x006\x00d\x00-\x009\x001\x000\x002\x00-\x008\x007\x009\x009\x00e\x003\x00d\x00e\x00d\x000\x007\x00b\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14441 WEB-ACTIVEX VMWare unspecified 10 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"99a1b3a3-0c4c-4e08-a1b1-84a6e6ff414d"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*99a1b3a3-0c4c-4e08-a1b1-84a6e6ff414d\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14442 WEB-ACTIVEX VMWare unspecified 11 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|9|00|a|00|1|00|b|00|3|00|a|00|3|00|-|00|0|00|c|00|4|00|c|00|-|00|4|00|e|00|0|00|8|00|-|00|a|00|1|00|b|00|1|00|-|00|8|00|4|00|a|00|6|00|e|00|6|00|f|00|f|00|4|00|1|00|4|00|d|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x009\x00a\x001\x00b\x003\x00a\x003\x00-\x000\x00c\x004\x00c\x00-\x004\x00e\x000\x008\x00-\x00a\x001\x00b\x001\x00-\x008\x004\x00a\x006\x00e\x006\x00f\x00f\x004\x001\x004\x00d\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14443 WEB-ACTIVEX VMWare unspecified 11 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9d253f85-f9b1-446e-9122-7ef3e260c3e4"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9d253f85-f9b1-446e-9122-7ef3e260c3e4\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14444 WEB-ACTIVEX VMWare unspecified 12 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|d|00|2|00|5|00|3|00|f|00|8|00|5|00|-|00|f|00|9|00|b|00|1|00|-|00|4|00|4|00|6|00|e|00|-|00|9|00|1|00|2|00|2|00|-|00|7|00|e|00|f|00|3|00|e|00|2|00|6|00|0|00|c|00|3|00|e|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x00d\x002\x005\x003\x00f\x008\x005\x00-\x00f\x009\x00b\x001\x00-\x004\x004\x006\x00e\x00-\x009\x001\x002\x002\x00-\x007\x00e\x00f\x003\x00e\x002\x006\x000\x00c\x003\x00e\x004\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14445 WEB-ACTIVEX VMWare unspecified 12 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9ea0c310-9140-4735-90db-5babc57583f0"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9ea0c310-9140-4735-90db-5babc57583f0\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14446 WEB-ACTIVEX VMWare unspecified 13 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|e|00|a|00|0|00|c|00|3|00|1|00|0|00|-|00|9|00|1|00|4|00|0|00|-|00|4|00|7|00|3|00|5|00|-|00|9|00|0|00|d|00|b|00|-|00|5|00|b|00|a|00|b|00|c|00|5|00|7|00|5|00|8|00|3|00|f|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x00e\x00a\x000\x00c\x003\x001\x000\x00-\x009\x001\x004\x000\x00-\x004\x007\x003\x005\x00-\x009\x000\x00d\x00b\x00-\x005\x00b\x00a\x00b\x00c\x005\x007\x005\x008\x003\x00f\x000\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14447 WEB-ACTIVEX VMWare unspecified 13 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9ED5A5B3-C8D4-4597-B082-487008D75E3F"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9ED5A5B3-C8D4-4597-B082-487008D75E3F\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14448 WEB-ACTIVEX reconfig.SystemReconfigur ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|E|00|D|00|5|00|A|00|5|00|B|00|3|00|-|00|C|00|8|00|D|00|4|00|-|00|4|00|5|00|9|00|7|00|-|00|B|00|0|00|8|00|2|00|-|00|4|00|8|00|7|00|0|00|0|00|8|00|D|00|7|00|5|00|E|00|3|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x00E\x00D\x005\x00A\x005\x00B\x003\x00-\x00C\x008\x00D\x004\x00-\x004\x005\x009\x007\x00-\x00B\x000\x008\x002\x00-\x004\x008\x007\x000\x000\x008\x00D\x007\x005\x00E\x003\x00F\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14449 WEB-ACTIVEX reconfig.SystemReconfigur ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"reconfig.SystemReconfigur"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22reconfig\.SystemReconfigur\x22|\x27reconfig\.SystemReconfigur\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22reconfig\.SystemReconfigur\x22|\x27reconfig\.SystemReconfigur\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14450 WEB-ACTIVEX reconfig.SystemReconfigur ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"r|00|e|00|c|00|o|00|n|00|f|00|i|00|g|00|.|00|S|00|y|00|s|00|t|00|e|00|m|00|R|00|e|00|c|00|o|00|n|00|f|00|i|00|g|00|u|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)r\x00e\x00c\x00o\x00n\x00f\x00i\x00g\x00.\x00S\x00y\x00s\x00t\x00e\x00m\x00R\x00e\x00c\x00o\x00n\x00f\x00i\x00g\x00u\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)r\x00e\x00c\x00o\x00n\x00f\x00i\x00g\x00.\x00S\x00y\x00s\x00t\x00e\x00m\x00R\x00e\x00c\x00o\x00n\x00f\x00i\x00g\x00u\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14451 WEB-ACTIVEX reconfig.SystemReconfigur ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9F625D90-A74B-4dd8-9847-9CFD6F928FEF"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9F625D90-A74B-4dd8-9847-9CFD6F928FEF\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14452 WEB-ACTIVEX vmhwcfg.NwzCompleted ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|F|00|6|00|2|00|5|00|D|00|9|00|0|00|-|00|A|00|7|00|4|00|B|00|-|00|4|00|d|00|d|00|8|00|-|00|9|00|8|00|4|00|7|00|-|00|9|00|C|00|F|00|D|00|6|00|F|00|9|00|2|00|8|00|F|00|E|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x00F\x006\x002\x005\x00D\x009\x000\x00-\x00A\x007\x004\x00B\x00-\x004\x00d\x00d\x008\x00-\x009\x008\x004\x007\x00-\x009\x00C\x00F\x00D\x006\x00F\x009\x002\x008\x00F\x00E\x00F\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14453 WEB-ACTIVEX vmhwcfg.NwzCompleted ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmhwcfg.NwzCompleted"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmhwcfg\.NwzCompleted\x22|\x27vmhwcfg\.NwzCompleted\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmhwcfg\.NwzCompleted\x22|\x27vmhwcfg\.NwzCompleted\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14454 WEB-ACTIVEX vmhwcfg.NwzCompleted ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|h|00|w|00|c|00|f|00|g|00|.|00|N|00|w|00|z|00|C|00|o|00|m|00|p|00|l|00|e|00|t|00|e|00|d|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00h\x00w\x00c\x00f\x00g\x00.\x00N\x00w\x00z\x00C\x00o\x00m\x00p\x00l\x00e\x00t\x00e\x00d\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00h\x00w\x00c\x00f\x00g\x00.\x00N\x00w\x00z\x00C\x00o\x00m\x00p\x00l\x00e\x00t\x00e\x00d\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14455 WEB-ACTIVEX vmhwcfg.NwzCompleted ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"a170cd00-5ce4-46d0-b013-e804ffd1d929"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*a170cd00-5ce4-46d0-b013-e804ffd1d929\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14456 WEB-ACTIVEX MksCompatCtl Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"a|00|1|00|7|00|0|00|c|00|d|00|0|00|0|00|-|00|5|00|c|00|e|00|4|00|-|00|4|00|6|00|d|00|0|00|-|00|b|00|0|00|1|00|3|00|-|00|e|00|8|00|0|00|4|00|f|00|f|00|d|00|1|00|d|00|9|00|2|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*a\x001\x007\x000\x00c\x00d\x000\x000\x00-\x005\x00c\x00e\x004\x00-\x004\x006\x00d\x000\x00-\x00b\x000\x001\x003\x00-\x00e\x008\x000\x004\x00f\x00f\x00d\x001\x00d\x009\x002\x009\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14457 WEB-ACTIVEX MksCompatCtl Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmappsdk.MksCompatCtl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmappsdk\.MksCompatCtl\x22|\x27vmappsdk\.MksCompatCtl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmappsdk\.MksCompatCtl\x22|\x27vmappsdk\.MksCompatCtl\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14458 WEB-ACTIVEX MksCompatCtl Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|M|00|k|00|s|00|C|00|o|00|m|00|p|00|a|00|t|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00M\x00k\x00s\x00C\x00o\x00m\x00p\x00a\x00t\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00M\x00k\x00s\x00C\x00o\x00m\x00p\x00a\x00t\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14459 WEB-ACTIVEX MksCompatCtl Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"aeab0a1a-4bcd-4fc2-9c70-0e0ae3b40350"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*aeab0a1a-4bcd-4fc2-9c70-0e0ae3b40350\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14460 WEB-ACTIVEX VMWare unspecified 14 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"a|00|e|00|a|00|b|00|0|00|a|00|1|00|a|00|-|00|4|00|b|00|c|00|d|00|-|00|4|00|f|00|c|00|2|00|-|00|9|00|c|00|7|00|0|00|-|00|0|00|e|00|0|00|a|00|e|00|3|00|b|00|4|00|0|00|3|00|5|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*a\x00e\x00a\x00b\x000\x00a\x001\x00a\x00-\x004\x00b\x00c\x00d\x00-\x004\x00f\x00c\x002\x00-\x009\x00c\x007\x000\x00-\x000\x00e\x000\x00a\x00e\x003\x00b\x004\x000\x003\x005\x000\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14461 WEB-ACTIVEX VMWare unspecified 14 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AF13B07E-28A1-4CAC-9C9A-EC582E354A24"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AF13B07E-28A1-4CAC-9C9A-EC582E354A24\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14462 WEB-ACTIVEX IntraProcessLogging.Logger ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|F|00|1|00|3|00|B|00|0|00|7|00|E|00|-|00|2|00|8|00|A|00|1|00|-|00|4|00|C|00|A|00|C|00|-|00|9|00|C|00|9|00|A|00|-|00|E|00|C|00|5|00|8|00|2|00|E|00|3|00|5|00|4|00|A|00|2|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00F\x001\x003\x00B\x000\x007\x00E\x00-\x002\x008\x00A\x001\x00-\x004\x00C\x00A\x00C\x00-\x009\x00C\x009\x00A\x00-\x00E\x00C\x005\x008\x002\x00E\x003\x005\x004\x00A\x002\x004\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14463 WEB-ACTIVEX IntraProcessLogging.Logger ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"IntraProcessLogging.Logger"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22IntraProcessLogging\.Logger\x22|\x27IntraProcessLogging\.Logger\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22IntraProcessLogging\.Logger\x22|\x27IntraProcessLogging\.Logger\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14464 WEB-ACTIVEX IntraProcessLogging.Logger ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"I|00|n|00|t|00|r|00|a|00|P|00|r|00|o|00|c|00|e|00|s|00|s|00|L|00|o|00|g|00|g|00|i|00|n|00|g|00|.|00|L|00|o|00|g|00|g|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)I\x00n\x00t\x00r\x00a\x00P\x00r\x00o\x00c\x00e\x00s\x00s\x00L\x00o\x00g\x00g\x00i\x00n\x00g\x00.\x00L\x00o\x00g\x00g\x00e\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)I\x00n\x00t\x00r\x00a\x00P\x00r\x00o\x00c\x00e\x00s\x00s\x00L\x00o\x00g\x00g\x00i\x00n\x00g\x00.\x00L\x00o\x00g\x00g\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14465 WEB-ACTIVEX IntraProcessLogging.Logger ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"b39924ac-b164-4f0a-b2d8-f07295df710d"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*b39924ac-b164-4f0a-b2d8-f07295df710d\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14466 WEB-ACTIVEX VMWare unspecified 15 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"b|00|3|00|9|00|9|00|2|00|4|00|a|00|c|00|-|00|b|00|1|00|6|00|4|00|-|00|4|00|f|00|0|00|a|00|-|00|b|00|2|00|d|00|8|00|-|00|f|00|0|00|7|00|2|00|9|00|5|00|d|00|f|00|7|00|1|00|0|00|d|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*b\x003\x009\x009\x002\x004\x00a\x00c\x00-\x00b\x001\x006\x004\x00-\x004\x00f\x000\x00a\x00-\x00b\x002\x00d\x008\x00-\x00f\x000\x007\x002\x009\x005\x00d\x00f\x007\x001\x000\x00d\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14467 WEB-ACTIVEX VMWare unspecified 15 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BC1F4B6F-13AB-4239-8C79-D6DCADC52BAA"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BC1F4B6F-13AB-4239-8C79-D6DCADC52BAA\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14468 WEB-ACTIVEX Elevated.HostDeviceInfos ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|C|00|1|00|F|00|4|00|B|00|6|00|F|00|-|00|1|00|3|00|A|00|B|00|-|00|4|00|2|00|3|00|9|00|-|00|8|00|C|00|7|00|9|00|-|00|D|00|6|00|D|00|C|00|A|00|D|00|C|00|5|00|2|00|B|00|A|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x00C\x001\x00F\x004\x00B\x006\x00F\x00-\x001\x003\x00A\x00B\x00-\x004\x002\x003\x009\x00-\x008\x00C\x007\x009\x00-\x00D\x006\x00D\x00C\x00A\x00D\x00C\x005\x002\x00B\x00A\x00A\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14469 WEB-ACTIVEX Elevated.HostDeviceInfos ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Elevated.HostDeviceInfos"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Elevated\.HostDeviceInfos\x22|\x27Elevated\.HostDeviceInfos\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Elevated\.HostDeviceInfos\x22|\x27Elevated\.HostDeviceInfos\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14470 WEB-ACTIVEX Elevated.HostDeviceInfos ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|l|00|e|00|v|00|a|00|t|00|e|00|d|00|.|00|H|00|o|00|s|00|t|00|D|00|e|00|v|00|i|00|c|00|e|00|I|00|n|00|f|00|o|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)E\x00l\x00e\x00v\x00a\x00t\x00e\x00d\x00.\x00H\x00o\x00s\x00t\x00D\x00e\x00v\x00i\x00c\x00e\x00I\x00n\x00f\x00o\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)E\x00l\x00e\x00v\x00a\x00t\x00e\x00d\x00.\x00H\x00o\x00s\x00t\x00D\x00e\x00v\x00i\x00c\x00e\x00I\x00n\x00f\x00o\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14471 WEB-ACTIVEX Elevated.HostDeviceInfos ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"bea48e3e-5990-4f52-ad0c-4fee8b00b3dd"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*bea48e3e-5990-4f52-ad0c-4fee8b00b3dd\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14472 WEB-ACTIVEX VMWare unspecified 16 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"b|00|e|00|a|00|4|00|8|00|e|00|3|00|e|00|-|00|5|00|9|00|9|00|0|00|-|00|4|00|f|00|5|00|2|00|-|00|a|00|d|00|0|00|c|00|-|00|4|00|f|00|e|00|e|00|8|00|b|00|0|00|0|00|b|00|3|00|d|00|d|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*b\x00e\x00a\x004\x008\x00e\x003\x00e\x00-\x005\x009\x009\x000\x00-\x004\x00f\x005\x002\x00-\x00a\x00d\x000\x00c\x00-\x004\x00f\x00e\x00e\x008\x00b\x000\x000\x00b\x003\x00d\x00d\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14473 WEB-ACTIVEX VMWare unspecified 16 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"bf337b95-a08a-43ba-b395-001bb11e51cd"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*bf337b95-a08a-43ba-b395-001bb11e51cd\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14474 WEB-ACTIVEX VMWare unspecified 17 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"b|00|f|00|3|00|3|00|7|00|b|00|9|00|5|00|-|00|a|00|0|00|8|00|a|00|-|00|4|00|3|00|b|00|a|00|-|00|b|00|3|00|9|00|5|00|-|00|0|00|0|00|1|00|b|00|b|00|1|00|1|00|e|00|5|00|1|00|c|00|d|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*b\x00f\x003\x003\x007\x00b\x009\x005\x00-\x00a\x000\x008\x00a\x00-\x004\x003\x00b\x00a\x00-\x00b\x003\x009\x005\x00-\x000\x000\x001\x00b\x00b\x001\x001\x00e\x005\x001\x00c\x00d\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14475 WEB-ACTIVEX VMWare unspecified 17 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C0A9F3A2-C933-42E5-8ED4-FC7E9A55686F"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C0A9F3A2-C933-42E5-8ED4-FC7E9A55686F\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14476 WEB-ACTIVEX reconfig.GuestInfo ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|0|00|A|00|9|00|F|00|3|00|A|00|2|00|-|00|C|00|9|00|3|00|3|00|-|00|4|00|2|00|E|00|5|00|-|00|8|00|E|00|D|00|4|00|-|00|F|00|C|00|7|00|E|00|9|00|A|00|5|00|5|00|6|00|8|00|6|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x000\x00A\x009\x00F\x003\x00A\x002\x00-\x00C\x009\x003\x003\x00-\x004\x002\x00E\x005\x00-\x008\x00E\x00D\x004\x00-\x00F\x00C\x007\x00E\x009\x00A\x005\x005\x006\x008\x006\x00F\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14477 WEB-ACTIVEX reconfig.GuestInfo ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"reconfig.GuestInfo"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22reconfig\.GuestInfo\x22|\x27reconfig\.GuestInfo\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22reconfig\.GuestInfo\x22|\x27reconfig\.GuestInfo\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14478 WEB-ACTIVEX reconfig.GuestInfo ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"r|00|e|00|c|00|o|00|n|00|f|00|i|00|g|00|.|00|G|00|u|00|e|00|s|00|t|00|I|00|n|00|f|00|o|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)r\x00e\x00c\x00o\x00n\x00f\x00i\x00g\x00.\x00G\x00u\x00e\x00s\x00t\x00I\x00n\x00f\x00o\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)r\x00e\x00c\x00o\x00n\x00f\x00i\x00g\x00.\x00G\x00u\x00e\x00s\x00t\x00I\x00n\x00f\x00o\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14479 WEB-ACTIVEX reconfig.GuestInfo ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"c0f98577-fc80-4d0a-86b2-6d4e045edf8e"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*c0f98577-fc80-4d0a-86b2-6d4e045edf8e\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14480 WEB-ACTIVEX VmappPropFrame Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"c|00|0|00|f|00|9|00|8|00|5|00|7|00|7|00|-|00|f|00|c|00|8|00|0|00|-|00|4|00|d|00|0|00|a|00|-|00|8|00|6|00|b|00|2|00|-|00|6|00|d|00|4|00|e|00|0|00|4|00|5|00|e|00|d|00|f|00|8|00|e|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*c\x000\x00f\x009\x008\x005\x007\x007\x00-\x00f\x00c\x008\x000\x00-\x004\x00d\x000\x00a\x00-\x008\x006\x00b\x002\x00-\x006\x00d\x004\x00e\x000\x004\x005\x00e\x00d\x00f\x008\x00e\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14481 WEB-ACTIVEX VmappPropFrame Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vmappsdk.VmappPropFrame"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vmappsdk\.VmappPropFrame\x22|\x27Vmappsdk\.VmappPropFrame\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.VmappPropFrame\x22|\x27Vmappsdk\.VmappPropFrame\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14482 WEB-ACTIVEX VmappPropFrame Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|V|00|m|00|a|00|p|00|p|00|P|00|r|00|o|00|p|00|F|00|r|00|a|00|m|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00m\x00a\x00p\x00p\x00P\x00r\x00o\x00p\x00F\x00r\x00a\x00m\x00e\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00m\x00a\x00p\x00p\x00P\x00r\x00o\x00p\x00F\x00r\x00a\x00m\x00e\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14483 WEB-ACTIVEX VmappPropFrame Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C2FBF309-56F6-409E-B9D7-DBBC190AD51A"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C2FBF309-56F6-409E-B9D7-DBBC190AD51A\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14484 WEB-ACTIVEX VhdCvtCom.VhdConverter ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|2|00|F|00|B|00|F|00|3|00|0|00|9|00|-|00|5|00|6|00|F|00|6|00|-|00|4|00|0|00|9|00|E|00|-|00|B|00|9|00|D|00|7|00|-|00|D|00|B|00|B|00|C|00|1|00|9|00|0|00|A|00|D|00|5|00|1|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x002\x00F\x00B\x00F\x003\x000\x009\x00-\x005\x006\x00F\x006\x00-\x004\x000\x009\x00E\x00-\x00B\x009\x00D\x007\x00-\x00D\x00B\x00B\x00C\x001\x009\x000\x00A\x00D\x005\x001\x00A\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14485 WEB-ACTIVEX VhdCvtCom.VhdConverter ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VhdCvtCom.VhdConverter"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VhdCvtCom\.VhdConverter\x22|\x27VhdCvtCom\.VhdConverter\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VhdCvtCom\.VhdConverter\x22|\x27VhdCvtCom\.VhdConverter\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14486 WEB-ACTIVEX VhdCvtCom.VhdConverter ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|h|00|d|00|C|00|v|00|t|00|C|00|o|00|m|00|.|00|V|00|h|00|d|00|C|00|o|00|n|00|v|00|e|00|r|00|t|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00h\x00d\x00C\x00v\x00t\x00C\x00o\x00m\x00.\x00V\x00h\x00d\x00C\x00o\x00n\x00v\x00e\x00r\x00t\x00e\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00h\x00d\x00C\x00v\x00t\x00C\x00o\x00m\x00.\x00V\x00h\x00d\x00C\x00o\x00n\x00v\x00e\x00r\x00t\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14487 WEB-ACTIVEX VhdCvtCom.VhdConverter ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ce55ac6b-d0fa-4be6-bc90-c318e7383cdd"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*ce55ac6b-d0fa-4be6-bc90-c318e7383cdd\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14488 WEB-ACTIVEX VMSwitchCtl Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"c|00|e|00|5|00|5|00|a|00|c|00|6|00|b|00|-|00|d|00|0|00|f|00|a|00|-|00|4|00|b|00|e|00|6|00|-|00|b|00|c|00|9|00|0|00|-|00|c|00|3|00|1|00|8|00|e|00|7|00|3|00|8|00|3|00|c|00|d|00|d|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*c\x00e\x005\x005\x00a\x00c\x006\x00b\x00-\x00d\x000\x00f\x00a\x00-\x004\x00b\x00e\x006\x00-\x00b\x00c\x009\x000\x00-\x00c\x003\x001\x008\x00e\x007\x003\x008\x003\x00c\x00d\x00d\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14489 WEB-ACTIVEX VMSwitchCtl Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vmappsdk.VMSwitchCtl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vmappsdk\.VMSwitchCtl\x22|\x27Vmappsdk\.VMSwitchCtl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.VMSwitchCtl\x22|\x27Vmappsdk\.VMSwitchCtl\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14490 WEB-ACTIVEX VMSwitchCtl Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|V|00|M|00|S|00|w|00|i|00|t|00|c|00|h|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00S\x00w\x00i\x00t\x00c\x00h\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00S\x00w\x00i\x00t\x00c\x00h\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14491 WEB-ACTIVEX VMSwitchCtl Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"d1084c98-79f2-461d-81b8-7888228e77cc"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*d1084c98-79f2-461d-81b8-7888228e77cc\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14492 WEB-ACTIVEX VMWare unspecified 18 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"d|00|1|00|0|00|8|00|4|00|c|00|9|00|8|00|-|00|7|00|9|00|f|00|2|00|-|00|4|00|6|00|1|00|d|00|-|00|8|00|1|00|b|00|8|00|-|00|7|00|8|00|8|00|8|00|2|00|2|00|8|00|e|00|7|00|7|00|c|00|c|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*d\x001\x000\x008\x004\x00c\x009\x008\x00-\x007\x009\x00f\x002\x00-\x004\x006\x001\x00d\x00-\x008\x001\x00b\x008\x00-\x007\x008\x008\x008\x002\x002\x008\x00e\x007\x007\x00c\x00c\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14493 WEB-ACTIVEX VMWare unspecified 18 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"d1d1d84a-318e-4bce-9d4b-9d6664c99bd0"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*d1d1d84a-318e-4bce-9d4b-9d6664c99bd0\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14494 WEB-ACTIVEX VmdbUtil Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"d|00|1|00|d|00|1|00|d|00|8|00|4|00|a|00|-|00|3|00|1|00|8|00|e|00|-|00|4|00|b|00|c|00|e|00|-|00|9|00|d|00|4|00|b|00|-|00|9|00|d|00|6|00|6|00|6|00|4|00|c|00|9|00|9|00|b|00|d|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*d\x001\x00d\x001\x00d\x008\x004\x00a\x00-\x003\x001\x008\x00e\x00-\x004\x00b\x00c\x00e\x00-\x009\x00d\x004\x00b\x00-\x009\x00d\x006\x006\x006\x004\x00c\x009\x009\x00b\x00d\x000\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14495 WEB-ACTIVEX VmdbUtil Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmdbCOM.VmdbUtil"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmdbCOM\.VmdbUtil\x22|\x27vmdbCOM\.VmdbUtil\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VmdbUtil\x22|\x27vmdbCOM\.VmdbUtil\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14496 WEB-ACTIVEX VmdbUtil Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|U|00|t|00|i|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00U\x00t\x00i\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00U\x00t\x00i\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14497 WEB-ACTIVEX VmdbUtil Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"d344ef7e-e559-48b4-8b16-07950bf1f191"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*d344ef7e-e559-48b4-8b16-07950bf1f191\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14498 WEB-ACTIVEX VMWare unspecified 19 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"d|00|3|00|4|00|4|00|e|00|f|00|7|00|e|00|-|00|e|00|5|00|5|00|9|00|-|00|4|00|8|00|b|00|4|00|-|00|8|00|b|00|1|00|6|00|-|00|0|00|7|00|9|00|5|00|0|00|b|00|f|00|1|00|f|00|1|00|9|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*d\x003\x004\x004\x00e\x00f\x007\x00e\x00-\x00e\x005\x005\x009\x00-\x004\x008\x00b\x004\x00-\x008\x00b\x001\x006\x00-\x000\x007\x009\x005\x000\x00b\x00f\x001\x00f\x001\x009\x001\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14499 WEB-ACTIVEX VMWare unspecified 19 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D428A135-8494-41DE-A4B5-8BB1B632E8DC"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D428A135-8494-41DE-A4B5-8BB1B632E8DC\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14500 WEB-ACTIVEX VMwareVpcCvt.VpcC ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|4|00|2|00|8|00|A|00|1|00|3|00|5|00|-|00|8|00|4|00|9|00|4|00|-|00|4|00|1|00|D|00|E|00|-|00|A|00|4|00|B|00|5|00|-|00|8|00|B|00|B|00|1|00|B|00|6|00|3|00|2|00|E|00|8|00|D|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x004\x002\x008\x00A\x001\x003\x005\x00-\x008\x004\x009\x004\x00-\x004\x001\x00D\x00E\x00-\x00A\x004\x00B\x005\x00-\x008\x00B\x00B\x001\x00B\x006\x003\x002\x00E\x008\x00D\x00C\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14501 WEB-ACTIVEX VMwareVpcCvt.VpcC ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VMwareVpcCvt.VpcC"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VMwareVpcCvt\.VpcC\x22|\x27VMwareVpcCvt\.VpcC\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VMwareVpcCvt\.VpcC\x22|\x27VMwareVpcCvt\.VpcC\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14502 WEB-ACTIVEX VMwareVpcCvt.VpcC ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|M|00|w|00|a|00|r|00|e|00|V|00|p|00|c|00|C|00|v|00|t|00|.|00|V|00|p|00|c|00|C|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00M\x00w\x00a\x00r\x00e\x00V\x00p\x00c\x00C\x00v\x00t\x00.\x00V\x00p\x00c\x00C\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00M\x00w\x00a\x00r\x00e\x00V\x00p\x00c\x00C\x00v\x00t\x00.\x00V\x00p\x00c\x00C\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14503 WEB-ACTIVEX VMwareVpcCvt.VpcC ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"d6e9ab14-5437-4507-8f53-60ded2db142c"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*d6e9ab14-5437-4507-8f53-60ded2db142c\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14504 WEB-ACTIVEX VmdbCnxUtil Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"d|00|6|00|e|00|9|00|a|00|b|00|1|00|4|00|-|00|5|00|4|00|3|00|7|00|-|00|4|00|5|00|0|00|7|00|-|00|8|00|f|00|5|00|3|00|-|00|6|00|0|00|d|00|e|00|d|00|2|00|d|00|b|00|1|00|4|00|2|00|c|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*d\x006\x00e\x009\x00a\x00b\x001\x004\x00-\x005\x004\x003\x007\x00-\x004\x005\x000\x007\x00-\x008\x00f\x005\x003\x00-\x006\x000\x00d\x00e\x00d\x002\x00d\x00b\x001\x004\x002\x00c\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14505 WEB-ACTIVEX VmdbCnxUtil Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmdbCOM.VmdbCnxUtil"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmdbCOM\.VmdbCnxUtil\x22|\x27vmdbCOM\.VmdbCnxUtil\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VmdbCnxUtil\x22|\x27vmdbCOM\.VmdbCnxUtil\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14506 WEB-ACTIVEX VmdbCnxUtil Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|C|00|n|00|x|00|U|00|t|00|i|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00C\x00n\x00x\x00U\x00t\x00i\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00C\x00n\x00x\x00U\x00t\x00i\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14507 WEB-ACTIVEX VmdbCnxUtil Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D9902D56-1F2A-47D6-89AA-08F49A40AE8C"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D9902D56-1F2A-47D6-89AA-08F49A40AE8C\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14508 WEB-ACTIVEX Vmc2vmx.CoVPCDrive ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|9|00|9|00|0|00|2|00|D|00|5|00|6|00|-|00|1|00|F|00|2|00|A|00|-|00|4|00|7|00|D|00|6|00|-|00|8|00|9|00|A|00|A|00|-|00|0|00|8|00|F|00|4|00|9|00|A|00|4|00|0|00|A|00|E|00|8|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x009\x009\x000\x002\x00D\x005\x006\x00-\x001\x00F\x002\x00A\x00-\x004\x007\x00D\x006\x00-\x008\x009\x00A\x00A\x00-\x000\x008\x00F\x004\x009\x00A\x004\x000\x00A\x00E\x008\x00C\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14509 WEB-ACTIVEX Vmc2vmx.CoVPCDrive ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vmc2vmx.CoVPCDrive"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vmc2vmx\.CoVPCDrive\x22|\x27Vmc2vmx\.CoVPCDrive\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmc2vmx\.CoVPCDrive\x22|\x27Vmc2vmx\.CoVPCDrive\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14510 WEB-ACTIVEX Vmc2vmx.CoVPCDrive ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|c|00|2|00|v|00|m|00|x|00|.|00|C|00|o|00|V|00|P|00|C|00|D|00|r|00|i|00|v|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00c\x002\x00v\x00m\x00x\x00.\x00C\x00o\x00V\x00P\x00C\x00D\x00r\x00i\x00v\x00e\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00c\x002\x00v\x00m\x00x\x00.\x00C\x00o\x00V\x00P\x00C\x00D\x00r\x00i\x00v\x00e\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14511 WEB-ACTIVEX Vmc2vmx.CoVPCDrive ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"da52e304-436f-420e-8cf4-9f785c2e5dc7"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*da52e304-436f-420e-8cf4-9f785c2e5dc7\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14512 WEB-ACTIVEX VMWare unspecified 20 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"d|00|a|00|5|00|2|00|e|00|3|00|0|00|4|00|-|00|4|00|3|00|6|00|f|00|-|00|4|00|2|00|0|00|e|00|-|00|8|00|c|00|f|00|4|00|-|00|9|00|f|00|7|00|8|00|5|00|c|00|2|00|e|00|5|00|d|00|c|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*d\x00a\x005\x002\x00e\x003\x000\x004\x00-\x004\x003\x006\x00f\x00-\x004\x002\x000\x00e\x00-\x008\x00c\x00f\x004\x00-\x009\x00f\x007\x008\x005\x00c\x002\x00e\x005\x00d\x00c\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14513 WEB-ACTIVEX VMWare unspecified 20 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"dd3705d3-53b0-4d2d-961e-64fc7495b8cd"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*dd3705d3-53b0-4d2d-961e-64fc7495b8cd\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14514 WEB-ACTIVEX VMClientVM Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"d|00|d|00|3|00|7|00|0|00|5|00|d|00|3|00|-|00|5|00|3|00|b|00|0|00|-|00|4|00|d|00|2|00|d|00|-|00|9|00|6|00|1|00|e|00|-|00|6|00|4|00|f|00|c|00|7|00|4|00|9|00|5|00|b|00|8|00|c|00|d|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*d\x00d\x003\x007\x000\x005\x00d\x003\x00-\x005\x003\x00b\x000\x00-\x004\x00d\x002\x00d\x00-\x009\x006\x001\x00e\x00-\x006\x004\x00f\x00c\x007\x004\x009\x005\x00b\x008\x00c\x00d\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14515 WEB-ACTIVEX VMClientVM Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmdbCOM.VMClientVM"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmdbCOM\.VMClientVM\x22|\x27vmdbCOM\.VMClientVM\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VMClientVM\x22|\x27vmdbCOM\.VMClientVM\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14516 WEB-ACTIVEX VMClientVM Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|M|00|C|00|l|00|i|00|e|00|n|00|t|00|V|00|M|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00C\x00l\x00i\x00e\x00n\x00t\x00V\x00M\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00C\x00l\x00i\x00e\x00n\x00t\x00V\x00M\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14517 WEB-ACTIVEX VMClientVM Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"deab0eb8-05d4-49b5-a9c6-31b031d26d99"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*deab0eb8-05d4-49b5-a9c6-31b031d26d99\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14518 WEB-ACTIVEX VMWare unspecified 21 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"d|00|e|00|a|00|b|00|0|00|e|00|b|00|8|00|-|00|0|00|5|00|d|00|4|00|-|00|4|00|9|00|b|00|5|00|-|00|a|00|9|00|c|00|6|00|-|00|3|00|1|00|b|00|0|00|3|00|1|00|d|00|2|00|6|00|d|00|9|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*d\x00e\x00a\x00b\x000\x00e\x00b\x008\x00-\x000\x005\x00d\x004\x00-\x004\x009\x00b\x005\x00-\x00a\x009\x00c\x006\x00-\x003\x001\x00b\x000\x003\x001\x00d\x002\x006\x00d\x009\x009\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14519 WEB-ACTIVEX VMWare unspecified 21 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DFC76A6B-4873-458C-AB00-40B1FC028001"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DFC76A6B-4873-458C-AB00-40B1FC028001\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14520 WEB-ACTIVEX Elevated.VMXCreator ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|F|00|C|00|7|00|6|00|A|00|6|00|B|00|-|00|4|00|8|00|7|00|3|00|-|00|4|00|5|00|8|00|C|00|-|00|A|00|B|00|0|00|0|00|-|00|4|00|0|00|B|00|1|00|F|00|C|00|0|00|2|00|8|00|0|00|0|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00F\x00C\x007\x006\x00A\x006\x00B\x00-\x004\x008\x007\x003\x00-\x004\x005\x008\x00C\x00-\x00A\x00B\x000\x000\x00-\x004\x000\x00B\x001\x00F\x00C\x000\x002\x008\x000\x000\x001\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14521 WEB-ACTIVEX Elevated.VMXCreator ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Elevated.VMXCreator"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Elevated\.VMXCreator\x22|\x27Elevated\.VMXCreator\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Elevated\.VMXCreator\x22|\x27Elevated\.VMXCreator\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14522 WEB-ACTIVEX Elevated.VMXCreator ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|l|00|e|00|v|00|a|00|t|00|e|00|d|00|.|00|V|00|M|00|X|00|C|00|r|00|e|00|a|00|t|00|o|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)E\x00l\x00e\x00v\x00a\x00t\x00e\x00d\x00.\x00V\x00M\x00X\x00C\x00r\x00e\x00a\x00t\x00o\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)E\x00l\x00e\x00v\x00a\x00t\x00e\x00d\x00.\x00V\x00M\x00X\x00C\x00r\x00e\x00a\x00t\x00o\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14523 WEB-ACTIVEX Elevated.VMXCreator ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"dfd8b167-5652-4962-a162-9a227825afaa"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*dfd8b167-5652-4962-a162-9a227825afaa\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14524 WEB-ACTIVEX VMWare unspecified 22 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"d|00|f|00|d|00|8|00|b|00|1|00|6|00|7|00|-|00|5|00|6|00|5|00|2|00|-|00|4|00|9|00|6|00|2|00|-|00|a|00|1|00|6|00|2|00|-|00|9|00|a|00|2|00|2|00|7|00|8|00|2|00|5|00|a|00|f|00|a|00|a|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*d\x00f\x00d\x008\x00b\x001\x006\x007\x00-\x005\x006\x005\x002\x00-\x004\x009\x006\x002\x00-\x00a\x001\x006\x002\x00-\x009\x00a\x002\x002\x007\x008\x002\x005\x00a\x00f\x00a\x00a\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14525 WEB-ACTIVEX VMWare unspecified 22 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"dfef4b09-1b0a-4529-9775-ac437d6a93b3"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*dfef4b09-1b0a-4529-9775-ac437d6a93b3\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14526 WEB-ACTIVEX HotfixWz Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"d|00|f|00|e|00|f|00|4|00|b|00|0|00|9|00|-|00|1|00|b|00|0|00|a|00|-|00|4|00|5|00|2|00|9|00|-|00|9|00|7|00|7|00|5|00|-|00|a|00|c|00|4|00|3|00|7|00|d|00|6|00|a|00|9|00|3|00|b|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*d\x00f\x00e\x00f\x004\x00b\x000\x009\x00-\x001\x00b\x000\x00a\x00-\x004\x005\x002\x009\x00-\x009\x007\x007\x005\x00-\x00a\x00c\x004\x003\x007\x00d\x006\x00a\x009\x003\x00b\x003\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14527 WEB-ACTIVEX HotfixWz Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmappcfg.HotfixWz"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmappcfg\.HotfixWz\x22|\x27vmappcfg\.HotfixWz\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmappcfg\.HotfixWz\x22|\x27vmappcfg\.HotfixWz\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14528 WEB-ACTIVEX HotfixWz Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|a|00|p|00|p|00|c|00|f|00|g|00|.|00|H|00|o|00|t|00|f|00|i|00|x|00|W|00|z|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00a\x00p\x00p\x00c\x00f\x00g\x00.\x00H\x00o\x00t\x00f\x00i\x00x\x00W\x00z\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00a\x00p\x00p\x00c\x00f\x00g\x00.\x00H\x00o\x00t\x00f\x00i\x00x\x00W\x00z\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14529 WEB-ACTIVEX HotfixWz Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"dff44aec-2370-469d-8a22-df82448bff64"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*dff44aec-2370-469d-8a22-df82448bff64\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14530 WEB-ACTIVEX VmdbUpdates Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"d|00|f|00|f|00|4|00|4|00|a|00|e|00|c|00|-|00|2|00|3|00|7|00|0|00|-|00|4|00|6|00|9|00|d|00|-|00|8|00|a|00|2|00|2|00|-|00|d|00|f|00|8|00|2|00|4|00|4|00|8|00|b|00|f|00|f|00|6|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*d\x00f\x00f\x004\x004\x00a\x00e\x00c\x00-\x002\x003\x007\x000\x00-\x004\x006\x009\x00d\x00-\x008\x00a\x002\x002\x00-\x00d\x00f\x008\x002\x004\x004\x008\x00b\x00f\x00f\x006\x004\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14531 WEB-ACTIVEX VmdbUpdates Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmdbCOM.VmdbUpdates"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmdbCOM\.VmdbUpdates\x22|\x27vmdbCOM\.VmdbUpdates\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmdbCOM\.VmdbUpdates\x22|\x27vmdbCOM\.VmdbUpdates\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14532 WEB-ACTIVEX VmdbUpdates Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|U|00|p|00|d|00|a|00|t|00|e|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00U\x00p\x00d\x00a\x00t\x00e\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00U\x00p\x00d\x00a\x00t\x00e\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14533 WEB-ACTIVEX VmdbUpdates Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"e2d82f32-b4b0-4763-80d6-87323173d571"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*e2d82f32-b4b0-4763-80d6-87323173d571\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14534 WEB-ACTIVEX VMListCtl Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"e|00|2|00|d|00|8|00|2|00|f|00|3|00|2|00|-|00|b|00|4|00|b|00|0|00|-|00|4|00|7|00|6|00|3|00|-|00|8|00|0|00|d|00|6|00|-|00|8|00|7|00|3|00|2|00|3|00|1|00|7|00|3|00|d|00|5|00|7|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*e\x002\x00d\x008\x002\x00f\x003\x002\x00-\x00b\x004\x00b\x000\x00-\x004\x007\x006\x003\x00-\x008\x000\x00d\x006\x00-\x008\x007\x003\x002\x003\x001\x007\x003\x00d\x005\x007\x001\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14535 WEB-ACTIVEX VMListCtl Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vmappsdk.VMListCtl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vmappsdk\.VMListCtl\x22|\x27Vmappsdk\.VMListCtl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.VMListCtl\x22|\x27Vmappsdk\.VMListCtl\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14536 WEB-ACTIVEX VMListCtl Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|V|00|M|00|L|00|i|00|s|00|t|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00L\x00i\x00s\x00t\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00M\x00L\x00i\x00s\x00t\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14537 WEB-ACTIVEX VMListCtl Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"e3aa8d10-02e2-4615-b524-908a3b8716e9"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*e3aa8d10-02e2-4615-b524-908a3b8716e9\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14538 WEB-ACTIVEX CheckedListViewWnd Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"e|00|3|00|a|00|a|00|8|00|d|00|1|00|0|00|-|00|0|00|2|00|e|00|2|00|-|00|4|00|6|00|1|00|5|00|-|00|b|00|5|00|2|00|4|00|-|00|9|00|0|00|8|00|a|00|3|00|b|00|8|00|7|00|1|00|6|00|e|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*e\x003\x00a\x00a\x008\x00d\x001\x000\x00-\x000\x002\x00e\x002\x00-\x004\x006\x001\x005\x00-\x00b\x005\x002\x004\x00-\x009\x000\x008\x00a\x003\x00b\x008\x007\x001\x006\x00e\x009\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14539 WEB-ACTIVEX CheckedListViewWnd Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vmappsdk.CheckedListViewWnd"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vmappsdk\.CheckedListViewWnd\x22|\x27Vmappsdk\.CheckedListViewWnd\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.CheckedListViewWnd\x22|\x27Vmappsdk\.CheckedListViewWnd\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14540 WEB-ACTIVEX CheckedListViewWnd Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|C|00|h|00|e|00|c|00|k|00|e|00|d|00|L|00|i|00|s|00|t|00|V|00|i|00|e|00|w|00|W|00|n|00|d|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00C\x00h\x00e\x00c\x00k\x00e\x00d\x00L\x00i\x00s\x00t\x00V\x00i\x00e\x00w\x00W\x00n\x00d\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00C\x00h\x00e\x00c\x00k\x00e\x00d\x00L\x00i\x00s\x00t\x00V\x00i\x00e\x00w\x00W\x00n\x00d\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14541 WEB-ACTIVEX CheckedListViewWnd Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"e54b2aa7-52ab-431c-a1fa-3f807ee3578d"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*e54b2aa7-52ab-431c-a1fa-3f807ee3578d\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14542 WEB-ACTIVEX VMWare unspecified 23 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"e|00|5|00|4|00|b|00|2|00|a|00|a|00|7|00|-|00|5|00|2|00|a|00|b|00|-|00|4|00|3|00|1|00|c|00|-|00|a|00|1|00|f|00|a|00|-|00|3|00|f|00|8|00|0|00|7|00|e|00|e|00|3|00|5|00|7|00|8|00|d|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*e\x005\x004\x00b\x002\x00a\x00a\x007\x00-\x005\x002\x00a\x00b\x00-\x004\x003\x001\x00c\x00-\x00a\x001\x00f\x00a\x00-\x003\x00f\x008\x000\x007\x00e\x00e\x003\x005\x007\x008\x00d\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14543 WEB-ACTIVEX VMWare unspecified 23 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"e669547d-ae52-459f-9c07-cc5f17b4b16f"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*e669547d-ae52-459f-9c07-cc5f17b4b16f\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14544 WEB-ACTIVEX VmdbTreeCtl Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"e|00|6|00|6|00|9|00|5|00|4|00|7|00|d|00|-|00|a|00|e|00|5|00|2|00|-|00|4|00|5|00|9|00|f|00|-|00|9|00|c|00|0|00|7|00|-|00|c|00|c|00|5|00|f|00|1|00|7|00|b|00|4|00|b|00|1|00|6|00|f|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*e\x006\x006\x009\x005\x004\x007\x00d\x00-\x00a\x00e\x005\x002\x00-\x004\x005\x009\x00f\x00-\x009\x00c\x000\x007\x00-\x00c\x00c\x005\x00f\x001\x007\x00b\x004\x00b\x001\x006\x00f\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14545 WEB-ACTIVEX VmdbTreeCtl Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmappsdk.vmdbTreeCtl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmappsdk\.vmdbTreeCtl\x22|\x27vmappsdk\.vmdbTreeCtl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmappsdk\.vmdbTreeCtl\x22|\x27vmappsdk\.vmdbTreeCtl\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14546 WEB-ACTIVEX VmdbTreeCtl Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|v|00|m|00|d|00|b|00|T|00|r|00|e|00|e|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00v\x00m\x00d\x00b\x00T\x00r\x00e\x00e\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00v\x00m\x00d\x00b\x00T\x00r\x00e\x00e\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14547 WEB-ACTIVEX VmdbTreeCtl Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"eb80211b-ef44-463c-adab-b75ccd68c163"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*eb80211b-ef44-463c-adab-b75ccd68c163\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14548 WEB-ACTIVEX Nwz Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"e|00|b|00|8|00|0|00|2|00|1|00|1|00|b|00|-|00|e|00|f|00|4|00|4|00|-|00|4|00|6|00|3|00|c|00|-|00|a|00|d|00|a|00|b|00|-|00|b|00|7|00|5|00|c|00|c|00|d|00|6|00|8|00|c|00|1|00|6|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*e\x00b\x008\x000\x002\x001\x001\x00b\x00-\x00e\x00f\x004\x004\x00-\x004\x006\x003\x00c\x00-\x00a\x00d\x00a\x00b\x00-\x00b\x007\x005\x00c\x00c\x00d\x006\x008\x00c\x001\x006\x003\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14549 WEB-ACTIVEX Nwz Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmhwcfg.Nwz"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmhwcfg\.Nwz\x22|\x27vmhwcfg\.Nwz\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmhwcfg\.Nwz\x22|\x27vmhwcfg\.Nwz\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14550 WEB-ACTIVEX Nwz Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|h|00|w|00|c|00|f|00|g|00|.|00|N|00|w|00|z|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00h\x00w\x00c\x00f\x00g\x00.\x00N\x00w\x00z\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00h\x00w\x00c\x00f\x00g\x00.\x00N\x00w\x00z\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14551 WEB-ACTIVEX Nwz Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"EBA250D3-CEE2-4185-8563-1080F50BB733"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EBA250D3-CEE2-4185-8563-1080F50BB733\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14552 WEB-ACTIVEX Vmc2vmx.CoVPCDrives ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|B|00|A|00|2|00|5|00|0|00|D|00|3|00|-|00|C|00|E|00|E|00|2|00|-|00|4|00|1|00|8|00|5|00|-|00|8|00|5|00|6|00|3|00|-|00|1|00|0|00|8|00|0|00|F|00|5|00|0|00|B|00|B|00|7|00|3|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x00B\x00A\x002\x005\x000\x00D\x003\x00-\x00C\x00E\x00E\x002\x00-\x004\x001\x008\x005\x00-\x008\x005\x006\x003\x00-\x001\x000\x008\x000\x00F\x005\x000\x00B\x00B\x007\x003\x003\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14553 WEB-ACTIVEX Vmc2vmx.CoVPCDrives ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vmc2vmx.CoVPCDrives"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vmc2vmx\.CoVPCDrives\x22|\x27Vmc2vmx\.CoVPCDrives\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmc2vmx\.CoVPCDrives\x22|\x27Vmc2vmx\.CoVPCDrives\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14554 WEB-ACTIVEX Vmc2vmx.CoVPCDrives ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|c|00|2|00|v|00|m|00|x|00|.|00|C|00|o|00|V|00|P|00|C|00|D|00|r|00|i|00|v|00|e|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00c\x002\x00v\x00m\x00x\x00.\x00C\x00o\x00V\x00P\x00C\x00D\x00r\x00i\x00v\x00e\x00s\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00c\x002\x00v\x00m\x00x\x00.\x00C\x00o\x00V\x00P\x00C\x00D\x00r\x00i\x00v\x00e\x00s\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14555 WEB-ACTIVEX Vmc2vmx.CoVPCDrives ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ec24c86e-34dd-45f3-928d-ecb7c2b3afb4"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*ec24c86e-34dd-45f3-928d-ecb7c2b3afb4\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14556 WEB-ACTIVEX MksCtl Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"e|00|c|00|2|00|4|00|c|00|8|00|6|00|e|00|-|00|3|00|4|00|d|00|d|00|-|00|4|00|5|00|f|00|3|00|-|00|9|00|2|00|8|00|d|00|-|00|e|00|c|00|b|00|7|00|c|00|2|00|b|00|3|00|a|00|f|00|b|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*e\x00c\x002\x004\x00c\x008\x006\x00e\x00-\x003\x004\x00d\x00d\x00-\x004\x005\x00f\x003\x00-\x009\x002\x008\x00d\x00-\x00e\x00c\x00b\x007\x00c\x002\x00b\x003\x00a\x00f\x00b\x004\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14557 WEB-ACTIVEX MksCtl Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vmappsdk.MksCtl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22vmappsdk\.MksCtl\x22|\x27vmappsdk\.MksCtl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vmappsdk\.MksCtl\x22|\x27vmappsdk\.MksCtl\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14558 WEB-ACTIVEX MksCtl Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|M|00|k|00|s|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00M\x00k\x00s\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)v\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00M\x00k\x00s\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14559 WEB-ACTIVEX MksCtl Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ec891881-be63-45cf-97c9-34615aa209c1"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*ec891881-be63-45cf-97c9-34615aa209c1\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14560 WEB-ACTIVEX VmappPropPath Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"e|00|c|00|8|00|9|00|1|00|8|00|8|00|1|00|-|00|b|00|e|00|6|00|3|00|-|00|4|00|5|00|c|00|f|00|-|00|9|00|7|00|c|00|9|00|-|00|3|00|4|00|6|00|1|00|5|00|a|00|a|00|2|00|0|00|9|00|c|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*e\x00c\x008\x009\x001\x008\x008\x001\x00-\x00b\x00e\x006\x003\x00-\x004\x005\x00c\x00f\x00-\x009\x007\x00c\x009\x00-\x003\x004\x006\x001\x005\x00a\x00a\x002\x000\x009\x00c\x001\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14561 WEB-ACTIVEX VmappPropPath Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vmappsdk.VmappPropPath"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vmappsdk\.VmappPropPath\x22|\x27Vmappsdk\.VmappPropPath\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.VmappPropPath\x22|\x27Vmappsdk\.VmappPropPath\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14562 WEB-ACTIVEX VmappPropPath Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|V|00|m|00|a|00|p|00|p|00|P|00|r|00|o|00|p|00|P|00|a|00|t|00|h|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00m\x00a\x00p\x00p\x00P\x00r\x00o\x00p\x00P\x00a\x00t\x00h\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00V\x00m\x00a\x00p\x00p\x00P\x00r\x00o\x00p\x00P\x00a\x00t\x00h\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14563 WEB-ACTIVEX VmappPropPath Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"edaf3a1f-942e-4062-89b0-5276060dff93"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*edaf3a1f-942e-4062-89b0-5276060dff93\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14564 WEB-ACTIVEX VMWare unspecified 24 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"e|00|d|00|a|00|f|00|3|00|a|00|1|00|f|00|-|00|9|00|4|00|2|00|e|00|-|00|4|00|0|00|6|00|2|00|-|00|8|00|9|00|b|00|0|00|-|00|5|00|2|00|7|00|6|00|0|00|6|00|0|00|d|00|f|00|f|00|9|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*e\x00d\x00a\x00f\x003\x00a\x001\x00f\x00-\x009\x004\x002\x00e\x00-\x004\x000\x006\x002\x00-\x008\x009\x00b\x000\x00-\x005\x002\x007\x006\x000\x006\x000\x00d\x00f\x00f\x009\x003\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14565 WEB-ACTIVEX VMWare unspecified 24 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"edc2cfe2-97c9-41c3-80e9-9bb55b5a1ade"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*edc2cfe2-97c9-41c3-80e9-9bb55b5a1ade\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14566 WEB-ACTIVEX PolicyCtl Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"e|00|d|00|c|00|2|00|c|00|f|00|e|00|2|00|-|00|9|00|7|00|c|00|9|00|-|00|4|00|1|00|c|00|3|00|-|00|8|00|0|00|e|00|9|00|-|00|9|00|b|00|b|00|5|00|5|00|b|00|5|00|a|00|1|00|a|00|d|00|e|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*e\x00d\x00c\x002\x00c\x00f\x00e\x002\x00-\x009\x007\x00c\x009\x00-\x004\x001\x00c\x003\x00-\x008\x000\x00e\x009\x00-\x009\x00b\x00b\x005\x005\x00b\x005\x00a\x001\x00a\x00d\x00e\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14567 WEB-ACTIVEX PolicyCtl Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vmappsdk.PolicyCtl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vmappsdk\.PolicyCtl\x22|\x27Vmappsdk\.PolicyCtl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.PolicyCtl\x22|\x27Vmappsdk\.PolicyCtl\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14568 WEB-ACTIVEX PolicyCtl Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|P|00|o|00|l|00|i|00|c|00|y|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00P\x00o\x00l\x00i\x00c\x00y\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00P\x00o\x00l\x00i\x00c\x00y\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14569 WEB-ACTIVEX PolicyCtl Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"f1bee71f-bf84-4a3c-a967-f1c9d21c6100"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*f1bee71f-bf84-4a3c-a967-f1c9d21c6100\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14570 WEB-ACTIVEX VmdbParseError Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"f|00|1|00|b|00|e|00|e|00|7|00|1|00|f|00|-|00|b|00|f|00|8|00|4|00|-|00|4|00|a|00|3|00|c|00|-|00|a|00|9|00|6|00|7|00|-|00|f|00|1|00|c|00|9|00|d|00|2|00|1|00|c|00|6|00|1|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*f\x001\x00b\x00e\x00e\x007\x001\x00f\x00-\x00b\x00f\x008\x004\x00-\x004\x00a\x003\x00c\x00-\x00a\x009\x006\x007\x00-\x00f\x001\x00c\x009\x00d\x002\x001\x00c\x006\x001\x000\x000\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14571 WEB-ACTIVEX VmdbParseError Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VmdbCOM.VmdbParseError"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VmdbCOM\.VmdbParseError\x22|\x27VmdbCOM\.VmdbParseError\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VmdbCOM\.VmdbParseError\x22|\x27VmdbCOM\.VmdbParseError\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14572 WEB-ACTIVEX VmdbParseError Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|m|00|d|00|b|00|P|00|a|00|r|00|s|00|e|00|E|00|r|00|r|00|o|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00P\x00a\x00r\x00s\x00e\x00E\x00r\x00r\x00o\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00m\x00d\x00b\x00P\x00a\x00r\x00s\x00e\x00E\x00r\x00r\x00o\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14573 WEB-ACTIVEX VmdbParseError Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"f665fa34-efa7-4dff-bee6-ad27fa396c2b"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*f665fa34-efa7-4dff-bee6-ad27fa396c2b\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14574 WEB-ACTIVEX NavigationCtl Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"f|00|6|00|6|00|5|00|f|00|a|00|3|00|4|00|-|00|e|00|f|00|a|00|7|00|-|00|4|00|d|00|f|00|f|00|-|00|b|00|e|00|e|00|6|00|-|00|a|00|d|00|2|00|7|00|f|00|a|00|3|00|9|00|6|00|c|00|2|00|b|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*f\x006\x006\x005\x00f\x00a\x003\x004\x00-\x00e\x00f\x00a\x007\x00-\x004\x00d\x00f\x00f\x00-\x00b\x00e\x00e\x006\x00-\x00a\x00d\x002\x007\x00f\x00a\x003\x009\x006\x00c\x002\x00b\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14575 WEB-ACTIVEX NavigationCtl Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vmappsdk.NavigationCtl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vmappsdk\.NavigationCtl\x22|\x27Vmappsdk\.NavigationCtl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.NavigationCtl\x22|\x27Vmappsdk\.NavigationCtl\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14576 WEB-ACTIVEX NavigationCtl Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|N|00|a|00|v|00|i|00|g|00|a|00|t|00|i|00|o|00|n|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00N\x00a\x00v\x00i\x00g\x00a\x00t\x00i\x00o\x00n\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00N\x00a\x00v\x00i\x00g\x00a\x00t\x00i\x00o\x00n\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14577 WEB-ACTIVEX NavigationCtl Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"f76e4799-379b-4362-bcc4-68b753d10744"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*f76e4799-379b-4362-bcc4-68b753d10744\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14578 WEB-ACTIVEX VMList Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"f|00|7|00|6|00|e|00|4|00|7|00|9|00|9|00|-|00|3|00|7|00|9|00|b|00|-|00|4|00|3|00|6|00|2|00|-|00|b|00|c|00|c|00|4|00|-|00|6|00|8|00|b|00|7|00|5|00|3|00|d|00|1|00|0|00|7|00|4|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*f\x007\x006\x00e\x004\x007\x009\x009\x00-\x003\x007\x009\x00b\x00-\x004\x003\x006\x002\x00-\x00b\x00c\x00c\x004\x00-\x006\x008\x00b\x007\x005\x003\x00d\x001\x000\x007\x004\x004\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14579 WEB-ACTIVEX VMList Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VmdbCOM.VMList"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VmdbCOM\.VMList\x22|\x27VmdbCOM\.VMList\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VmdbCOM\.VMList\x22|\x27VmdbCOM\.VMList\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14580 WEB-ACTIVEX VMList Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|d|00|b|00|C|00|O|00|M|00|.|00|V|00|M|00|L|00|i|00|s|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00L\x00i\x00s\x00t\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00d\x00b\x00C\x00O\x00M\x00.\x00V\x00M\x00L\x00i\x00s\x00t\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14581 WEB-ACTIVEX VMList Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"fcac0ad0-ff50-4dba-8c79-f17102e15c02"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*fcac0ad0-ff50-4dba-8c79-f17102e15c02\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14582 WEB-ACTIVEX VMWare unspecified 25 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"f|00|c|00|a|00|c|00|0|00|a|00|d|00|0|00|-|00|f|00|f|00|5|00|0|00|-|00|4|00|d|00|b|00|a|00|-|00|8|00|c|00|7|00|9|00|-|00|f|00|1|00|7|00|1|00|0|00|2|00|e|00|1|00|5|00|c|00|0|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*f\x00c\x00a\x00c\x000\x00a\x00d\x000\x00-\x00f\x00f\x005\x000\x00-\x004\x00d\x00b\x00a\x00-\x008\x00c\x007\x009\x00-\x00f\x001\x007\x001\x000\x002\x00e\x001\x005\x00c\x000\x002\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14583 WEB-ACTIVEX VMWare unspecified 25 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"fd1e7da6-fbda-49aa-9488-4a1fc2ec7826"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*fd1e7da6-fbda-49aa-9488-4a1fc2ec7826\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14584 WEB-ACTIVEX VMWare unspecified 26 ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"f|00|d|00|1|00|e|00|7|00|d|00|a|00|6|00|-|00|f|00|b|00|d|00|a|00|-|00|4|00|9|00|a|00|a|00|-|00|9|00|4|00|8|00|8|00|-|00|4|00|a|00|1|00|f|00|c|00|2|00|e|00|c|00|7|00|8|00|2|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*f\x00d\x001\x00e\x007\x00d\x00a\x006\x00-\x00f\x00b\x00d\x00a\x00-\x004\x009\x00a\x00a\x00-\x009\x004\x008\x008\x00-\x004\x00a\x001\x00f\x00c\x002\x00e\x00c\x007\x008\x002\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14585 WEB-ACTIVEX VMWare unspecified 26 ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"fd99f74c-9d06-415e-8c60-a249d16f1d77"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*fd99f74c-9d06-415e-8c60-a249d16f1d77\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14586 WEB-ACTIVEX CurrentVMCtl Class ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"f|00|d|00|9|00|9|00|f|00|7|00|4|00|c|00|-|00|9|00|d|00|0|00|6|00|-|00|4|00|1|00|5|00|e|00|-|00|8|00|c|00|6|00|0|00|-|00|a|00|2|00|4|00|9|00|d|00|1|00|6|00|f|00|1|00|d|00|7|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*f\x00d\x009\x009\x00f\x007\x004\x00c\x00-\x009\x00d\x000\x006\x00-\x004\x001\x005\x00e\x00-\x008\x00c\x006\x000\x00-\x00a\x002\x004\x009\x00d\x001\x006\x00f\x001\x00d\x007\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14587 WEB-ACTIVEX CurrentVMCtl Class ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Vmappsdk.CurrentVMCtl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Vmappsdk\.CurrentVMCtl\x22|\x27Vmappsdk\.CurrentVMCtl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Vmappsdk\.CurrentVMCtl\x22|\x27Vmappsdk\.CurrentVMCtl\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14588 WEB-ACTIVEX CurrentVMCtl Class ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|a|00|p|00|p|00|s|00|d|00|k|00|.|00|C|00|u|00|r|00|r|00|e|00|n|00|t|00|V|00|M|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00C\x00u\x00r\x00r\x00e\x00n\x00t\x00V\x00M\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00a\x00p\x00p\x00s\x00d\x00k\x00.\x00C\x00u\x00r\x00r\x00e\x00n\x00t\x00V\x00M\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14589 WEB-ACTIVEX CurrentVMCtl Class ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FDE6485C-53E6-4E1F-BBFD-12D92384ECD2"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FDE6485C-53E6-4E1F-BBFD-12D92384ECD2\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14590 WEB-ACTIVEX VhdCvtCom.DiskLibHelper ActiveX clsid access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|D|00|E|00|6|00|4|00|8|00|5|00|C|00|-|00|5|00|3|00|E|00|6|00|-|00|4|00|E|00|1|00|F|00|-|00|B|00|B|00|F|00|D|00|-|00|1|00|2|00|D|00|9|00|2|00|3|00|8|00|4|00|E|00|C|00|D|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x00D\x00E\x006\x004\x008\x005\x00C\x00-\x005\x003\x00E\x006\x00-\x004\x00E\x001\x00F\x00-\x00B\x00B\x00F\x00D\x00-\x001\x002\x00D\x009\x002\x003\x008\x004\x00E\x00C\x00D\x002\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14591 WEB-ACTIVEX VhdCvtCom.DiskLibHelper ActiveX clsid unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VhdCvtCom.DiskLibHelper"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VhdCvtCom\.DiskLibHelper\x22|\x27VhdCvtCom\.DiskLibHelper\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VhdCvtCom\.DiskLibHelper\x22|\x27VhdCvtCom\.DiskLibHelper\x27)\s*\)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14592 WEB-ACTIVEX VhdCvtCom.DiskLibHelper ActiveX function call access www.vmware.com/security/advisories/VMSA-2008-0014.html 30934 attempted-user 2008-3696 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|h|00|d|00|C|00|v|00|t|00|C|00|o|00|m|00|.|00|D|00|i|00|s|00|k|00|L|00|i|00|b|00|H|00|e|00|l|00|p|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)V\x00h\x00d\x00C\x00v\x00t\x00C\x00o\x00m\x00.\x00D\x00i\x00s\x00k\x00L\x00i\x00b\x00H\x00e\x00l\x00p\x00e\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)V\x00h\x00d\x00C\x00v\x00t\x00C\x00o\x00m\x00.\x00D\x00i\x00s\x00k\x00L\x00i\x00b\x00H\x00e\x00l\x00p\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14593 WEB-ACTIVEX VhdCvtCom.DiskLibHelper ActiveX function call unicode access www.vmware.com/security/advisories/VMSA-2008-0014.html 31096 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2BCEAECE-6121-4E78-816C-8CD3121361B0"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2BCEAECE-6121-4E78-816C-8CD3121361B0\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ExecutePreferredApplication)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2BCEAECE-6121-4E78-816C-8CD3121361B0\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(ExecutePreferredApplication))\s*\(/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14594 WEB-ACTIVEX Peachtree Accounting 2004 ActiveX clsid access 31096 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|B|00|C|00|E|00|A|00|E|00|C|00|E|00|-|00|6|00|1|00|2|00|1|00|-|00|4|00|E|00|7|00|8|00|-|00|8|00|1|00|6|00|C|00|-|00|8|00|C|00|D|00|3|00|1|00|2|00|1|00|3|00|6|00|1|00|B|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x00B\x00C\x00E\x00A\x00E\x00C\x00E\x00-\x006\x001\x002\x001\x00-\x004\x00E\x007\x008\x00-\x008\x001\x006\x00C\x00-\x008\x00C\x00D\x003\x001\x002\x001\x003\x006\x001\x00B\x000\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14595 WEB-ACTIVEX Peachtree Accounting 2004 ActiveX clsid unicode access 31200 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C945E31A-102E-4A0D-8854-D599D7AED5FA"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C945E31A-102E-4A0D-8854-D599D7AED5FA\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Archive)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C945E31A-102E-4A0D-8854-D599D7AED5FA\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Archive))\s*\(/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14596 WEB-ACTIVEX ComponentOne VSFlexGrid ActiveX clsid access 31200 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|9|00|4|00|5|00|E|00|3|00|1|00|A|00|-|00|1|00|0|00|2|00|E|00|-|00|4|00|A|00|0|00|D|00|-|00|8|00|8|00|5|00|4|00|-|00|D|00|5|00|9|00|9|00|D|00|7|00|A|00|E|00|D|00|5|00|F|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x009\x004\x005\x00E\x003\x001\x00A\x00-\x001\x000\x002\x00E\x00-\x004\x00A\x000\x00D\x00-\x008\x008\x005\x004\x00-\x00D\x005\x009\x009\x00D\x007\x00A\x00E\x00D\x005\x00F\x00A\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14597 WEB-ACTIVEX ComponentOne VSFlexGrid ActiveX clsid unicode access 31200 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VSFlexGrid8.VSFlexGridADO"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VSFlexGrid8\.VSFlexGridADO\x22|\x27VSFlexGrid8\.VSFlexGridADO\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Archive\s*|.*(?P=v)\s*\.\s*Archive\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VSFlexGrid8\.VSFlexGridADO\x22|\x27VSFlexGrid8\.VSFlexGridADO\x27)\s*\)(\s*\.\s*Archive\s*|.*(?P=n)\s*\.\s*Archive\s*)\s*\(/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14598 WEB-ACTIVEX ComponentOne VSFlexGrid ActiveX function call access 31200 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|S|00|F|00|l|00|e|00|x|00|G|00|r|00|i|00|d|00|8|00|.|00|V|00|S|00|F|00|l|00|e|00|x|00|G|00|r|00|i|00|d|00|A|00|D|00|O|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)V\x00S\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x008\x00.\x00V\x00S\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x00A\x00D\x00O\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)V\x00S\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x008\x00.\x00V\x00S\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x00A\x00D\x00O\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14599 WEB-ACTIVEX ComponentOne VSFlexGrid ActiveX function call unicode access 31227 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8569D715-FF88-44BA-8D1D-AD3E59543DDE"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8569D715-FF88-44BA-8D1D-AD3E59543DDE\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Pages.Save|PrintReport|Canvas.Save)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8569D715-FF88-44BA-8D1D-AD3E59543DDE\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Pages.Save|PrintReport|Canvas.Save))\s*\(/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14603 WEB-ACTIVEX Data Dynamics ActiveReport ARViewer2 ActiveX clsid access 31227 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|5|00|6|00|9|00|D|00|7|00|1|00|5|00|-|00|F|00|F|00|8|00|8|00|-|00|4|00|4|00|B|00|A|00|-|00|8|00|D|00|1|00|D|00|-|00|A|00|D|00|3|00|E|00|5|00|9|00|5|00|4|00|3|00|D|00|D|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x005\x006\x009\x00D\x007\x001\x005\x00-\x00F\x00F\x008\x008\x00-\x004\x004\x00B\x00A\x00-\x008\x00D\x001\x00D\x00-\x00A\x00D\x003\x00E\x005\x009\x005\x004\x003\x00D\x00D\x00E\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14604 WEB-ACTIVEX Data Dynamics ActiveReport ARViewer2 ActiveX clsid unicode access 31227 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DDActiveReportsViewer2.ARViewer2"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22DDActiveReportsViewer2\.ARViewer2\x22|\x27DDActiveReportsViewer2\.ARViewer2\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Pages.Save|PrintReport|Canvas.Save)\s*|.*(?P=v)\s*\.\s*(Pages.Save|PrintReport|Canvas.Save)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DDActiveReportsViewer2\.ARViewer2\x22|\x27DDActiveReportsViewer2\.ARViewer2\x27)\s*\)(\s*\.\s*(Pages.Save|PrintReport|Canvas.Save)\s*|.*(?P=n)\s*\.\s*(Pages.Save|PrintReport|Canvas.Save)\s*)\s*\(/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14605 WEB-ACTIVEX Data Dynamics ActiveReport ARViewer2 ActiveX function call access 31227 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|D|00|A|00|c|00|t|00|i|00|v|00|e|00|R|00|e|00|p|00|o|00|r|00|t|00|s|00|V|00|i|00|e|00|w|00|e|00|r|00|2|00|.|00|A|00|R|00|V|00|i|00|e|00|w|00|e|00|r|00|2|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)D\x00D\x00A\x00c\x00t\x00i\x00v\x00e\x00R\x00e\x00p\x00o\x00r\x00t\x00s\x00V\x00i\x00e\x00w\x00e\x00r\x002\x00.\x00A\x00R\x00V\x00i\x00e\x00w\x00e\x00r\x002\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)D\x00D\x00A\x00c\x00t\x00i\x00v\x00e\x00R\x00e\x00p\x00o\x00r\x00t\x00s\x00V\x00i\x00e\x00w\x00e\x00r\x002\x00.\x00A\x00R\x00V\x00i\x00e\x00w\x00e\x00r\x002\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14606 WEB-ACTIVEX Data Dynamics ActiveReport ARViewer2 ActiveX function call unicode access 23635 attempted-admin 2007-2139 tcp $EXTERNAL_NET any -> $HOME_NET [1024:] flow:to_server,established; dsize:>61; content:"|00 06 09|~"; depth:4; offset:16; pcre:"/^.{4}\x00\x00\x00(\xF0|\xEF|\xF5).{36}/smiR"; pcre:!"/^_[^_]{1,64}_[^_]{1,64}_/smiR"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 14607 EXPLOIT CA Brightstor SUN RPC malformed string buffer overflow attempt 30934 attempted-user 2008-3892 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"38DB77F9-058D-4955-98AA-4A9F3B6A5B06"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*38DB77F9-058D-4955-98AA-4A9F3B6A5B06\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GuestInfo)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|\x26\x23039\x3b|)\s*clsid\s*\x3a\s*{?\s*38DB77F9-058D-4955-98AA-4A9F3B6A5B06\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|\x26\x23039\x3b|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GuestInfo))\s*\(/Osi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 14611 WEB-ACTIVEX VMWare VMCtl Class ActiveX clsid access 30934 attempted-user 2008-3892 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|8|00|D|00|B|00|7|00|7|00|F|00|9|00|-|00|0|00|5|00|8|00|D|00|-|00|4|00|9|00|5|00|5|00|-|00|9|00|8|00|A|00|A|00|-|00|4|00|A|00|9|00|F|00|3|00|B|00|6|00|A|00|5|00|B|00|0|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x008\x00D\x00B\x007\x007\x00F\x009\x00-\x000\x005\x008\x00D\x00-\x004\x009\x005\x005\x00-\x009\x008\x00A\x00A\x00-\x004\x00A\x009\x00F\x003\x00B\x006\x00A\x005\x00B\x000\x006\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14612 WEB-ACTIVEX VMWare VMCtl Class ActiveX clsid unicode access 30934 attempted-user 2008-3892 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VmCOM.VmCtl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VmCOM\.VmCtl\x22|\x27VmCOM\.VmCtl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*GuestInfo\s*|.*(?P=v)\s*\.\s*GuestInfo\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VmCOM\.VmCtl\x22|\x27VmCOM\.VmCtl\x27)\s*\)(\s*\.\s*GuestInfo\s*|.*(?P=n)\s*\.\s*GuestInfo\s*)\s*\(/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14613 WEB-ACTIVEX VMWare VMCtl Class ActiveX function call access 30934 attempted-user 2008-3892 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|m|00|C|00|O|00|M|00|.|00|V|00|m|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)V\x00m\x00C\x00O\x00M\x00.\x00V\x00m\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)V\x00m\x00C\x00O\x00M\x00.\x00V\x00m\x00C\x00t\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14614 WEB-ACTIVEX VMWare VMCtl Class ActiveX function call unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"67A5F8DC-1A4B-4D66-9F24-A704AD929EEE"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*67A5F8DC-1A4B-4D66-9F24-A704AD929EEE\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14631 WEB-ACTIVEX SystemRequirementsLab ActiveX clsid access www.systemrequirementslab.com/bulletins/security_bulletin_1.html attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|7|00|A|00|5|00|F|00|8|00|D|00|C|00|-|00|1|00|A|00|4|00|B|00|-|00|4|00|D|00|6|00|6|00|-|00|9|00|F|00|2|00|4|00|-|00|A|00|7|00|0|00|4|00|A|00|D|00|9|00|2|00|9|00|E|00|E|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x007\x00A\x005\x00F\x008\x00D\x00C\x00-\x001\x00A\x004\x00B\x00-\x004\x00D\x006\x006\x00-\x009\x00F\x002\x004\x00-\x00A\x007\x000\x004\x00A\x00D\x009\x002\x009\x00E\x00E\x00E\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14632 WEB-ACTIVEX SystemRequirementsLab ActiveX clsid unicode access www.systemrequirementslab.com/bulletins/security_bulletin_1.html 29279 attempted-user 2008-0957 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E48BB416-C578-4A62-84C9-5E3389ABE5FC"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q3>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E48BB416-C578-4A62-84C9-5E3389ABE5FC\s*}?\s*(?P=q3)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14633 WEB-ACTIVEX PhotoStockPlus ActiveX clsid access support.microsoft.com/kb/956391 29279 attempted-user 2008-0957 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|4|00|8|00|B|00|B|00|4|00|1|00|6|00|-|00|C|00|5|00|7|00|8|00|-|00|4|00|A|00|6|00|2|00|-|00|8|00|4|00|C|00|9|00|-|00|5|00|E|00|3|00|3|00|8|00|9|00|A|00|B|00|E|00|5|00|F|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q4>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x004\x008\x00B\x00B\x004\x001\x006\x00-\x00C\x005\x007\x008\x00-\x004\x00A\x006\x002\x00-\x008\x004\x00C\x009\x00-\x005\x00E\x003\x003\x008\x009\x00A\x00B\x00E\x005\x00F\x00C\x00(}\x00)?(?P=q4)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14634 WEB-ACTIVEX PhotoStockPlus ActiveX clsid unicode access support.microsoft.com/kb/956391 attempted-user 2008-3015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FA91DF8D-53AB-455D-AB20-F2F023E498D3"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FA91DF8D-53AB-455D-AB20-F2F023E498D3\s*}?\s*(?P=q5)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14635 WEB-ACTIVEX Microsoft RSClientPrint ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms08-052.mspx attempted-user 2008-3015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|A|00|9|00|1|00|D|00|F|00|8|00|D|00|-|00|5|00|3|00|A|00|B|00|-|00|4|00|5|00|5|00|D|00|-|00|A|00|B|00|2|00|0|00|-|00|F|00|2|00|F|00|0|00|2|00|3|00|E|00|4|00|9|00|8|00|D|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q6>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x00A\x009\x001\x00D\x00F\x008\x00D\x00-\x005\x003\x00A\x00B\x00-\x004\x005\x005\x00D\x00-\x00A\x00B\x002\x000\x00-\x00F\x002\x00F\x000\x002\x003\x00E\x004\x009\x008\x00D\x003\x00(}\x00)?(?P=q6)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14636 WEB-ACTIVEX Microsoft RSClientPrint ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms08-052.mspx 31632 attempted-user 2008-4493 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"507813C3-0B26-47AD-A8C0-D483C7A21FA7"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*507813C3-0B26-47AD-A8C0-D483C7A21FA7\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AddString|Post)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*507813C3-0B26-47AD-A8C0-D483C7A21FA7\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(AddString|Post))\s*\(/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14637 WEB-ACTIVEX Microsoft PicturePusher ActiveX clsid access 31632 attempted-user 2008-4493 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|0|00|7|00|8|00|1|00|3|00|C|00|3|00|-|00|0|00|B|00|2|00|6|00|-|00|4|00|7|00|A|00|D|00|-|00|A|00|8|00|C|00|0|00|-|00|D|00|4|00|8|00|3|00|C|00|7|00|A|00|2|00|1|00|F|00|A|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x000\x007\x008\x001\x003\x00C\x003\x00-\x000\x00B\x002\x006\x00-\x004\x007\x00A\x00D\x00-\x00A\x008\x00C\x000\x00-\x00D\x004\x008\x003\x00C\x007\x00A\x002\x001\x00F\x00A\x007\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14638 WEB-ACTIVEX Microsoft PicturePusher ActiveX clsid unicode access 31632 attempted-user 2008-4493 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Microsoft.DIG.PicturePusherControl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Microsoft\.DIG\.PicturePusherControl\x22|\x27Microsoft\.DIG\.PicturePusherControl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(AddString|Post)\s*|.*(?P=v)\s*\.\s*(AddString|Post)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Microsoft\.DIG\.PicturePusherControl\x22|\x27Microsoft\.DIG\.PicturePusherControl\x27)\s*\)(\s*\.\s*(AddString|Post)\s*|.*(?P=n)\s*\.\s*(AddString|Post)\s*)\s*\(/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14639 WEB-ACTIVEX Microsoft PicturePusher ActiveX function call access 31632 attempted-user 2008-4493 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|.|00|D|00|I|00|G|00|.|00|P|00|i|00|c|00|t|00|u|00|r|00|e|00|P|00|u|00|s|00|h|00|e|00|r|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)M\x00i\x00c\x00r\x00o\x00s\x00o\x00f\x00t\x00.\x00D\x00I\x00G\x00.\x00P\x00i\x00c\x00t\x00u\x00r\x00e\x00P\x00u\x00s\x00h\x00e\x00r\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)M\x00i\x00c\x00r\x00o\x00s\x00o\x00f\x00t\x00.\x00D\x00I\x00G\x00.\x00P\x00i\x00c\x00t\x00u\x00r\x00e\x00P\x00u\x00s\x00h\x00e\x00r\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14640 WEB-ACTIVEX Microsoft PicturePusher ActiveX function call unicode access protocol-command-decode 2008-4038 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|14647, service netbios-dgm, policy balanced-ips drop, policy security-ips drop; 14647 NETBIOS-DG SMB Search Search filename size integer underflow attempt www.microsoft.com/technet/security/bulletin/MS08-063.mspx protocol-command-decode 2008-4038 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|14648, service netbios-dgm, policy balanced-ips drop, policy security-ips drop; 14648 NETBIOS-DG SMB Search unicode Search filename size integer underflow attempt www.microsoft.com/technet/security/bulletin/MS08-063.mspx protocol-command-decode 2008-4038 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|14649, service netbios-ssn, policy balanced-ips drop, policy security-ips drop; 14649 NETBIOS SMB Search Search filename size integer underflow attempt www.microsoft.com/technet/security/bulletin/MS08-063.mspx protocol-command-decode 2008-4038 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|14650, service netbios-ssn, policy balanced-ips drop, policy security-ips drop; 14650 NETBIOS SMB Search unicode Search filename size integer underflow attempt www.microsoft.com/technet/security/bulletin/MS08-063.mspx protocol-command-decode 2008-4038 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|14651, service netbios-dgm, policy balanced-ips drop, policy security-ips drop; 14651 NETBIOS-DG SMB Search andx Search filename size integer underflow attempt www.microsoft.com/technet/security/bulletin/MS08-063.mspx protocol-command-decode 2008-4038 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|14652, service netbios-dgm, policy balanced-ips drop, policy security-ips drop; 14652 NETBIOS-DG SMB Search unicode andx Search filename size integer underflow attempt www.microsoft.com/technet/security/bulletin/MS08-063.mspx protocol-command-decode 2008-4038 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|14653, service netbios-ssn, policy balanced-ips drop, policy security-ips drop; 14653 NETBIOS SMB Search andx Search filename size integer underflow attempt www.microsoft.com/technet/security/bulletin/MS08-063.mspx protocol-command-decode 2008-4038 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|14654, service netbios-ssn, policy balanced-ips drop, policy security-ips drop; 14654 NETBIOS SMB Search unicode andx Search filename size integer underflow attempt www.microsoft.com/technet/security/bulletin/MS08-063.mspx protocol-command-decode 2008-1446 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; flowbits:set,dce.spoolss.4.call; flowbits:noalert; metadata: engine shared, soid 3|14661, service netbios-ssn, policy balanced-ips drop, policy security-ips drop; 14661 NETBIOS DCERPC NCACN-IP-TCP spoolss EnumJobs attempt www.microsoft.com/technet/security/Bulletin/MS08-062.mspx protocol-command-decode 2008-1446 tcp $HOME_NET [139,445] -> $EXTERNAL_NET any gid:3; classtype:protocol-command-decode; flowbits:isset,dce.spoolss.4.call; metadata: engine shared, soid 3|14709, service dcerpc, policy balanced-ips drop, policy security-ips drop; 14709 NETBIOS SMB spoolss EnumJobs response WriteAndX unicode little endian attempt www.microsoft.com/technet/security/Bulletin/MS08-062.mspx protocol-command-decode 2008-1446 tcp $HOME_NET [139,445] -> $EXTERNAL_NET any gid:3; classtype:protocol-command-decode; flowbits:isset,dce.spoolss.4.call; metadata: engine shared, soid 3|14711, service dcerpc, policy balanced-ips drop, policy security-ips drop; 14711 NETBIOS SMB spoolss EnumJobs response little endian attempt www.microsoft.com/technet/security/Bulletin/MS08-062.mspx protocol-command-decode 2008-1446 tcp $HOME_NET [139,445] -> $EXTERNAL_NET any gid:3; classtype:protocol-command-decode; flowbits:isset,dce.spoolss.4.call; metadata: engine shared, soid 3|14712, service dcerpc, policy balanced-ips drop, policy security-ips drop; 14712 NETBIOS SMB spoolss EnumJobs response WriteAndX little endian attempt www.microsoft.com/technet/security/Bulletin/MS08-062.mspx protocol-command-decode 2008-1446 tcp $HOME_NET [139,445] -> $EXTERNAL_NET any gid:3; classtype:protocol-command-decode; flowbits:isset,dce.spoolss.4.call; metadata: engine shared, soid 3|14713, service dcerpc, policy balanced-ips drop, policy security-ips drop; 14713 NETBIOS SMB spoolss EnumJobs response attempt www.microsoft.com/technet/security/Bulletin/MS08-062.mspx protocol-command-decode 2008-1446 tcp $HOME_NET [139,445] -> $EXTERNAL_NET any gid:3; classtype:protocol-command-decode; flowbits:isset,dce.spoolss.4.call; metadata: engine shared, soid 3|14714, service dcerpc, policy balanced-ips drop, policy security-ips drop; 14714 NETBIOS SMB spoolss EnumJobs response unicode attempt www.microsoft.com/technet/security/Bulletin/MS08-062.mspx protocol-command-decode 2008-1446 tcp $HOME_NET [139,445] -> $EXTERNAL_NET any gid:3; classtype:protocol-command-decode; flowbits:isset,dce.spoolss.4.call; metadata: engine shared, soid 3|14715, service dcerpc, policy balanced-ips drop, policy security-ips drop; 14715 NETBIOS SMB spoolss EnumJobs response WriteAndX attempt www.microsoft.com/technet/security/Bulletin/MS08-062.mspx protocol-command-decode 2008-1446 tcp $HOME_NET [139,445] -> $EXTERNAL_NET any gid:3; classtype:protocol-command-decode; flowbits:isset,dce.spoolss.4.call; metadata: engine shared, soid 3|14716, service dcerpc, policy balanced-ips drop, policy security-ips drop; 14716 NETBIOS SMB spoolss EnumJobs response WriteAndX unicode attempt www.microsoft.com/technet/security/Bulletin/MS08-062.mspx protocol-command-decode 2008-1446 tcp $HOME_NET [139,445] -> $EXTERNAL_NET any gid:3; classtype:protocol-command-decode; flowbits:isset,dce.spoolss.4.call; metadata: engine shared, soid 3|14717, service dcerpc, policy balanced-ips drop, policy security-ips drop; 14717 NETBIOS SMB spoolss EnumJobs response WriteAndX unicode little endian andx attempt www.microsoft.com/technet/security/Bulletin/MS08-062.mspx protocol-command-decode 2008-1446 tcp $HOME_NET [139,445] -> $EXTERNAL_NET any gid:3; classtype:protocol-command-decode; flowbits:isset,dce.spoolss.4.call; metadata: engine shared, soid 3|14718, service dcerpc, policy balanced-ips drop, policy security-ips drop; 14718 NETBIOS SMB spoolss EnumJobs response unicode little endian andx attempt www.microsoft.com/technet/security/Bulletin/MS08-062.mspx protocol-command-decode 2008-1446 tcp $HOME_NET [139,445] -> $EXTERNAL_NET any gid:3; classtype:protocol-command-decode; flowbits:isset,dce.spoolss.4.call; metadata: engine shared, soid 3|14719, service dcerpc, policy balanced-ips drop, policy security-ips drop; 14719 NETBIOS SMB spoolss EnumJobs response little endian andx attempt www.microsoft.com/technet/security/Bulletin/MS08-062.mspx protocol-command-decode 2008-1446 tcp $HOME_NET [139,445] -> $EXTERNAL_NET any gid:3; classtype:protocol-command-decode; flowbits:isset,dce.spoolss.4.call; metadata: engine shared, soid 3|14720, service dcerpc, policy balanced-ips drop, policy security-ips drop; 14720 NETBIOS SMB spoolss EnumJobs response WriteAndX little endian andx attempt www.microsoft.com/technet/security/Bulletin/MS08-062.mspx protocol-command-decode 2008-1446 tcp $HOME_NET [139,445] -> $EXTERNAL_NET any gid:3; classtype:protocol-command-decode; flowbits:isset,dce.spoolss.4.call; metadata: engine shared, soid 3|14721, service dcerpc, policy balanced-ips drop, policy security-ips drop; 14721 NETBIOS SMB spoolss EnumJobs response andx attempt www.microsoft.com/technet/security/Bulletin/MS08-062.mspx protocol-command-decode 2008-1446 tcp $HOME_NET [139,445] -> $EXTERNAL_NET any gid:3; classtype:protocol-command-decode; flowbits:isset,dce.spoolss.4.call; metadata: engine shared, soid 3|14722, service dcerpc, policy balanced-ips drop, policy security-ips drop; 14722 NETBIOS SMB spoolss EnumJobs response unicode andx attempt www.microsoft.com/technet/security/Bulletin/MS08-062.mspx protocol-command-decode 2008-1446 tcp $HOME_NET [139,445] -> $EXTERNAL_NET any gid:3; classtype:protocol-command-decode; flowbits:isset,dce.spoolss.4.call; metadata: engine shared, soid 3|14723, service dcerpc, policy balanced-ips drop, policy security-ips drop; 14723 NETBIOS SMB spoolss EnumJobs response WriteAndX andx attempt www.microsoft.com/technet/security/Bulletin/MS08-062.mspx protocol-command-decode 2008-1446 tcp $HOME_NET [139,445] -> $EXTERNAL_NET any gid:3; classtype:protocol-command-decode; flowbits:isset,dce.spoolss.4.call; metadata: engine shared, soid 3|14724, service dcerpc, policy balanced-ips drop, policy security-ips drop; 14724 NETBIOS SMB spoolss EnumJobs response WriteAndX unicode andx attempt www.microsoft.com/technet/security/Bulletin/MS08-062.mspx attempted-admin 2008-3479 tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|14725, service dcerpc, policy balanced-ips drop, policy security-ips drop; 14725 NETBIOS DCERPC NCACN-IP-TCP mqqm QMGetRemoteQueueName overflow attempt www.microsoft.com/technet/security/bulletin/ms08-065.mspx attempted-admin 2008-3479 udp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|14726, service dcerpc, policy balanced-ips drop, policy security-ips drop; 14726 NETBIOS DCERPC NCADG-IP-UDP mqqm QMGetRemoteQueueName overflow attempt www.microsoft.com/technet/security/bulletin/ms08-065.mspx protocol-command-decode 2008-3466 tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|14737, service dcerpc, policy balanced-ips drop, policy security-ips drop; 14737 NETBIOS DCERPC NCACN-IP-TCP host-integration bind attempt www.microsoft.com/technet/security/Bulletin/MS08-059.mspx 31783 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FFB6CC68-702D-4FE2-A8E7-4DE23835F0D2"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FFB6CC68-702D-4FE2-A8E7-4DE23835F0D2\s*}?\s*(?P=q1)(\s|>)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14744 WEB-ACTIVEX Hummingbird HostExplorer ActiveX clsid access 31783 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|F|00|B|00|6|00|C|00|C|00|6|00|8|00|-|00|7|00|0|00|2|00|D|00|-|00|4|00|F|00|E|00|2|00|-|00|A|00|8|00|E|00|7|00|-|00|4|00|D|00|E|00|2|00|3|00|8|00|3|00|5|00|F|00|0|00|D|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x00F\x00B\x006\x00C\x00C\x006\x008\x00-\x007\x000\x002\x00D\x00-\x004\x00F\x00E\x002\x00-\x00A\x008\x00E\x007\x00-\x004\x00D\x00E\x002\x003\x008\x003\x005\x00F\x000\x00D\x002\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14745 WEB-ACTIVEX Hummingbird HostExplorer ActiveX clsid unicode access 31490 attempted-user 2008-4472 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A662DA7E-CCB7-4743-B71A-D817F6D575DF"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q3>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A662DA7E-CCB7-4743-B71A-D817F6D575DF\s*}?\s*(?P=q3)(\s|>).*(?P=id1)\s*\.\s*(SaveAs)|<object\s*[^>]*\s*classid\s*=\s*(?P<q4>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A662DA7E-CCB7-4743-B71A-D817F6D575DF\s*}?\s*(?P=q4)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SaveAs))\s*\(/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14746 WEB-ACTIVEX Autodesk DWF Viewer ActiveX clsid access 31490 attempted-user 2008-4472 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|6|00|6|00|2|00|D|00|A|00|7|00|E|00|-|00|C|00|C|00|B|00|7|00|-|00|4|00|7|00|4|00|3|00|-|00|B|00|7|00|1|00|A|00|-|00|D|00|8|00|1|00|7|00|F|00|6|00|D|00|5|00|7|00|5|00|D|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q5>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x006\x006\x002\x00D\x00A\x007\x00E\x00-\x00C\x00C\x00B\x007\x00-\x004\x007\x004\x003\x00-\x00B\x007\x001\x00A\x00-\x00D\x008\x001\x007\x00F\x006\x00D\x005\x007\x005\x00D\x00F\x00(}\x00)?(?P=q5)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14747 WEB-ACTIVEX Autodesk DWF Viewer ActiveX clsid unicode access 31490 attempted-user 2008-4472 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"89EC7921-729B-4116-A819-DF86A4A5776B"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*89EC7921-729B-4116-A819-DF86A4A5776B\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(ApplyPatch)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|\x26\x23039\x3b|)\s*clsid\s*\x3a\s*{?\s*89EC7921-729B-4116-A819-DF86A4A5776B\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|\x27|\x26\x23039\x3b|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(ApplyPatch))\s*\(/Osi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 14748 WEB-ACTIVEX Autodesk LiveUpdate ActiveX clsid access 31490 attempted-user 2008-4472 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|9|00|E|00|C|00|7|00|9|00|2|00|1|00|-|00|7|00|2|00|9|00|B|00|-|00|4|00|1|00|1|00|6|00|-|00|A|00|8|00|1|00|9|00|-|00|D|00|F|00|8|00|6|00|A|00|4|00|A|00|5|00|7|00|7|00|6|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q8>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x009\x00E\x00C\x007\x009\x002\x001\x00-\x007\x002\x009\x00B\x00-\x004\x001\x001\x006\x00-\x00A\x008\x001\x009\x00-\x00D\x00F\x008\x006\x00A\x004\x00A\x005\x007\x007\x006\x00B\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14749 WEB-ACTIVEX Autodesk LiveUpdate ActiveX clsid unicode access 31490 attempted-user 2008-4472 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"LiveUpdate.UpdateEngine"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22LiveUpdate\.UpdateEngine\x22|\x27LiveUpdate\.UpdateEngine\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*ApplyPatch\s*|.*(?P=v)\s*\.\s*ApplyPatch\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LiveUpdate\.UpdateEngine\x22|\x27LiveUpdate\.UpdateEngine\x27)\s*\)(\s*\.\s*ApplyPatch\s*|.*(?P=n)\s*\.\s*ApplyPatch\s*)\s*\(/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14750 WEB-ACTIVEX Autodesk LiveUpdate ActiveX function call access 31490 attempted-user 2008-4472 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"L|00|i|00|v|00|e|00|U|00|p|00|d|00|a|00|t|00|e|00|.|00|U|00|p|00|d|00|a|00|t|00|e|00|E|00|n|00|g|00|i|00|n|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q9>\x22|\x27|)L\x00i\x00v\x00e\x00U\x00p\x00d\x00a\x00t\x00e\x00.\x00U\x00p\x00d\x00a\x00t\x00e\x00E\x00n\x00g\x00i\x00n\x00e\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q10>\x22|\x27|)L\x00i\x00v\x00e\x00U\x00p\x00d\x00a\x00t\x00e\x00.\x00U\x00p\x00d\x00a\x00t\x00e\x00E\x00n\x00g\x00i\x00n\x00e\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14751 WEB-ACTIVEX Autodesk LiveUpdate ActiveX function call unicode access 31435 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0F517994-A6FA-4F39-BD4B-EC2DF00AEEF1"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q11>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0F517994-A6FA-4F39-BD4B-EC2DF00AEEF1\s*}?\s*(?P=q11)(\s|>).*(?P=id1)\s*\.\s*(CanUninstall)|<object\s*[^>]*\s*classid\s*=\s*(?P<q12>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0F517994-A6FA-4F39-BD4B-EC2DF00AEEF1\s*}?\s*(?P=q12)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\.(CanUninstall))\s*\(/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14752 WEB-ACTIVEX Novell ZENworks Desktop Management ActiveX clsid access 31435 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|F|00|5|00|1|00|7|00|9|00|9|00|4|00|-|00|A|00|6|00|F|00|A|00|-|00|4|00|F|00|3|00|9|00|-|00|B|00|D|00|4|00|B|00|-|00|E|00|C|00|2|00|D|00|F|00|0|00|0|00|A|00|E|00|E|00|F|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q13>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00F\x005\x001\x007\x009\x009\x004\x00-\x00A\x006\x00F\x00A\x00-\x004\x00F\x003\x009\x00-\x00B\x00D\x004\x00B\x00-\x00E\x00C\x002\x00D\x00F\x000\x000\x00A\x00E\x00E\x00F\x001\x00(}\x00)?(?P=q13)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14753 WEB-ACTIVEX Novell ZENworks Desktop Management ActiveX clsid unicode access 31435 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AxNalServer.CAxNalWebInterface"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22AxNalServer\.CAxNalWebInterface\x22|\x27AxNalServer\.CAxNalWebInterface\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*CanUninstall\s*|.*(?P=v)\s*\.\s*CanUninstall\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AxNalServer\.CAxNalWebInterface\x22|\x27AxNalServer\.CAxNalWebInterface\x27)\s*\)(\s*\.\s*CanUninstall\s*|.*(?P=n)\s*\.\s*CanUninstall\s*)\s*\(/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14754 WEB-ACTIVEX Novell ZENworks Desktop Management ActiveX function call access 31435 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|x|00|N|00|a|00|l|00|S|00|e|00|r|00|v|00|e|00|r|00|.|00|C|00|A|00|x|00|N|00|a|00|l|00|W|00|e|00|b|00|I|00|n|00|t|00|e|00|r|00|f|00|a|00|c|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q14>\x22|\x27|)A\x00x\x00N\x00a\x00l\x00S\x00e\x00r\x00v\x00e\x00r\x00.\x00C\x00A\x00x\x00N\x00a\x00l\x00W\x00e\x00b\x00I\x00n\x00t\x00e\x00r\x00f\x00a\x00c\x00e\x00(?P=q14)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q15>\x22|\x27|)A\x00x\x00N\x00a\x00l\x00S\x00e\x00r\x00v\x00e\x00r\x00.\x00C\x00A\x00x\x00N\x00a\x00l\x00W\x00e\x00b\x00I\x00n\x00t\x00e\x00r\x00f\x00a\x00c\x00e\x00(?P=q15)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14755 WEB-ACTIVEX Novell ZENworks Desktop Management ActiveX function call unicode access 31604 attempted-user 2008-4384 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3f0eecce-e138-11d1-8712-0060083d83f5"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m9>\x22|\x27|)(?P<id1>.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P<q21>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3f0eecce-e138-11d1-8712-0060083d83f5\s*}?\s*(?P=q21)(\s|>).*(?P=id1)\s*\.\s*(url|toolbar|enableZoomPastMax)|<object\s*[^>]*\s*classid\s*=\s*(?P<q22>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3f0eecce-e138-11d1-8712-0060083d83f5\s*}?\s*(?P=q22)(\s|>)[^>]*\s*id\s*=\s*(?P<m10>\x22|\x27|)(?P<id2>.+?)(?P=m10)(\s|>).*(?P=id2)\s*\.\s*(url|toolbar|enableZoomPastMax))\s*=/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14760 WEB-ACTIVEX iseemedia LPViewer ActiveX clsid access 31604 attempted-user 2008-4384 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|f|00|0|00|e|00|e|00|c|00|c|00|e|00|-|00|e|00|1|00|3|00|8|00|-|00|1|00|1|00|d|00|1|00|-|00|8|00|7|00|1|00|2|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|3|00|d|00|8|00|3|00|f|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q23>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x00f\x000\x00e\x00e\x00c\x00c\x00e\x00-\x00e\x001\x003\x008\x00-\x001\x001\x00d\x001\x00-\x008\x007\x001\x002\x00-\x000\x000\x006\x000\x000\x008\x003\x00d\x008\x003\x00f\x005\x00(}\x00)?(?P=q23)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14761 WEB-ACTIVEX iseemedia LPViewer ActiveX clsid unicode access 31604 attempted-user 2008-4384 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"LPViewer.LPViewer"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22LPViewer\.LPViewer\x22|\x27LPViewer\.LPViewer\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(url|toolbar|enableZoomPastMax)\s*|.*(?P=v)\s*\.\s*(url|toolbar|enableZoomPastMax)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LPViewer\.LPViewer\x22|\x27LPViewer\.LPViewer\x27)\s*\)(\s*\.\s*(url|toolbar|enableZoomPastMax)\s*|.*(?P=n)\s*\.\s*(url|toolbar|enableZoomPastMax))\s*=/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14762 WEB-ACTIVEX iseemedia LPViewer ActiveX function call access 31604 attempted-user 2008-4384 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"L|00|P|00|V|00|i|00|e|00|w|00|e|00|r|00|.|00|L|00|P|00|V|00|i|00|e|00|w|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q24>\x22|\x27|)L\x00P\x00V\x00i\x00e\x00w\x00e\x00r\x00.\x00L\x00P\x00V\x00i\x00e\x00w\x00e\x00r\x00(?P=q24)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q25>\x22|\x27|)L\x00P\x00V\x00i\x00e\x00w\x00e\x00r\x00.\x00L\x00P\x00V\x00i\x00e\x00w\x00e\x00r\x00(?P=q25)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14763 WEB-ACTIVEX iseemedia LPViewer ActiveX function call unicode access attempted-admin 2008-4250 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|14782, service netbios-ssn, policy balanced-ips drop, policy security-ips drop; 14782 NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrpPathCanonicalize path canonicalization stack overflow attempt www.microsoft.com/technet/security/Bulletin/MS08-067.mspx attempted-admin 2008-4250 udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|14783, service netbios-dgm, policy balanced-ips drop, policy security-ips drop; 14783 NETBIOS DCERPC NCADG-IP-UDP srvsvc NetrpPathCanonicalize path canonicalization stack overflow attempt www.microsoft.com/technet/security/Bulletin/MS08-067.mspx attempted-admin 2008-4250 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|C8|O2Kp|16 D3 01 12|xZG|BF|n|E1 88|"; within:16; distance:22; pcre:"/^.{28}(\x00\x1f|\x00\x20)/sR"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{2}/sR"; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align; pcre:"/\x00\.\x00\.\x00[\x2f\x5c]/R"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-dgm; classtype:attempted-admin; 14896 NETBIOS-DG SMB v4 srvsvc NetrpPathCononicalize unicode path cononicalization stack overflow attempt www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 26950 attempted-user 2007-6506 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"HPRulesEngine.ContentCollection"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22HPRulesEngine\.ContentCollection\x22|\x27HPRulesEngine\.ContentCollection\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SaveToFile|LoadFromFile)\s*|.*(?P=v)\s*\.\s*(SaveToFile|LoadFromFile)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22HPRulesEngine\.ContentCollection\x22|\x27HPRulesEngine\.ContentCollection\x27)\s*\)(\s*\.\s*(SaveToFile|LoadFromFile)\s*|.*(?P=n)\s*\.\s*(SaveToFile|LoadFromFile)\s*)\s*\(/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14897 WEB-ACTIVEX HP Software Update RulesEngine.dll ActiveX function call access 26950 attempted-user 2007-6506 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"H|00|P|00|R|00|u|00|l|00|e|00|s|00|E|00|n|00|g|00|i|00|n|00|e|00|.|00|C|00|o|00|n|00|t|00|e|00|n|00|t|00|C|00|o|00|l|00|l|00|e|00|c|00|t|00|i|00|o|00|n|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)H\x00P\x00R\x00u\x00l\x00e\x00s\x00E\x00n\x00g\x00i\x00n\x00e\x00.\x00C\x00o\x00n\x00t\x00e\x00n\x00t\x00C\x00o\x00l\x00l\x00e\x00c\x00t\x00i\x00o\x00n\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)H\x00P\x00R\x00u\x00l\x00e\x00s\x00E\x00n\x00g\x00i\x00n\x00e\x00.\x00C\x00o\x00n\x00t\x00e\x00n\x00t\x00C\x00o\x00l\x00l\x00e\x00c\x00t\x00i\x00o\x00n\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14898 WEB-ACTIVEX HP Software Update RulesEngine.dll ActiveX function call unicode access 24198 attempted-admin 2007-2446 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:4fc742e0-4a10-11cf-8273-00aa004ae673; dce_opnum:5; dce_stub_data; byte_test:4,>,16777215,24,relative,dce; pcre:"/^.{16}(([\x01\x02\x03\x04\xC8]\x00|\x2C\x01)\x00{2}|\x00{2}(\x00[\x01\x02\x03\x04]|\x01\x2C))/sR"; content:"|05 00|"; metadata:policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 14900 NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum overflow attempt 24198 attempted-admin 2007-2446 udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] dce_iface:4fc742e0-4a10-11cf-8273-00aa004ae673; dce_opnum:5; dce_stub_data; byte_test:4,>,16777215,24,relative,dce; pcre:"/^.{16}(([\x01\x02\x03\x04\xC8]\x00|\x2C\x01)\x00{2}|\x00{2}(\x00[\x01\x02\x03\x04]|\x01\x2C))/sR"; content:"|04 00|"; metadata:policy security-ips drop, service netbios-dgm; classtype:attempted-admin; 14988 NETBIOS DCERPC NCADG-IP-UDP netdfs NetrDfsEnum overflow attempt 31984 attempted-user 2008-4919 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BDF3E9D2-5F7A-4F4A-A914-7498C862EA6A"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BDF3E9D2-5F7A-4F4A-A914-7498C862EA6A\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(savePageAsBitmap)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BDF3E9D2-5F7A-4F4A-A914-7498C862EA6A\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(savePageAsBitmap))\s*\(/siO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14993 WEB-ACTIVEX Visagesoft eXPert PDF Viewer ActiveX clsid access 31984 attempted-user 2008-4919 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|D|00|F|00|3|00|E|00|9|00|D|00|2|00|-|00|5|00|F|00|7|00|A|00|-|00|4|00|F|00|4|00|A|00|-|00|A|00|9|00|1|00|4|00|-|00|7|00|4|00|9|00|8|00|C|00|8|00|6|00|2|00|E|00|A|00|6|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x00D\x00F\x003\x00E\x009\x00D\x002\x00-\x005\x00F\x007\x00A\x00-\x004\x00F\x004\x00A\x00-\x00A\x009\x001\x004\x00-\x007\x004\x009\x008\x00C\x008\x006\x002\x00E\x00A\x006\x00A\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14994 WEB-ACTIVEX Visagesoft eXPert PDF Viewer ActiveX clsid unicode access 31984 attempted-user 2008-4919 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VSPDFEditorX.VSPDFEdit"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VSPDFEditorX\.VSPDFEdit(\.\d)?\x22|\x27VSPDFEditorX\.VSPDFEdit(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*savePageAsBitmap\s*|.*(?P=v)\s*\.\s*savePageAsBitmap\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VSPDFEditorX\.VSPDFEdit(\.\d)?\x22|\x27VSPDFEditorX\.VSPDFEdit(\.\d)?\x27)\s*\)(\s*\.\s*savePageAsBitmap\s*|.*(?P=n)\s*\.\s*savePageAsBitmap\s*)\s*\(/smiO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14995 WEB-ACTIVEX Visagesoft eXPert PDF Viewer ActiveX function call access 31984 attempted-user 2008-4919 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|S|00|P|00|D|00|F|00|E|00|d|00|i|00|t|00|o|00|r|00|X|00|.|00|V|00|S|00|P|00|D|00|F|00|E|00|d|00|i|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)V\x00S\x00P\x00D\x00F\x00E\x00d\x00i\x00t\x00o\x00r\x00X\x00.\x00V\x00S\x00P\x00D\x00F\x00E\x00d\x00i\x00t\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)V\x00S\x00P\x00D\x00F\x00E\x00d\x00i\x00t\x00o\x00r\x00X\x00.\x00V\x00S\x00P\x00D\x00F\x00E\x00d\x00i\x00t\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14996 WEB-ACTIVEX Visagesoft eXPert PDF Viewer ActiveX function call unicode access 31996 attempted-user 2008-4800 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7233D6F8-AD31-440F-BAF0-9E7A292A53DA"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q9>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7233D6F8-AD31-440F-BAF0-9E7A292A53DA\s*}?\s*(?P=q9)(\s|>).*(?P=id1)\s*\.\s*(GetEntryPointForThread)|<object\s*[^>]*\s*classid\s*=\s*(?P<q10>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7233D6F8-AD31-440F-BAF0-9E7A292A53DA\s*}?\s*(?P=q10)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\.(GetEntryPointForThread))\s*\(/siO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14999 WEB-ACTIVEX Microsoft Debug Diagnostic Tool ActiveX clsid access 31996 attempted-user 2008-4800 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|2|00|3|00|3|00|D|00|6|00|F|00|8|00|-|00|A|00|D|00|3|00|1|00|-|00|4|00|4|00|0|00|F|00|-|00|B|00|A|00|F|00|0|00|-|00|9|00|E|00|7|00|A|00|2|00|9|00|2|00|A|00|5|00|3|00|D|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q11>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x002\x003\x003\x00D\x006\x00F\x008\x00-\x00A\x00D\x003\x001\x00-\x004\x004\x000\x00F\x00-\x00B\x00A\x00F\x000\x00-\x009\x00E\x007\x00A\x002\x009\x002\x00A\x005\x003\x00D\x00A\x00(}\x00)?(?P=q11)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 15000 WEB-ACTIVEX Microsoft Debug Diagnostic Tool ActiveX clsid unicode access 31996 attempted-user 2008-4800 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CrashHangExt.Utils"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22CrashHangExt\.Utils(\.\d)?\x22|\x27CrashHangExt\.Utils(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*GetEntryPointForThread\s*|.*(?P=v)\s*\.\s*GetEntryPointForThread\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22CrashHangExt\.Utils(\.\d)?\x22|\x27CrashHangExt\.Utils(\.\d)?\x27)\s*\)(\s*\.\s*GetEntryPointForThread\s*|.*(?P=n)\s*\.\s*GetEntryPointForThread\s*)\s*\(/smiO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 15001 WEB-ACTIVEX Microsoft Debug Diagnostic Tool ActiveX function call access 31996 attempted-user 2008-4800 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|r|00|a|00|s|00|h|00|H|00|a|00|n|00|g|00|E|00|x|00|t|00|.|00|U|00|t|00|i|00|l|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q12>\x22|\x27|)C\x00r\x00a\x00s\x00h\x00H\x00a\x00n\x00g\x00E\x00x\x00t\x00.\x00U\x00t\x00i\x00l\x00s\x00(\.\x00\d\x00)?(?P=q12)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q13>\x22|\x27|)C\x00r\x00a\x00s\x00h\x00H\x00a\x00n\x00g\x00E\x00x\x00t\x00.\x00U\x00t\x00i\x00l\x00s\x00(\.\x00\d\x00)?(?P=q13)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 15002 WEB-ACTIVEX Microsoft Debug Diagnostic Tool ActiveX function call unicode access 32073 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3352B5B9-82E8-4FFD-9EB1-1A3E60056904"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q14>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3352B5B9-82E8-4FFD-9EB1-1A3E60056904\s*}?\s*(?P=q14)(\s|>).*(?P=id1)\s*\.\s*(WriteFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q15>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3352B5B9-82E8-4FFD-9EB1-1A3E60056904\s*}?\s*(?P=q15)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\.(WriteFile))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15003 WEB-ACTIVEX Chilkat Crypt 2 ActiveX clsid access 32073 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|3|00|5|00|2|00|B|00|5|00|B|00|9|00|-|00|8|00|2|00|E|00|8|00|-|00|4|00|F|00|F|00|D|00|-|00|9|00|E|00|B|00|1|00|-|00|1|00|A|00|3|00|E|00|6|00|0|00|0|00|5|00|6|00|9|00|0|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q16>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x003\x005\x002\x00B\x005\x00B\x009\x00-\x008\x002\x00E\x008\x00-\x004\x00F\x00F\x00D\x00-\x009\x00E\x00B\x001\x00-\x001\x00A\x003\x00E\x006\x000\x000\x005\x006\x009\x000\x004\x00(}\x00)?(?P=q16)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15004 WEB-ACTIVEX Chilkat Crypt 2 ActiveX clsid unicode access 32073 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ChilkatCrypt2.ChilkatCrypt2"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22ChilkatCrypt2\.ChilkatCrypt2(\.\d)?\x22|\x27ChilkatCrypt2\.ChilkatCrypt2(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*WriteFile\s*|.*(?P=v)\s*\.\s*WriteFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ChilkatCrypt2\.ChilkatCrypt2(\.\d)?\x22|\x27ChilkatCrypt2\.ChilkatCrypt2(\.\d)?\x27)\s*\)(\s*\.\s*WriteFile\s*|.*(?P=n)\s*\.\s*WriteFile\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15005 WEB-ACTIVEX Chilkat Crypt 2 ActiveX function call access 32073 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|h|00|i|00|l|00|k|00|a|00|t|00|C|00|r|00|y|00|p|00|t|00|2|00|.|00|C|00|h|00|i|00|l|00|k|00|a|00|t|00|C|00|r|00|y|00|p|00|t|00|2|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q17>\x22|\x27|)C\x00h\x00i\x00l\x00k\x00a\x00t\x00C\x00r\x00y\x00p\x00t\x002\x00.\x00C\x00h\x00i\x00l\x00k\x00a\x00t\x00C\x00r\x00y\x00p\x00t\x002\x00(\.\x00\d\x00)?(?P=q17)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q18>\x22|\x27|)C\x00h\x00i\x00l\x00k\x00a\x00t\x00C\x00r\x00y\x00p\x00t\x002\x00.\x00C\x00h\x00i\x00l\x00k\x00a\x00t\x00C\x00r\x00y\x00p\x00t\x002\x00(\.\x00\d\x00)?(?P=q18)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15006 WEB-ACTIVEX Chilkat Crypt 2 ActiveX function call unicode access attempted-user 2000-0834 tcp any [139,445] -> any any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15009, policy balanced-ips drop, policy security-ips drop, service netbios-ns; 15009 NETBIOS possible SMB replay attempt - overlapping encryption keys detected www.microsoft.com/technet/security/bulletin/MS10-012.mspx misc-attack 2008-4033 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS gid:3; classtype:misc-attack; metadata: engine shared, soid 3|15011, service http, policy security-ips drop; 15011 WEB-CLIENT Microsoft XML core services cross-domain information disclosure attempt www.microsoft.com/technet/security/bulletin/MS08-069.mspx attempted-admin 2008-4250 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|15015, service netbios-ssn, policy balanced-ips drop, policy security-ips drop; 15015 NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrUseAdd/NetrUseGetInfo/NetrUseDel overflow attempt www.microsoft.com/technet/security/bulletin/MS08-067.mspx 32186 attempted-user 2008-4387 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B01952B0-AF66-11D1-B10D-0060086F6D97"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B01952B0-AF66-11D1-B10D-0060086F6D97\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 15069 WEB-ACTIVEX SAP AG SAPgui mdrmsap ActiveX clsid access 32186 attempted-user 2008-4387 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|0|00|1|00|9|00|5|00|2|00|B|00|0|00|-|00|A|00|F|00|6|00|6|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|1|00|0|00|D|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|6|00|F|00|6|00|D|00|9|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x000\x001\x009\x005\x002\x00B\x000\x00-\x00A\x00F\x006\x006\x00-\x001\x001\x00D\x001\x00-\x00B\x001\x000\x00D\x00-\x000\x000\x006\x000\x000\x008\x006\x00F\x006\x00D\x009\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 15070 WEB-ACTIVEX SAP AG SAPgui mdrmsap ActiveX clsid unicode access attempted-user 2008-4255 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15084, service http, policy balanced-ips drop, policy security-ips drop; 15084 WEB-ACTIVEX Microsoft Common Controls Animation Object ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4255 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15086, service http, policy balanced-ips drop, policy security-ips drop; 15086 WEB-ACTIVEX Microsoft Common Controls Animation Object ActiveX function call access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2000-0834 tcp any $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15124, policy balanced-ips drop, policy security-ips drop, service http; 15124 NETBIOS Web-based NTLM replay attack attempt www.microsoft.com/technet/security/bulletin/MS10-012.mspx 32710 attempted-admin 2008-5416 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; metadata:policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 15127 NETBIOS SMB sp_replwritetovarbin vulnerable function WriteAndX andx attempt www.microsoft.com/technet/security/bulletin/MS09-004.mspx 32710 attempted-admin 2008-5416 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; metadata:policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 15128 NETBIOS SMB sp_replwritetovarbin vulnerable function WriteAndX attempt www.microsoft.com/technet/security/bulletin/MS09-004.mspx 32710 attempted-admin 2008-5416 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; metadata:policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 15129 NETBIOS SMB sp_replwritetovarbin vulnerable function WriteAndX unicode andx attempt www.microsoft.com/technet/security/bulletin/MS09-004.mspx 32710 attempted-admin 2008-5416 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; metadata:policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 15130 NETBIOS SMB sp_replwritetovarbin vulnerable function WriteAndX unicode attempt www.microsoft.com/technet/security/bulletin/MS09-004.mspx 32710 attempted-admin 2008-5416 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; metadata:policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 15131 NETBIOS SMB sp_replwritetovarbin vulnerable function andx attempt www.microsoft.com/technet/security/bulletin/MS09-004.mspx 32710 attempted-admin 2008-5416 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; metadata:policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 15132 NETBIOS SMB sp_replwritetovarbin vulnerable function attempt www.microsoft.com/technet/security/bulletin/MS09-004.mspx 32710 attempted-admin 2008-5416 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; metadata:policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 15133 NETBIOS SMB sp_replwritetovarbin vulnerable function unicode andx attempt www.microsoft.com/technet/security/bulletin/MS09-004.mspx 32710 attempted-admin 2008-5416 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; flowbits:isset,smb.tree.create.sql.query; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; metadata:policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 15134 NETBIOS SMB sp_replwritetovarbin vulnerable function unicode attempt www.microsoft.com/technet/security/bulletin/MS09-004.mspx 32710 attempted-admin 2008-5416 udp $EXTERNAL_NET any -> $HOME_NET 138 flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; metadata:policy security-ips drop, service netbios-dgm; classtype:attempted-admin; 15135 NETBIOS-DG SMB sp_replwritetovarbin vulnerable function WriteAndX andx attempt www.microsoft.com/technet/security/bulletin/MS09-004.mspx 32710 attempted-admin 2008-5416 udp $EXTERNAL_NET any -> $HOME_NET 138 flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; metadata:policy security-ips drop, service netbios-dgm; classtype:attempted-admin; 15136 NETBIOS-DG SMB sp_replwritetovarbin vulnerable function WriteAndX attempt www.microsoft.com/technet/security/bulletin/MS09-004.mspx 32710 attempted-admin 2008-5416 udp $EXTERNAL_NET any -> $HOME_NET 138 flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; metadata:policy security-ips drop, service netbios-dgm; classtype:attempted-admin; 15137 NETBIOS-DG SMB sp_replwritetovarbin vulnerable function WriteAndX unicode andx attempt www.microsoft.com/technet/security/bulletin/MS09-004.mspx 32710 attempted-admin 2008-5416 udp $EXTERNAL_NET any -> $HOME_NET 138 flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; metadata:policy security-ips drop, service netbios-dgm; classtype:attempted-admin; 15138 NETBIOS-DG SMB sp_replwritetovarbin vulnerable function WriteAndX unicode attempt www.microsoft.com/technet/security/bulletin/MS09-004.mspx 32710 attempted-admin 2008-5416 udp $EXTERNAL_NET any -> $HOME_NET 138 flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; metadata:policy security-ips drop, service netbios-dgm; classtype:attempted-admin; 15139 NETBIOS-DG SMB sp_replwritetovarbin vulnerable function andx attempt www.microsoft.com/technet/security/bulletin/MS09-004.mspx 32710 attempted-admin 2008-5416 udp $EXTERNAL_NET any -> $HOME_NET 138 flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"sp_replwritetovarbin"; distance:0; metadata:policy security-ips drop, service netbios-dgm; classtype:attempted-admin; 15140 NETBIOS-DG SMB sp_replwritetovarbin vulnerable function attempt www.microsoft.com/technet/security/bulletin/MS09-004.mspx 32710 attempted-admin 2008-5416 udp $EXTERNAL_NET any -> $HOME_NET 138 flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; metadata:policy security-ips drop, service netbios-dgm; classtype:attempted-admin; 15141 NETBIOS-DG SMB sp_replwritetovarbin vulnerable function unicode andx attempt www.microsoft.com/technet/security/bulletin/MS09-004.mspx 32710 attempted-admin 2008-5416 udp $EXTERNAL_NET any -> $HOME_NET 138 flowbits:isset,smb.tree.create.sql.query; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; distance:0; metadata:policy security-ips drop, service netbios-dgm; classtype:attempted-admin; 15142 NETBIOS-DG SMB sp_replwritetovarbin vulnerable function unicode attempt www.microsoft.com/technet/security/bulletin/MS09-004.mspx attempted-user 2004-1050 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<IFRAME "; nocase; content:"file|3A|//"; distance:0; nocase; pcre:"/<IFRAME\s+[^>]*?src\s*=\s*(\x22|\x27|)file\x3a\x2f\x2f[^\x22\x27\s>]{400}/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15147 WEB-CLIENT Microsoft IE malformed iframe buffer overflow attempt 10726 attempted-dos 2004-0728 tcp $HOME_NET any -> $HOME_NET 2702 gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|15148, policy balanced-ips drop, policy security-ips drop; 15148 DOS Microsoft SMS remote control client message length denial of service attempt 32901 attempted-user 2008-5691 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D8089245-3211-40F6-819B-9E5E92CD61A2"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D8089245-3211-40F6-819B-9E5E92CD61A2\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15173 WEB-ACTIVEX Phoenician Casino ActiveX clsid access 32901 attempted-user 2008-5691 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|8|00|0|00|8|00|9|00|2|00|4|00|5|00|-|00|3|00|2|00|1|00|1|00|-|00|4|00|0|00|F|00|6|00|-|00|8|00|1|00|9|00|B|00|-|00|9|00|E|00|5|00|E|00|9|00|2|00|C|00|D|00|6|00|1|00|A|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x008\x000\x008\x009\x002\x004\x005\x00-\x003\x002\x001\x001\x00-\x004\x000\x00F\x006\x00-\x008\x001\x009\x00B\x00-\x009\x00E\x005\x00E\x009\x002\x00C\x00D\x006\x001\x00A\x002\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15174 WEB-ACTIVEX Phoenician Casino ActiveX clsid unicode access 32901 attempted-user 2008-5691 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FlashAX.FlashXControl"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22FlashAX\.FlashXControl(\.\d)?\x22|\x27FlashAX\.FlashXControl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22FlashAX\.FlashXControl(\.\d)?\x22|\x27FlashAX\.FlashXControl(\.\d)?\x27)\s*\)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15175 WEB-ACTIVEX Phoenician Casino ActiveX function call access 32901 attempted-user 2008-5691 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|l|00|a|00|s|00|h|00|A|00|X|00|.|00|F|00|l|00|a|00|s|00|h|00|X|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)F\x00l\x00a\x00s\x00h\x00A\x00X\x00.\x00F\x00l\x00a\x00s\x00h\x00X\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(\.\x00\d\x00)?(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)F\x00l\x00a\x00s\x00h\x00A\x00X\x00.\x00F\x00l\x00a\x00s\x00h\x00X\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15176 WEB-ACTIVEX Phoenician Casino ActiveX function call unicode access 32965 attempted-user 2008-2435 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"74D05D43-3236-11D4-BDCD-00C04F9A3B61"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*74D05D43-3236-11D4-BDCD-00C04F9A3B61\s*}?\s*(?P=q5)(\s|>).*(?P=id1)\s*\.\s*(notifyOnLoadNative)|<object\s*[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*74D05D43-3236-11D4-BDCD-00C04F9A3B61\s*}?\s*(?P=q6)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(notifyOnLoadNative))\s*\(/siO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 15177 WEB-ACTIVEX Trend Micro HouseCall ActiveX clsid access 32965 attempted-user 2008-2435 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|4|00|D|00|0|00|5|00|D|00|4|00|3|00|-|00|3|00|2|00|3|00|6|00|-|00|1|00|1|00|D|00|4|00|-|00|B|00|D|00|C|00|D|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|9|00|A|00|3|00|B|00|6|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q7>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x004\x00D\x000\x005\x00D\x004\x003\x00-\x003\x002\x003\x006\x00-\x001\x001\x00D\x004\x00-\x00B\x00D\x00C\x00D\x00-\x000\x000\x00C\x000\x004\x00F\x009\x00A\x003\x00B\x006\x001\x00(}\x00)?(?P=q7)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 15178 WEB-ACTIVEX Trend Micro HouseCall ActiveX clsid unicode access 32965 attempted-user 2008-2435 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"XSCAN.XscanCtrl"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22XSCAN\.XscanCtrl(\.\d)?\x22|\x27XSCAN\.XscanCtrl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*notifyOnLoadNative\s*|.*(?P=v)\s*\.\s*notifyOnLoadNative\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22XSCAN\.XscanCtrl(\.\d)?\x22|\x27XSCAN\.XscanCtrl(\.\d)?\x27)\s*\)(\s*\.\s*notifyOnLoadNative\s*|.*(?P=n)\s*\.\s*notifyOnLoadNative\s*)\s*\(/smiO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 15179 WEB-ACTIVEX Trend Micro HouseCall ActiveX function call access 32965 attempted-user 2008-2435 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"X|00|S|00|C|00|A|00|N|00|.|00|X|00|s|00|c|00|a|00|n|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q8>\x22|\x27|)X\x00S\x00C\x00A\x00N\x00.\x00X\x00s\x00c\x00a\x00n\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q8)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q9>\x22|\x27|)X\x00S\x00C\x00A\x00N\x00.\x00X\x00s\x00c\x00a\x00n\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q9)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 15180 WEB-ACTIVEX Trend Micro HouseCall ActiveX function call unicode access 33053 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0297D24A-F425-47EE-9F3B-A459BCE593E3"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q10>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0297D24A-F425-47EE-9F3B-A459BCE593E3\s*}?\s*(?P=q10)(\s|>).*(?P=id1)\s*\.\s*(Get)|<object\s*[^>]*\s*classid\s*=\s*(?P<q11>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0297D24A-F425-47EE-9F3B-A459BCE593E3\s*}?\s*(?P=q11)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(Get))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15181 WEB-ACTIVEX SaschArt SasCam Webcam Server ActiveX clsid access 33053 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|2|00|9|00|7|00|D|00|2|00|4|00|A|00|-|00|F|00|4|00|2|00|5|00|-|00|4|00|7|00|E|00|E|00|-|00|9|00|F|00|3|00|B|00|-|00|A|00|4|00|5|00|9|00|B|00|C|00|E|00|5|00|9|00|3|00|E|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q12>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x002\x009\x007\x00D\x002\x004\x00A\x00-\x00F\x004\x002\x005\x00-\x004\x007\x00E\x00E\x00-\x009\x00F\x003\x00B\x00-\x00A\x004\x005\x009\x00B\x00C\x00E\x005\x009\x003\x00E\x003\x00(}\x00)?(?P=q12)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15182 WEB-ACTIVEX SaschArt SasCam Webcam Server ActiveX clsid unicode access 33148 attempted-user 2008-4827 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2315B059-EDD7-4C66-933C-ECFF5B9DD593"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2315B059-EDD7-4C66-933C-ECFF5B9DD593\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AddTab)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2315B059-EDD7-4C66-933C-ECFF5B9DD593\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(AddTab))\s*\(/siO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 15192 WEB-ACTIVEX SizerOne ActiveX clsid access 33148 attempted-user 2008-4827 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|3|00|1|00|5|00|B|00|0|00|5|00|9|00|-|00|E|00|D|00|D|00|7|00|-|00|4|00|C|00|6|00|6|00|-|00|9|00|3|00|3|00|C|00|-|00|E|00|C|00|F|00|F|00|5|00|B|00|9|00|D|00|D|00|5|00|9|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x003\x001\x005\x00B\x000\x005\x009\x00-\x00E\x00D\x00D\x007\x00-\x004\x00C\x006\x006\x00-\x009\x003\x003\x00C\x00-\x00E\x00C\x00F\x00F\x005\x00B\x009\x00D\x00D\x005\x009\x003\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 15193 WEB-ACTIVEX SizerOne ActiveX clsid unicode access 33148 attempted-user 2008-4827 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"TabOne.TabOne"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22TabOne\.TabOne(\.\d)?\x22|\x27TabOne\.TabOne(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*AddTab\s*|.*(?P=v)\s*\.\s*AddTab\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TabOne\.TabOne(\.\d)?\x22|\x27TabOne\.TabOne(\.\d)?\x27)\s*\)(\s*\.\s*AddTab\s*|.*(?P=n)\s*\.\s*AddTab\s*)\s*\(/smiO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 15194 WEB-ACTIVEX SizerOne ActiveX function call access 33148 attempted-user 2008-4827 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"T|00|a|00|b|00|O|00|n|00|e|00|.|00|T|00|a|00|b|00|O|00|n|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)T\x00a\x00b\x00O\x00n\x00e\x00.\x00T\x00a\x00b\x00O\x00n\x00e\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)T\x00a\x00b\x00O\x00n\x00e\x00.\x00T\x00a\x00b\x00O\x00n\x00e\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 15195 WEB-ACTIVEX SizerOne ActiveX function call unicode access protocol-command-decode 2008-4834 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15196, policy security-ips drop; 15196 NETBIOS SMB NT Trans NT CREATE unicode param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4834 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15197, policy security-ips drop; 15197 NETBIOS-DG SMB NT Trans NT CREATE param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4834 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15198, policy security-ips drop; 15198 NETBIOS-DG SMB NT Trans NT CREATE unicode param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4834 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15199, policy security-ips drop; 15199 NETBIOS SMB NT Trans NT CREATE param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4834 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15200, policy security-ips drop; 15200 NETBIOS SMB NT Trans NT CREATE unicode andx param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4834 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15201, policy security-ips drop; 15201 NETBIOS-DG SMB NT Trans NT CREATE andx param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4834 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15202, policy security-ips drop; 15202 NETBIOS-DG SMB NT Trans NT CREATE unicode andx param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4834 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15203, policy security-ips drop; 15203 NETBIOS SMB NT Trans NT CREATE andx param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4834 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15204, policy security-ips drop; 15204 NETBIOS-DG SMB NT Trans NT CREATE unicode max_param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4834 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15205, policy security-ips drop; 15205 NETBIOS SMB NT Trans NT CREATE unicode max_param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4834 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15206, policy security-ips drop; 15206 NETBIOS SMB NT Trans NT CREATE max_param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4834 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15207, policy security-ips drop; 15207 NETBIOS-DG SMB NT Trans NT CREATE max_param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4834 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15208, policy security-ips drop; 15208 NETBIOS-DG SMB NT Trans NT CREATE unicode andx max_param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4834 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15209, policy security-ips drop; 15209 NETBIOS SMB NT Trans NT CREATE unicode andx max_param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4834 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15210, policy security-ips drop; 15210 NETBIOS SMB NT Trans NT CREATE andx max_param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4834 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15211, policy security-ips drop; 15211 NETBIOS-DG SMB NT Trans NT CREATE andx max_param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4835 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15212, policy security-ips drop; 15212 NETBIOS-DG SMB Trans2 OPEN2 max_param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4835 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15213, policy security-ips drop; 15213 NETBIOS SMB Trans2 OPEN2 unicode max_param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4835 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15214, policy security-ips drop; 15214 NETBIOS SMB Trans2 OPEN2 max_param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4835 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15215, policy security-ips drop; 15215 NETBIOS-DG SMB Trans2 OPEN2 unicode max_param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4835 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15216, policy security-ips drop; 15216 NETBIOS-DG SMB Trans2 OPEN2 andx max_param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4835 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15217, policy security-ips drop; 15217 NETBIOS SMB Trans2 OPEN2 unicode andx max_param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4835 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15218, policy security-ips drop; 15218 NETBIOS SMB Trans2 OPEN2 andx max_param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4835 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15219, policy security-ips drop; 15219 NETBIOS-DG SMB Trans2 OPEN2 unicode andx max_param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4835 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15220, policy security-ips drop; 15220 NETBIOS SMB Trans2 OPEN2 unicode param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4835 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15221, policy security-ips drop; 15221 NETBIOS SMB Trans2 OPEN2 param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4835 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15222, policy security-ips drop; 15222 NETBIOS-DG SMB Trans2 OPEN2 param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4835 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15223, policy security-ips drop; 15223 NETBIOS-DG SMB Trans2 OPEN2 unicode param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4835 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15224, policy security-ips drop; 15224 NETBIOS SMB Trans2 OPEN2 unicode andx param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4835 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15225, policy security-ips drop; 15225 NETBIOS SMB Trans2 OPEN2 andx param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4835 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15226, policy security-ips drop; 15226 NETBIOS-DG SMB Trans2 OPEN2 andx param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx protocol-command-decode 2008-4835 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15227, policy security-ips drop; 15227 NETBIOS-DG SMB Trans2 OPEN2 unicode andx param_count underflow attempt www.microsoft.com/technet/security/bulletin/MS09-001.mspx 33233 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"00E7C7F8-71E2-498A-AB28-A3D72FC74485"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00E7C7F8-71E2-498A-AB28-A3D72FC74485\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(SaveToFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00E7C7F8-71E2-498A-AB28-A3D72FC74485\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(SaveToFile))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15228 WEB-ACTIVEX Ciansoft PDFBuilderX ActiveX clsid access 33233 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|E|00|7|00|C|00|7|00|F|00|8|00|-|00|7|00|1|00|E|00|2|00|-|00|4|00|9|00|8|00|A|00|-|00|A|00|B|00|2|00|8|00|-|00|A|00|3|00|D|00|7|00|2|00|F|00|C|00|7|00|4|00|4|00|8|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q8>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x00E\x007\x00C\x007\x00F\x008\x00-\x007\x001\x00E\x002\x00-\x004\x009\x008\x00A\x00-\x00A\x00B\x002\x008\x00-\x00A\x003\x00D\x007\x002\x00F\x00C\x007\x004\x004\x008\x005\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15229 WEB-ACTIVEX Ciansoft PDFBuilderX ActiveX clsid unicode access 33272 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DD44C0EA-B2CF-31D1-8DD3-444553540000"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m13>\x22|\x27|)(?P<id1>.+?)(?P=m13)(\s|>)[^>]*\s*classid\s*=\s*(?P<q27>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DD44C0EA-B2CF-31D1-8DD3-444553540000\s*}?\s*(?P=q27)(\s|>).*(?P=id1)\s*\.\s*(DoSaveHTMLFile|DoSaveFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q28>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DD44C0EA-B2CF-31D1-8DD3-444553540000\s*}?\s*(?P=q28)(\s|>)[^>]*\s*id\s*=\s*(?P<m14>\x22|\x27|)(?P<id2>.+?)(?P=m14)(\s|>).*(?P=id2)\.(DoSaveHTMLFile|DoSaveFile))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15232 WEB-ACTIVEX Easy Grid ActiveX clsid access 33272 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|D|00|4|00|4|00|C|00|0|00|E|00|A|00|-|00|B|00|2|00|C|00|F|00|-|00|3|00|1|00|D|00|1|00|-|00|8|00|D|00|D|00|3|00|-|00|4|00|4|00|4|00|5|00|5|00|3|00|5|00|4|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q29>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00D\x004\x004\x00C\x000\x00E\x00A\x00-\x00B\x002\x00C\x00F\x00-\x003\x001\x00D\x001\x00-\x008\x00D\x00D\x003\x00-\x004\x004\x004\x005\x005\x003\x005\x004\x000\x000\x000\x000\x00(}\x00)?(?P=q29)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15233 WEB-ACTIVEX Easy Grid ActiveX clsid unicode access 33272 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"EasyGrid.SGCtrl"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22EasyGrid\.SGCtrl(\.\d)?\x22|\x27EasyGrid\.SGCtrl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DoSaveHTMLFile|DoSaveFile)\s*|.*(?P=v)\s*\.\s*(DoSaveHTMLFile|DoSaveFile)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EasyGrid\.SGCtrl(\.\d)?\x22|\x27EasyGrid\.SGCtrl(\.\d)?\x27)\s*\)(\s*\.\s*(DoSaveHTMLFile|DoSaveFile)\s*|.*(?P=n)\s*\.\s*(DoSaveHTMLFile|DoSaveFile)\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15234 WEB-ACTIVEX Easy Grid ActiveX function call access 33272 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|a|00|s|00|y|00|G|00|r|00|i|00|d|00|.|00|S|00|G|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)E\x00a\x00s\x00y\x00G\x00r\x00i\x00d\x00.\x00S\x00G\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)E\x00a\x00s\x00y\x00G\x00r\x00i\x00d\x00.\x00S\x00G\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15235 WEB-ACTIVEX Easy Grid ActiveX function call unicode access 33408 attempted-user 2008-5260 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"917623D1-D8E5-11D2-BE8B-00104B06BDE3"; nocase; pcre:"/<object\s+[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*917623D1-D8E5-11D2-BE8B-00104B06BDE3\s*}?\s*(?P=q1)(\s|>)/i"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15243 WEB-ACTIVEX AXIS Camera ActiveX clsid access 33408 attempted-user 2008-5260 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|1|00|7|00|6|00|2|00|3|00|D|00|1|00|-|00|D|00|8|00|E|00|5|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|E|00|8|00|B|00|-|00|0|00|0|00|1|00|0|00|4|00|B|00|0|00|6|00|B|00|D|00|E|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x001\x007\x006\x002\x003\x00D\x001\x00-\x00D\x008\x00E\x005\x00-\x001\x001\x00D\x002\x00-\x00B\x00E\x008\x00B\x00-\x000\x000\x001\x000\x004\x00B\x000\x006\x00B\x00D\x00E\x003\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15244 WEB-ACTIVEX AXIS Camera ActiveX clsid unicode access 33408 attempted-user 2008-5260 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CamImage.CamImage"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22CamImage\.CamImage(\.\d)?\x22|\x27CamImage\.CamImage(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*image_pan_tilt\s*|.*(?P=v)\s*\.\s*image_pan_tilt\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22CamImage\.CamImage(\.\d)?\x22|\x27CamImage\.CamImage(\.\d)?\x27)\s*\)(\s*\.\s*image_pan_tilt\s*|.*(?P=n)\s*\.\s*image_pan_tilt)\s*=/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15245 WEB-ACTIVEX AXIS Camera ActiveX function call access 33408 attempted-user 2008-5260 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|a|00|m|00|I|00|m|00|a|00|g|00|e|00|.|00|C|00|a|00|m|00|I|00|m|00|a|00|g|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)C\x00a\x00m\x00I\x00m\x00a\x00g\x00e\x00.\x00C\x00a\x00m\x00I\x00m\x00a\x00g\x00e\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)C\x00a\x00m\x00I\x00m\x00a\x00g\x00e\x00.\x00C\x00a\x00m\x00I\x00m\x00a\x00g\x00e\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15246 WEB-ACTIVEX AXIS Camera ActiveX function call unicode access 33345 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0B8F9DC9-A99C-40AD-BE40-88DDE92BAC41"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0B8F9DC9-A99C-40AD-BE40-88DDE92BAC41\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(SaveToFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0B8F9DC9-A99C-40AD-BE40-88DDE92BAC41\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(SaveToFile))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15247 WEB-ACTIVEX JamDTA ActiveX clsid access 33345 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|B|00|8|00|F|00|9|00|D|00|C|00|9|00|-|00|A|00|9|00|9|00|C|00|-|00|4|00|0|00|A|00|D|00|-|00|B|00|E|00|4|00|0|00|-|00|8|00|8|00|D|00|D|00|E|00|9|00|2|00|B|00|A|00|C|00|4|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q8>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00B\x008\x00F\x009\x00D\x00C\x009\x00-\x00A\x009\x009\x00C\x00-\x004\x000\x00A\x00D\x00-\x00B\x00E\x004\x000\x00-\x008\x008\x00D\x00D\x00E\x009\x002\x00B\x00A\x00C\x004\x001\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15248 WEB-ACTIVEX JamDTA ActiveX clsid unicode access 33349 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E3462D53-47A6-11D8-8EF6-DAE89272743C"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q9>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E3462D53-47A6-11D8-8EF6-DAE89272743C\s*}?\s*(?P=q9)(\s|>).*(?P=id1)\s*\.\s*(SaveMaskToFile|StartVideoSaving)|<object\s*[^>]*\s*classid\s*=\s*(?P<q10>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E3462D53-47A6-11D8-8EF6-DAE89272743C\s*}?\s*(?P=q10)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\.(SaveMaskToFile|StartVideoSaving))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15249 WEB-ACTIVEX SmartVMD ActiveX clsid access 33349 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|3|00|4|00|6|00|2|00|D|00|5|00|3|00|-|00|4|00|7|00|A|00|6|00|-|00|1|00|1|00|D|00|8|00|-|00|8|00|E|00|F|00|6|00|-|00|D|00|A|00|E|00|8|00|9|00|2|00|7|00|2|00|7|00|4|00|3|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q11>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x003\x004\x006\x002\x00D\x005\x003\x00-\x004\x007\x00A\x006\x00-\x001\x001\x00D\x008\x00-\x008\x00E\x00F\x006\x00-\x00D\x00A\x00E\x008\x009\x002\x007\x002\x007\x004\x003\x00C\x00(}\x00)?(?P=q11)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15250 WEB-ACTIVEX SmartVMD ActiveX clsid unicode access 33318 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"67E66985-F81A-11D6-BC0F-F7B40157DC26"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q12>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*67E66985-F81A-11D6-BC0F-F7B40157DC26\s*}?\s*(?P=q12)(\s|>).*(?P=id1)\s*\.\s*(SaveToBMP)|<object\s*[^>]*\s*classid\s*=\s*(?P<q13>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*67E66985-F81A-11D6-BC0F-F7B40157DC26\s*}?\s*(?P=q13)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\.(SaveToBMP))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15251 WEB-ACTIVEX MetaProducts MetaTreeX ActiveX clsid access 33318 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|7|00|E|00|6|00|6|00|9|00|8|00|5|00|-|00|F|00|8|00|1|00|A|00|-|00|1|00|1|00|D|00|6|00|-|00|B|00|C|00|0|00|F|00|-|00|F|00|7|00|B|00|4|00|0|00|1|00|5|00|7|00|D|00|C|00|2|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q14>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x007\x00E\x006\x006\x009\x008\x005\x00-\x00F\x008\x001\x00A\x00-\x001\x001\x00D\x006\x00-\x00B\x00C\x000\x00F\x00-\x00F\x007\x00B\x004\x000\x001\x005\x007\x00D\x00C\x002\x006\x00(}\x00)?(?P=q14)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15252 WEB-ACTIVEX MetaProducts MetaTreeX ActiveX clsid unicode access 33318 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"SaveToBMP.MetaTreeX"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22SaveToBMP\.MetaTreeX(\.\d)?\x22|\x27SaveToBMP\.MetaTreeX(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveToBMP\s*|.*(?P=v)\s*\.\s*SaveToBMP\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SaveToBMP\.MetaTreeX(\.\d)?\x22|\x27SaveToBMP\.MetaTreeX(\.\d)?\x27)\s*\)(\s*\.\s*SaveToBMP\s*|.*(?P=n)\s*\.\s*SaveToBMP\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15253 WEB-ACTIVEX MetaProducts MetaTreeX ActiveX function call access 33318 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"S|00|a|00|v|00|e|00|T|00|o|00|B|00|M|00|P|00|.|00|M|00|e|00|t|00|a|00|T|00|r|00|e|00|e|00|X|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q15>\x22|\x27|)S\x00a\x00v\x00e\x00T\x00o\x00B\x00M\x00P\x00.\x00M\x00e\x00t\x00a\x00T\x00r\x00e\x00e\x00X\x00(\.\x00\d\x00)?(?P=q15)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q16>\x22|\x27|)S\x00a\x00v\x00e\x00T\x00o\x00B\x00M\x00P\x00.\x00M\x00e\x00t\x00a\x00T\x00r\x00e\x00e\x00X\x00(\.\x00\d\x00)?(?P=q16)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15254 WEB-ACTIVEX MetaProducts MetaTreeX ActiveX function call unicode access 33469 attempted-user 2007-0018 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"N|00|C|00|T|00|A|00|u|00|d|00|i|00|o|00|F|00|i|00|l|00|e|00|2|00|.|00|A|00|u|00|d|00|i|00|o|00|F|00|i|00|l|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q30>\x22|\x27|)N\x00C\x00T\x00A\x00u\x00d\x00i\x00o\x00F\x00i\x00l\x00e\x002\x00.\x00A\x00u\x00d\x00i\x00o\x00F\x00i\x00l\x00e\x00(\.\x00\d\x00)?(?P=q30)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q31>\x22|\x27|)N\x00C\x00T\x00A\x00u\x00d\x00i\x00o\x00F\x00i\x00l\x00e\x002\x00.\x00A\x00u\x00d\x00i\x00o\x00F\x00i\x00l\x00e\x00(\.\x00\d\x00)?(?P=q31)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15265 WEB-ACTIVEX NCTAudioFile2 ActiveX function call unicode access www.kb.cert.org/vuls/id/292713 33451 attempted-user 2009-0298 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"14D09688-CFA7-11D5-995A-005004CE563B"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*14D09688-CFA7-11D5-995A-005004CE563B\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Supplement|SaveAsBMP|SaveAsWMF)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*14D09688-CFA7-11D5-995A-005004CE563B\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(Supplement|SaveAsBMP|SaveAsWMF))\s*=/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15266 WEB-ACTIVEX MW6 Technologies Barcode ActiveX clsid access 33451 attempted-user 2009-0298 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|4|00|D|00|0|00|9|00|6|00|8|00|8|00|-|00|C|00|F|00|A|00|7|00|-|00|1|00|1|00|D|00|5|00|-|00|9|00|9|00|5|00|A|00|-|00|0|00|0|00|5|00|0|00|0|00|4|00|C|00|E|00|5|00|6|00|3|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x004\x00D\x000\x009\x006\x008\x008\x00-\x00C\x00F\x00A\x007\x00-\x001\x001\x00D\x005\x00-\x009\x009\x005\x00A\x00-\x000\x000\x005\x000\x000\x004\x00C\x00E\x005\x006\x003\x00B\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15267 WEB-ACTIVEX MW6 Technologies Barcode ActiveX clsid unicode access 33451 attempted-user 2009-0298 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Barcode.MW6Barcode"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22Barcode\.MW6Barcode(\.\d)?\x22|\x27Barcode\.MW6Barcode(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Supplement|SaveAsBMP|SaveAsWMF)\s*|.*(?P=v)\s*\.\s*(Supplement|SaveAsBMP|SaveAsWMF)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Barcode\.MW6Barcode(\.\d)?\x22|\x27Barcode\.MW6Barcode(\.\d)?\x27)\s*\)(\s*\.\s*(Supplement|SaveAsBMP|SaveAsWMF)\s*|.*(?P=n)\s*\.\s*(Supplement|SaveAsBMP|SaveAsWMF))\s*=/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15268 WEB-ACTIVEX MW6 Technologies Barcode ActiveX function call access 33451 attempted-user 2009-0298 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|a|00|r|00|c|00|o|00|d|00|e|00|.|00|M|00|W|00|6|00|B|00|a|00|r|00|c|00|o|00|d|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)B\x00a\x00r\x00c\x00o\x00d\x00e\x00.\x00M\x00W\x006\x00B\x00a\x00r\x00c\x00o\x00d\x00e\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)B\x00a\x00r\x00c\x00o\x00d\x00e\x00.\x00M\x00W\x006\x00B\x00a\x00r\x00c\x00o\x00d\x00e\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15269 WEB-ACTIVEX MW6 Technologies Barcode ActiveX function call unicode access attempted-user 2008-4926 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"90D2A875-5024-4CCD-80AA-C8A353DB2B45"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*90D2A875-5024-4CCD-80AA-C8A353DB2B45\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(SaveAsWMF|SaveAsBMP)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*90D2A875-5024-4CCD-80AA-C8A353DB2B45\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(SaveAsWMF|SaveAsBMP))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15270 WEB-ACTIVEX MW6 Technologies PDF417 ActiveX clsid access attempted-user 2008-4926 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|0|00|D|00|2|00|A|00|8|00|7|00|5|00|-|00|5|00|0|00|2|00|4|00|-|00|4|00|C|00|C|00|D|00|-|00|8|00|0|00|A|00|A|00|-|00|C|00|8|00|A|00|3|00|5|00|3|00|D|00|B|00|2|00|B|00|4|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q8>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x000\x00D\x002\x00A\x008\x007\x005\x00-\x005\x000\x002\x004\x00-\x004\x00C\x00C\x00D\x00-\x008\x000\x00A\x00A\x00-\x00C\x008\x00A\x003\x005\x003\x00D\x00B\x002\x00B\x004\x005\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15271 WEB-ACTIVEX MW6 Technologies PDF417 ActiveX clsid unicode access attempted-user 2008-4926 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"MW6PDF417.PDF417"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MW6PDF417\.PDF417(\.\d)?\x22|\x27MW6PDF417\.PDF417(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*|.*(?P=v)\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MW6PDF417\.PDF417(\.\d)?\x22|\x27MW6PDF417\.PDF417(\.\d)?\x27)\s*\)(\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*|.*(?P=n)\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15272 WEB-ACTIVEX MW6 Technologies PDF417 ActiveX function call access attempted-user 2008-4926 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"M|00|W|00|6|00|P|00|D|00|F|00|4|00|1|00|7|00|.|00|P|00|D|00|F|00|4|00|1|00|7|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q9>\x22|\x27|)M\x00W\x006\x00P\x00D\x00F\x004\x001\x007\x00.\x00P\x00D\x00F\x004\x001\x007\x00(\.\x00\d\x00)?(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q10>\x22|\x27|)M\x00W\x006\x00P\x00D\x00F\x004\x001\x007\x00.\x00P\x00D\x00F\x004\x001\x007\x00(\.\x00\d\x00)?(?P=q10)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15273 WEB-ACTIVEX MW6 Technologies PDF417 ActiveX function call unicode access attempted-user 2008-4925 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DE7DA0B5-7D7B-4CEA-8739-65CF600D511E"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q11>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DE7DA0B5-7D7B-4CEA-8739-65CF600D511E\s*}?\s*(?P=q11)(\s|>).*(?P=id1)\s*\.\s*(SaveAsWMF|SaveAsBMP)|<object\s*[^>]*\s*classid\s*=\s*(?P<q12>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DE7DA0B5-7D7B-4CEA-8739-65CF600D511E\s*}?\s*(?P=q12)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\.(SaveAsWMF|SaveAsBMP))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15274 WEB-ACTIVEX MW6 Technologies DataMatrix ActiveX clsid access attempted-user 2008-4925 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|E|00|7|00|D|00|A|00|0|00|B|00|5|00|-|00|7|00|D|00|7|00|B|00|-|00|4|00|C|00|E|00|A|00|-|00|8|00|7|00|3|00|9|00|-|00|6|00|5|00|C|00|F|00|6|00|0|00|0|00|D|00|5|00|1|00|1|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q13>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00E\x007\x00D\x00A\x000\x00B\x005\x00-\x007\x00D\x007\x00B\x00-\x004\x00C\x00E\x00A\x00-\x008\x007\x003\x009\x00-\x006\x005\x00C\x00F\x006\x000\x000\x00D\x005\x001\x001\x00E\x00(}\x00)?(?P=q13)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15275 WEB-ACTIVEX MW6 Technologies DataMatrix ActiveX clsid unicode access attempted-user 2008-4925 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DATAMATRIX.MW6DataMatrix"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22DATAMATRIX\.MW6DataMatrix(\.\d)?\x22|\x27DATAMATRIX\.MW6DataMatrix(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*|.*(?P=v)\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DATAMATRIX\.MW6DataMatrix(\.\d)?\x22|\x27DATAMATRIX\.MW6DataMatrix(\.\d)?\x27)\s*\)(\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*|.*(?P=n)\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15276 WEB-ACTIVEX MW6 Technologies DataMatrix ActiveX function call access attempted-user 2008-4925 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|A|00|T|00|A|00|M|00|A|00|T|00|R|00|I|00|X|00|.|00|M|00|W|00|6|00|D|00|a|00|t|00|a|00|M|00|a|00|t|00|r|00|i|00|x|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q14>\x22|\x27|)D\x00A\x00T\x00A\x00M\x00A\x00T\x00R\x00I\x00X\x00.\x00M\x00W\x006\x00D\x00a\x00t\x00a\x00M\x00a\x00t\x00r\x00i\x00x\x00(\.\x00\d\x00)?(?P=q14)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q15>\x22|\x27|)D\x00A\x00T\x00A\x00M\x00A\x00T\x00R\x00I\x00X\x00.\x00M\x00W\x006\x00D\x00a\x00t\x00a\x00M\x00a\x00t\x00r\x00i\x00x\x00(\.\x00\d\x00)?(?P=q15)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15277 WEB-ACTIVEX MW6 Technologies DataMatrix ActiveX function call unicode access attempted-user 2008-4923 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F359732D-D020-40ED-83FF-F381EFE36B54"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q16>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F359732D-D020-40ED-83FF-F381EFE36B54\s*}?\s*(?P=q16)(\s|>).*(?P=id1)\s*\.\s*(SaveAsWMF|SaveAsBMP)|<object\s*[^>]*\s*classid\s*=\s*(?P<q17>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F359732D-D020-40ED-83FF-F381EFE36B54\s*}?\s*(?P=q17)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\.(SaveAsWMF|SaveAsBMP))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15278 WEB-ACTIVEX MW6 Technologies Aztec ActiveX clsid access attempted-user 2008-4923 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|3|00|5|00|9|00|7|00|3|00|2|00|D|00|-|00|D|00|0|00|2|00|0|00|-|00|4|00|0|00|E|00|D|00|-|00|8|00|3|00|F|00|F|00|-|00|F|00|3|00|8|00|1|00|E|00|F|00|E|00|3|00|6|00|B|00|5|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q18>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x003\x005\x009\x007\x003\x002\x00D\x00-\x00D\x000\x002\x000\x00-\x004\x000\x00E\x00D\x00-\x008\x003\x00F\x00F\x00-\x00F\x003\x008\x001\x00E\x00F\x00E\x003\x006\x00B\x005\x004\x00(}\x00)?(?P=q18)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15279 WEB-ACTIVEX MW6 Technologies Aztec ActiveX clsid unicode access attempted-user 2008-4923 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AZTEC.MW6Aztec"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22AZTEC\.MW6Aztec(\.\d)?\x22|\x27AZTEC\.MW6Aztec(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*|.*(?P=v)\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AZTEC\.MW6Aztec(\.\d)?\x22|\x27AZTEC\.MW6Aztec(\.\d)?\x27)\s*\)(\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*|.*(?P=n)\s*\.\s*(SaveAsWMF|SaveAsBMP)\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15280 WEB-ACTIVEX MW6 Technologies Aztec ActiveX function call access attempted-user 2008-4923 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|Z|00|T|00|E|00|C|00|.|00|M|00|W|00|6|00|A|00|z|00|t|00|e|00|c|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q19>\x22|\x27|)A\x00Z\x00T\x00E\x00C\x00.\x00M\x00W\x006\x00A\x00z\x00t\x00e\x00c\x00(\.\x00\d\x00)?(?P=q19)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q20>\x22|\x27|)A\x00Z\x00T\x00E\x00C\x00.\x00M\x00W\x006\x00A\x00z\x00t\x00e\x00c\x00(\.\x00\d\x00)?(?P=q20)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15281 WEB-ACTIVEX MW6 Technologies Aztec ActiveX function call unicode access attempted-user 2008-0958 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"34A261F9-FC34-47F8-A35C-75FB73BB1358"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m15>\x22|\x27|)(?P<id1>.+?)(?P=m15)(\s|>)[^>]*\s*classid\s*=\s*(?P<q32>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*34A261F9-FC34-47F8-A35C-75FB73BB1358\s*}?\s*(?P=q32)(\s|>).*(?P=id1)\s*\.\s*(cddbServerAddress|cddbAgentName|cddbUserEmail|cddbCGIScript)|<object\s*[^>]*\s*classid\s*=\s*(?P<q33>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*34A261F9-FC34-47F8-A35C-75FB73BB1358\s*}?\s*(?P=q33)(\s|>)[^>]*\s*id\s*=\s*(?P<m16>\x22|\x27|)(?P<id2>.+?)(?P=m16)(\s|>).*(?P=id2)\s*\.\s*(cddbServerAddress|cddbAgentName|cddbUserEmail|cddbCGIScript))\s*=/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15284 WEB-ACTIVEX NCTAudioGrabber2 ActiveX clsid access www.kb.cert.org/vuls/id/656593 attempted-user 2008-0958 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|4|00|A|00|2|00|6|00|1|00|F|00|9|00|-|00|F|00|C|00|3|00|4|00|-|00|4|00|7|00|F|00|8|00|-|00|A|00|3|00|5|00|C|00|-|00|7|00|5|00|F|00|B|00|7|00|3|00|B|00|B|00|1|00|3|00|5|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q34>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x004\x00A\x002\x006\x001\x00F\x009\x00-\x00F\x00C\x003\x004\x00-\x004\x007\x00F\x008\x00-\x00A\x003\x005\x00C\x00-\x007\x005\x00F\x00B\x007\x003\x00B\x00B\x001\x003\x005\x008\x00(}\x00)?(?P=q34)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15285 WEB-ACTIVEX NCTAudioGrabber2 ActiveX clsid unicode access www.kb.cert.org/vuls/id/656593 attempted-user 2008-0958 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"NCTAudioGrabber2.AudioGrabber2"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22NCTAudioGrabber2\.AudioGrabber2(\.\d)?\x22|\x27NCTAudioGrabber2\.AudioGrabber2(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(cddbServerAddress|cddbAgentName|cddbUserEmail|cddbCGIScript)\s*|.*(?P=v)\s*\.\s*(cddbServerAddress|cddbAgentName|cddbUserEmail|cddbCGIScript)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NCTAudioGrabber2\.AudioGrabber2(\.\d)?\x22|\x27NCTAudioGrabber2\.AudioGrabber2(\.\d)?\x27)\s*\)(\s*\.\s*(cddbServerAddress|cddbAgentName|cddbUserEmail|cddbCGIScript)\s*|.*(?P=n)\s*\.\s*(cddbServerAddress|cddbAgentName|cddbUserEmail|cddbCGIScript))\s*=/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15286 WEB-ACTIVEX NCTAudioGrabber2 ActiveX function call access www.kb.cert.org/vuls/id/656593 attempted-user 2008-0958 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"N|00|C|00|T|00|A|00|u|00|d|00|i|00|o|00|G|00|r|00|a|00|b|00|b|00|e|00|r|00|2|00|.|00|A|00|u|00|d|00|i|00|o|00|G|00|r|00|a|00|b|00|b|00|e|00|r|00|2|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q35>\x22|\x27|)N\x00C\x00T\x00A\x00u\x00d\x00i\x00o\x00G\x00r\x00a\x00b\x00b\x00e\x00r\x002\x00.\x00A\x00u\x00d\x00i\x00o\x00G\x00r\x00a\x00b\x00b\x00e\x00r\x002\x00(\.\x00\d\x00)?(?P=q35)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q36>\x22|\x27|)N\x00C\x00T\x00A\x00u\x00d\x00i\x00o\x00G\x00r\x00a\x00b\x00b\x00e\x00r\x002\x00.\x00A\x00u\x00d\x00i\x00o\x00G\x00r\x00a\x00b\x00b\x00e\x00r\x002\x00(\.\x00\d\x00)?(?P=q36)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15287 WEB-ACTIVEX NCTAudioGrabber2 ActiveX function call unicode access www.kb.cert.org/vuls/id/656593 attempted-user 2008-0959 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AAFA1E73-4842-4BEC-BC46-48C62E1C5C9C"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m17>\x22|\x27|)(?P<id1>.+?)(?P=m17)(\s|>)[^>]*\s*classid\s*=\s*(?P<q37>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AAFA1E73-4842-4BEC-BC46-48C62E1C5C9C\s*}?\s*(?P=q37)(\s|>).*(?P=id1)\s*\.\s*(GetAudioInformation|SetAudioInformation)|<object\s*[^>]*\s*classid\s*=\s*(?P<q38>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AAFA1E73-4842-4BEC-BC46-48C62E1C5C9C\s*}?\s*(?P=q38)(\s|>)[^>]*\s*id\s*=\s*(?P<m18>\x22|\x27|)(?P<id2>.+?)(?P=m18)(\s|>).*(?P=id2)\.(GetAudioInformation|SetAudioInformation))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15288 WEB-ACTIVEX NCTAudioInformation2 ActiveX clsid access www.kb.cert.org/vuls/id/669265 attempted-user 2008-0959 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|A|00|F|00|A|00|1|00|E|00|7|00|3|00|-|00|4|00|8|00|4|00|2|00|-|00|4|00|B|00|E|00|C|00|-|00|B|00|C|00|4|00|6|00|-|00|4|00|8|00|C|00|6|00|2|00|E|00|1|00|C|00|5|00|C|00|9|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q39>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00A\x00F\x00A\x001\x00E\x007\x003\x00-\x004\x008\x004\x002\x00-\x004\x00B\x00E\x00C\x00-\x00B\x00C\x004\x006\x00-\x004\x008\x00C\x006\x002\x00E\x001\x00C\x005\x00C\x009\x00C\x00(}\x00)?(?P=q39)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15289 WEB-ACTIVEX NCTAudioInformation2 ActiveX clsid unicode access www.kb.cert.org/vuls/id/669265 attempted-user 2008-0959 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"NCTAudioInformation2.AudioInformation2"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22NCTAudioInformation2\.AudioInformation2(\.\d)?\x22|\x27NCTAudioInformation2\.AudioInformation2(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(GetAudioInformation|SetAudioInformation)\s*|.*(?P=v)\s*\.\s*(GetAudioInformation|SetAudioInformation)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NCTAudioInformation2\.AudioInformation2(\.\d)?\x22|\x27NCTAudioInformation2\.AudioInformation2(\.\d)?\x27)\s*\)(\s*\.\s*(GetAudioInformation|SetAudioInformation)\s*|.*(?P=n)\s*\.\s*(GetAudioInformation|SetAudioInformation)\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15290 WEB-ACTIVEX NCTAudioInformation2 ActiveX function call access www.kb.cert.org/vuls/id/669265 attempted-user 2008-0959 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"N|00|C|00|T|00|A|00|u|00|d|00|i|00|o|00|I|00|n|00|f|00|o|00|r|00|m|00|a|00|t|00|i|00|o|00|n|00|2|00|.|00|A|00|u|00|d|00|i|00|o|00|I|00|n|00|f|00|o|00|r|00|m|00|a|00|t|00|i|00|o|00|n|00|2|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q40>\x22|\x27|)N\x00C\x00T\x00A\x00u\x00d\x00i\x00o\x00I\x00n\x00f\x00o\x00r\x00m\x00a\x00t\x00i\x00o\x00n\x002\x00.\x00A\x00u\x00d\x00i\x00o\x00I\x00n\x00f\x00o\x00r\x00m\x00a\x00t\x00i\x00o\x00n\x002\x00(\.\x00\d\x00)?(?P=q40)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q41>\x22|\x27|)N\x00C\x00T\x00A\x00u\x00d\x00i\x00o\x00I\x00n\x00f\x00o\x00r\x00m\x00a\x00t\x00i\x00o\x00n\x002\x00.\x00A\x00u\x00d\x00i\x00o\x00I\x00n\x00f\x00o\x00r\x00m\x00a\x00t\x00i\x00o\x00n\x002\x00(\.\x00\d\x00)?(?P=q41)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15291 WEB-ACTIVEX NCTAudioInformation2 ActiveX function call unicode access www.kb.cert.org/vuls/id/669265 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1E216240-1B7D-11CF-9D53-00AA003C9CB6"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1E216240-1B7D-11CF-9D53-00AA003C9CB6\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15307 WEB-ACTIVEX Microsoft Animation Control ActiveX clsid access support.microsoft.com/kb/960715 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|E|00|2|00|1|00|6|00|2|00|4|00|0|00|-|00|1|00|B|00|7|00|D|00|-|00|1|00|1|00|C|00|F|00|-|00|9|00|D|00|5|00|3|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|3|00|C|00|9|00|C|00|B|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x00E\x002\x001\x006\x002\x004\x000\x00-\x001\x00B\x007\x00D\x00-\x001\x001\x00C\x00F\x00-\x009\x00D\x005\x003\x00-\x000\x000\x00A\x00A\x000\x000\x003\x00C\x009\x00C\x00B\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15308 WEB-ACTIVEX Microsoft Animation Control ActiveX clsid unicode access support.microsoft.com/kb/960715 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ComCtl2.Animation"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22ComCtl2\.Animation(\.\d)?\x22|\x27ComCtl2\.Animation(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ComCtl2\.Animation(\.\d)?\x22|\x27ComCtl2\.Animation(\.\d)?\x27)\s*\)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15309 WEB-ACTIVEX Microsoft Animation Control ActiveX function call access support.microsoft.com/kb/960715 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|o|00|m|00|C|00|t|00|l|00|2|00|.|00|A|00|n|00|i|00|m|00|a|00|t|00|i|00|o|00|n|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)C\x00o\x00m\x00C\x00t\x00l\x002\x00.\x00A\x00n\x00i\x00m\x00a\x00t\x00i\x00o\x00n\x00(\.\x00\d\x00)?(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)C\x00o\x00m\x00C\x00t\x00l\x002\x00.\x00A\x00n\x00i\x00m\x00a\x00t\x00i\x00o\x00n\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15310 WEB-ACTIVEX Microsoft Animation Control ActiveX function call unicode access support.microsoft.com/kb/960715 33663 attempted-user 2009-0305 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4788DE08-3552-49EA-AC8C-233DA52523B9"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4788DE08-3552-49EA-AC8C-233DA52523B9\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15311 WEB-ACTIVEX Research In Motion AxLoader ActiveX clsid access support.microsoft.com/kb/960715 33663 attempted-user 2009-0305 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|7|00|8|00|8|00|D|00|E|00|0|00|8|00|-|00|3|00|5|00|5|00|2|00|-|00|4|00|9|00|E|00|A|00|-|00|A|00|C|00|8|00|C|00|-|00|2|00|3|00|3|00|D|00|A|00|5|00|2|00|5|00|2|00|3|00|B|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x007\x008\x008\x00D\x00E\x000\x008\x00-\x003\x005\x005\x002\x00-\x004\x009\x00E\x00A\x00-\x00A\x00C\x008\x00C\x00-\x002\x003\x003\x00D\x00A\x005\x002\x005\x002\x003\x00B\x009\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15312 WEB-ACTIVEX Research In Motion AxLoader ActiveX clsid unicode access support.microsoft.com/kb/960715 33663 attempted-user 2009-0305 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"RIM.AxLoader"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22RIM\.AxLoader(\.\d)?\x22|\x27RIM\.AxLoader(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22RIM\.AxLoader(\.\d)?\x22|\x27RIM\.AxLoader(\.\d)?\x27)\s*\)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15313 WEB-ACTIVEX Research In Motion AxLoader ActiveX function call access support.microsoft.com/kb/960715 33663 attempted-user 2009-0305 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"R|00|I|00|M|00|.|00|A|00|x|00|L|00|o|00|a|00|d|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)R\x00I\x00M\x00.\x00A\x00x\x00L\x00o\x00a\x00d\x00e\x00r\x00(\.\x00\d\x00)?(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)R\x00I\x00M\x00.\x00A\x00x\x00L\x00o\x00a\x00d\x00e\x00r\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15314 WEB-ACTIVEX Research In Motion AxLoader ActiveX function call unicode access support.microsoft.com/kb/960715 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q9>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1\s*}?\s*(?P=q9)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15315 WEB-ACTIVEX Akamai DownloadManager ActiveX clsid access support.microsoft.com/kb/960715 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|F|00|B|00|B|00|3|00|F|00|3|00|B|00|-|00|0|00|A|00|5|00|A|00|-|00|4|00|1|00|0|00|6|00|-|00|B|00|E|00|5|00|3|00|-|00|D|00|F|00|E|00|1|00|E|00|2|00|3|00|4|00|0|00|C|00|B|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q10>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x00F\x00B\x00B\x003\x00F\x003\x00B\x00-\x000\x00A\x005\x00A\x00-\x004\x001\x000\x006\x00-\x00B\x00E\x005\x003\x00-\x00D\x00F\x00E\x001\x00E\x002\x003\x004\x000\x00C\x00B\x001\x00(}\x00)?(?P=q10)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15316 WEB-ACTIVEX Akamai DownloadManager ActiveX clsid unicode access support.microsoft.com/kb/960715 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"MANAGER.DLMCtrl"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MANAGER\.DLMCtrl(\.\d)?\x22|\x27MANAGER\.DLMCtrl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MANAGER\.DLMCtrl(\.\d)?\x22|\x27MANAGER\.DLMCtrl(\.\d)?\x27)\s*\)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15317 WEB-ACTIVEX Akamai DownloadManager ActiveX function call access support.microsoft.com/kb/960715 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"M|00|A|00|N|00|A|00|G|00|E|00|R|00|.|00|D|00|L|00|M|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q11>\x22|\x27|)M\x00A\x00N\x00A\x00G\x00E\x00R\x00.\x00D\x00L\x00M\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q11)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q12>\x22|\x27|)M\x00A\x00N\x00A\x00G\x00E\x00R\x00.\x00D\x00L\x00M\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q12)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15318 WEB-ACTIVEX Akamai DownloadManager ActiveX function call unicode access support.microsoft.com/kb/960715 33726 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F85B4A10-B530-4D68-A714-7415838FD174"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F85B4A10-B530-4D68-A714-7415838FD174\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SelectDevice)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F85B4A10-B530-4D68-A714-7415838FD174\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SelectDevice))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15330 WEB-ACTIVEX Nokia Phoenix Service 1 ActiveX clsid access 33726 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|8|00|5|00|B|00|4|00|A|00|1|00|0|00|-|00|B|00|5|00|3|00|0|00|-|00|4|00|D|00|6|00|8|00|-|00|A|00|7|00|1|00|4|00|-|00|7|00|4|00|1|00|5|00|8|00|3|00|8|00|F|00|D|00|1|00|7|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x008\x005\x00B\x004\x00A\x001\x000\x00-\x00B\x005\x003\x000\x00-\x004\x00D\x006\x008\x00-\x00A\x007\x001\x004\x00-\x007\x004\x001\x005\x008\x003\x008\x00F\x00D\x001\x007\x004\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15331 WEB-ACTIVEX Nokia Phoenix Service 1 ActiveX clsid unicode access 33726 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"929A0D77-044A-497F-8FDF-8EDE81F6251A"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q4>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*929A0D77-044A-497F-8FDF-8EDE81F6251A\s*}?\s*(?P=q4)(\s|>).*(?P=id1)\s*\.\s*(SelectDevice)|<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*929A0D77-044A-497F-8FDF-8EDE81F6251A\s*}?\s*(?P=q5)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(SelectDevice))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15332 WEB-ACTIVEX Nokia Phoenix Service 2 ActiveX clsid access 33726 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|2|00|9|00|A|00|0|00|D|00|7|00|7|00|-|00|0|00|4|00|4|00|A|00|-|00|4|00|9|00|7|00|F|00|-|00|8|00|F|00|D|00|F|00|-|00|8|00|E|00|D|00|E|00|8|00|1|00|F|00|6|00|2|00|5|00|1|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q6>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x002\x009\x00A\x000\x00D\x007\x007\x00-\x000\x004\x004\x00A\x00-\x004\x009\x007\x00F\x00-\x008\x00F\x00D\x00F\x00-\x008\x00E\x00D\x00E\x008\x001\x00F\x006\x002\x005\x001\x00A\x00(}\x00)?(?P=q6)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15333 WEB-ACTIVEX Nokia Phoenix Service 2 ActiveX clsid unicode access 33535 attempted-user 2009-0465 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B5576893-F948-4E0F-9BE1-A37CB56D66FF"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m11>\x22|\x27|)(?P<id1>.+?)(?P=m11)(\s|>)[^>]*\s*classid\s*=\s*(?P<q22>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B5576893-F948-4E0F-9BE1-A37CB56D66FF\s*}?\s*(?P=q22)(\s|>).*(?P=id1)\s*\.\s*(SaveDoc)|<object\s*[^>]*\s*classid\s*=\s*(?P<q23>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B5576893-F948-4E0F-9BE1-A37CB56D66FF\s*}?\s*(?P=q23)(\s|>)[^>]*\s*id\s*=\s*(?P<m12>\x22|\x27|)(?P<id2>.+?)(?P=m12)(\s|>).*(?P=id2)\.(SaveDoc))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15346 WEB-ACTIVEX Synactis ALL In-The-Box ActiveX clsid access 33535 attempted-user 2009-0465 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|5|00|5|00|7|00|6|00|8|00|9|00|3|00|-|00|F|00|9|00|4|00|8|00|-|00|4|00|E|00|0|00|F|00|-|00|9|00|B|00|E|00|1|00|-|00|A|00|3|00|7|00|C|00|B|00|5|00|6|00|D|00|6|00|6|00|F|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q24>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x005\x005\x007\x006\x008\x009\x003\x00-\x00F\x009\x004\x008\x00-\x004\x00E\x000\x00F\x00-\x009\x00B\x00E\x001\x00-\x00A\x003\x007\x00C\x00B\x005\x006\x00D\x006\x006\x00F\x00F\x00(}\x00)?(?P=q24)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15347 WEB-ACTIVEX Synactis ALL In-The-Box ActiveX clsid unicode access 33535 attempted-user 2009-0465 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"All_In_The_Box.AllBox"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22All_In_The_Box\.AllBox(\.\d)?\x22|\x27All_In_The_Box\.AllBox(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveDoc\s*|.*(?P=v)\s*\.\s*SaveDoc\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22All_In_The_Box\.AllBox(\.\d)?\x22|\x27All_In_The_Box\.AllBox(\.\d)?\x27)\s*\)(\s*\.\s*SaveDoc\s*|.*(?P=n)\s*\.\s*SaveDoc\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15348 WEB-ACTIVEX Synactis ALL In-The-Box ActiveX function call access 33535 attempted-user 2009-0465 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|l|00|l|00|_|00|I|00|n|00|_|00|T|00|h|00|e|00|_|00|B|00|o|00|x|00|.|00|A|00|l|00|l|00|B|00|o|00|x|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q25>\x22|\x27|)A\x00l\x00l\x00_\x00I\x00n\x00_\x00T\x00h\x00e\x00_\x00B\x00o\x00x\x00.\x00A\x00l\x00l\x00B\x00o\x00x\x00(\.\x00\d\x00)?(?P=q25)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q26>\x22|\x27|)A\x00l\x00l\x00_\x00I\x00n\x00_\x00T\x00h\x00e\x00_\x00B\x00o\x00x\x00.\x00A\x00l\x00l\x00B\x00o\x00x\x00(\.\x00\d\x00)?(?P=q26)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15349 WEB-ACTIVEX Synactis ALL In-The-Box ActiveX function call unicode access 33515 attempted-user 2009-0389 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"441E9D47-9F52-11D6-9672-0080C88B3613"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m13>\x22|\x27|)(?P<id1>.+?)(?P=m13)(\s|>)[^>]*\s*classid\s*=\s*(?P<q27>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*441E9D47-9F52-11D6-9672-0080C88B3613\s*}?\s*(?P=q27)(\s|>).*(?P=id1)\s*\.\s*(WriteIniFileString|ShellExecute)|<object\s*[^>]*\s*classid\s*=\s*(?P<q28>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*441E9D47-9F52-11D6-9672-0080C88B3613\s*}?\s*(?P=q28)(\s|>)[^>]*\s*id\s*=\s*(?P<m14>\x22|\x27|)(?P<id2>.+?)(?P=m14)(\s|>).*(?P=id2)\.(WriteIniFileString|ShellExecute))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15350 WEB-ACTIVEX Web on Windows ActiveX clsid access 33515 attempted-user 2009-0389 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|4|00|1|00|E|00|9|00|D|00|4|00|7|00|-|00|9|00|F|00|5|00|2|00|-|00|1|00|1|00|D|00|6|00|-|00|9|00|6|00|7|00|2|00|-|00|0|00|0|00|8|00|0|00|C|00|8|00|8|00|B|00|3|00|6|00|1|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q29>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x004\x001\x00E\x009\x00D\x004\x007\x00-\x009\x00F\x005\x002\x00-\x001\x001\x00D\x006\x00-\x009\x006\x007\x002\x00-\x000\x000\x008\x000\x00C\x008\x008\x00B\x003\x006\x001\x003\x00(}\x00)?(?P=q29)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15351 WEB-ACTIVEX Web on Windows ActiveX clsid unicode access 33515 attempted-user 2009-0389 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"All_In_The_Box.AllBox"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22All_In_The_Box\.AllBox(\.\d)?\x22|\x27All_In_The_Box\.AllBox(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(WriteIniFileString|ShellExecute)\s*|.*(?P=v)\s*\.\s*(WriteIniFileString|ShellExecute)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22All_In_The_Box\.AllBox(\.\d)?\x22|\x27All_In_The_Box\.AllBox(\.\d)?\x27)\s*\)(\s*\.\s*(WriteIniFileString|ShellExecute)\s*|.*(?P=n)\s*\.\s*(WriteIniFileString|ShellExecute)\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15352 WEB-ACTIVEX Web on Windows ActiveX function call access 33515 attempted-user 2009-0389 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|l|00|l|00|_|00|I|00|n|00|_|00|T|00|h|00|e|00|_|00|B|00|o|00|x|00|.|00|A|00|l|00|l|00|B|00|o|00|x|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q30>\x22|\x27|)A\x00l\x00l\x00_\x00I\x00n\x00_\x00T\x00h\x00e\x00_\x00B\x00o\x00x\x00.\x00A\x00l\x00l\x00B\x00o\x00x\x00(\.\x00\d\x00)?(?P=q30)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q31>\x22|\x27|)A\x00l\x00l\x00_\x00I\x00n\x00_\x00T\x00h\x00e\x00_\x00B\x00o\x00x\x00.\x00A\x00l\x00l\x00B\x00o\x00x\x00(\.\x00\d\x00)?(?P=q31)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15353 WEB-ACTIVEX Web on Windows ActiveX function call unicode access 33867 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9A077D0D-B4A6-4EC0-B6CF-98526DF589E4"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9A077D0D-B4A6-4EC0-B6CF-98526DF589E4\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(DeleteFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9A077D0D-B4A6-4EC0-B6CF-98526DF589E4\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(DeleteFile))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15372 WEB-ACTIVEX iDefense COMRaider ActiveX clsid access 33867 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|A|00|0|00|7|00|7|00|D|00|0|00|D|00|-|00|B|00|4|00|A|00|6|00|-|00|4|00|E|00|C|00|0|00|-|00|B|00|6|00|C|00|F|00|-|00|9|00|8|00|5|00|2|00|6|00|D|00|F|00|5|00|8|00|9|00|E|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q8>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x00A\x000\x007\x007\x00D\x000\x00D\x00-\x00B\x004\x00A\x006\x00-\x004\x00E\x00C\x000\x00-\x00B\x006\x00C\x00F\x00-\x009\x008\x005\x002\x006\x00D\x00F\x005\x008\x009\x00E\x004\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15373 WEB-ACTIVEX iDefense COMRaider ActiveX clsid unicode access 33867 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"vbDevKit.CVariantFileSystem"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22vbDevKit\.CVariantFileSystem(\.\d)?\x22|\x27vbDevKit\.CVariantFileSystem(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*DeleteFile\s*|.*(?P=v)\s*\.\s*DeleteFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22vbDevKit\.CVariantFileSystem(\.\d)?\x22|\x27vbDevKit\.CVariantFileSystem(\.\d)?\x27)\s*\)(\s*\.\s*DeleteFile\s*|.*(?P=n)\s*\.\s*DeleteFile\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15374 WEB-ACTIVEX iDefense COMRaider ActiveX function call access 33867 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"v|00|b|00|D|00|e|00|v|00|K|00|i|00|t|00|.|00|C|00|V|00|a|00|r|00|i|00|a|00|n|00|t|00|F|00|i|00|l|00|e|00|S|00|y|00|s|00|t|00|e|00|m|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q9>\x22|\x27|)v\x00b\x00D\x00e\x00v\x00K\x00i\x00t\x00.\x00C\x00V\x00a\x00r\x00i\x00a\x00n\x00t\x00F\x00i\x00l\x00e\x00S\x00y\x00s\x00t\x00e\x00m\x00(\.\x00\d\x00)?(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q10>\x22|\x27|)v\x00b\x00D\x00e\x00v\x00K\x00i\x00t\x00.\x00C\x00V\x00a\x00r\x00i\x00a\x00n\x00t\x00F\x00i\x00l\x00e\x00S\x00y\x00s\x00t\x00e\x00m\x00(\.\x00\d\x00)?(?P=q10)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15375 WEB-ACTIVEX iDefense COMRaider ActiveX function call unicode access 33920 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8FEFF364-6A5F-4966-A917-A3AC28411659"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q11>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8FEFF364-6A5F-4966-A917-A3AC28411659\s*}?\s*(?P=q11)(\s|>).*(?P=id1)\s*\.\s*(SetExternalPlayer)|<object\s*[^>]*\s*classid\s*=\s*(?P<q12>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8FEFF364-6A5F-4966-A917-A3AC28411659\s*}?\s*(?P=q12)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\.(SetExternalPlayer))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15376 WEB-ACTIVEX Sopcast SopCore ActiveX clsid access 33920 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|F|00|E|00|F|00|F|00|3|00|6|00|4|00|-|00|6|00|A|00|5|00|F|00|-|00|4|00|9|00|6|00|6|00|-|00|A|00|9|00|1|00|7|00|-|00|A|00|3|00|A|00|C|00|2|00|8|00|4|00|1|00|1|00|6|00|5|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q13>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x00F\x00E\x00F\x00F\x003\x006\x004\x00-\x006\x00A\x005\x00F\x00-\x004\x009\x006\x006\x00-\x00A\x009\x001\x007\x00-\x00A\x003\x00A\x00C\x002\x008\x004\x001\x001\x006\x005\x009\x00(}\x00)?(?P=q13)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15377 WEB-ACTIVEX Sopcast SopCore ActiveX clsid unicode access 33920 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"SOPCORE.SopCoreCtrl"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22SOPCORE\.SopCoreCtrl(\.\d)?\x22|\x27SOPCORE\.SopCoreCtrl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SetExternalPlayer\s*|.*(?P=v)\s*\.\s*SetExternalPlayer\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SOPCORE\.SopCoreCtrl(\.\d)?\x22|\x27SOPCORE\.SopCoreCtrl(\.\d)?\x27)\s*\)(\s*\.\s*SetExternalPlayer\s*|.*(?P=n)\s*\.\s*SetExternalPlayer\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15378 WEB-ACTIVEX Sopcast SopCore ActiveX function call access 33920 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"S|00|O|00|P|00|C|00|O|00|R|00|E|00|.|00|S|00|o|00|p|00|C|00|o|00|r|00|e|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q14>\x22|\x27|)S\x00O\x00P\x00C\x00O\x00R\x00E\x00.\x00S\x00o\x00p\x00C\x00o\x00r\x00e\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q14)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q15>\x22|\x27|)S\x00O\x00P\x00C\x00O\x00R\x00E\x00.\x00S\x00o\x00p\x00C\x00o\x00r\x00e\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q15)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15379 WEB-ACTIVEX Sopcast SopCore ActiveX function call unicode access 33918 attempted-user 2009-0208 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"00000032-9593-4264-8B29-930B3E4EDCCD"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q16>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00000032-9593-4264-8B29-930B3E4EDCCD\s*}?\s*(?P=q16)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15380 WEB-ACTIVEX HP Virtual Rooms v7 ActiveX clsid access 33918 attempted-user 2009-0208 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|0|00|0|00|0|00|3|00|2|00|-|00|9|00|5|00|9|00|3|00|-|00|4|00|2|00|6|00|4|00|-|00|8|00|B|00|2|00|9|00|-|00|9|00|3|00|0|00|B|00|3|00|E|00|4|00|E|00|D|00|C|00|C|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q17>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x000\x000\x000\x003\x002\x00-\x009\x005\x009\x003\x00-\x004\x002\x006\x004\x00-\x008\x00B\x002\x009\x00-\x009\x003\x000\x00B\x003\x00E\x004\x00E\x00D\x00C\x00C\x00D\x00(}\x00)?(?P=q17)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15381 WEB-ACTIVEX HP Virtual Rooms v7 ActiveX clsid unicode access misc-attack 2009-0094 udp $EXTERNAL_NET any -> $HOME_NET 137 gid:3; classtype:misc-attack; metadata: engine shared, soid 3|15387, policy security-ips drop; 15387 NETBIOS udp WINS WPAD registration attempt www.microsoft.com/technet/security/bulletin/MS09-008.mspx 34250 attempted-user 2009-1217 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"|01 00 00 00|"; content:" EMF"; within:4; distance:36; byte_jump:4,-40,relative,little; content:"F|00 00 00|,|00 00 00| |00 00 00|"; within:12; distance:-8; content:"F|00 00 00|"; distance:0; content:"|08|@|00 06|"; within:4; distance:12; byte_test:4,>,4261412864,28,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15430 WEB-CLIENT Microsoft EMF+ GpFont.SetData buffer overflow attempt attempted-user 2000-0834 tcp any [139,445] -> any any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15453, policy balanced-ips drop, policy security-ips drop, service netbios-ns; 15453 NETBIOS SMB replay attempt via NTLMSSP - overlapping encryption keys detected www.microsoft.com/technet/security/bulletin/MS10-012.mspx attempted-admin 2009-1128 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-admin; flowbits:isset,ppt.download; metadata: engine shared, soid 3|15498, service http, policy balanced-ips drop, policy security-ips drop; 15498 WEB-CLIENT Microsoft PowerPoint CString atom overflow attempt www.microsoft.com/technet/security/bulletin/MS09-017.mspx attempted-user 2009-0221 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.ppt; metadata: engine shared, soid 3|15500, service http, policy balanced-ips drop, policy security-ips drop; 15500 WEB-CLIENT Microsoft PowerPoint LinkedSlide memory corruption www.microsoft.com/technet/security/bulletin/MS09-017.mspx attempted-user 2009-0224 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.ppt; metadata: engine shared, soid 3|15501, service http, policy security-ips drop; 15501 WEB-CLIENT Microsoft Powerpoint ParaBuildAtom memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-017.mspx attempted-user 2009-0224 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.ppt; metadata: engine shared, soid 3|15502, service http, policy security-ips drop; 15502 WEB-CLIENT Microsoft Powerpoint DiagramBuildContainer memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-017.mspx attempted-user 2009-1130 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.ppt; metadata: engine shared, soid 3|15505, service http, policy balanced-ips drop, policy security-ips drop; 15505 WEB-CLIENT Microsoft PowerPoint HashCode10Atom memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-017.mspx attempted-user 2009-1131 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.ppt; metadata: engine shared, soid 3|15506, service http, policy balanced-ips drop, policy security-ips drop; 15506 WEB-CLIENT Microsoft PowerPoint CurrentUserAtom remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-017.mspx protocol-command-decode 2003-0605 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:3,4; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service dcerpc; classtype:protocol-command-decode; 15512 NETBIOS DCERPC NCACN-IP-TCP rpcss2 _RemoteGetClassObject attempt www.microsoft.com/technet/security/bulletin/MS03-039.mspx protocol-command-decode 2003-0605 udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:3,4; content:"|04 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service dcerpc; classtype:protocol-command-decode; 15513 NETBIOS DCERPC NCADG-IP-UDP rpcss2 _RemoteGetClassObject attempt www.microsoft.com/technet/security/bulletin/MS03-039.mspx attempted-user 2009-1533 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,works.download; metadata: engine shared, soid 3|15526, service http, policy balanced-ips drop, policy security-ips drop; 15526 EXPLOIT Microsoft Works 4.x converter font name buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS09-024.mspx attempted-admin 2009-1138 tcp $EXTERNAL_NET any -> $HOME_NET 389 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|15527, service ldap, policy balanced-ips drop, policy security-ips drop; 15527 EXPLOIT Microsoft Active Directory LDAP denial of service attempt www.microsoft.com/technet/security/bulletin/MS09-018.mspx protocol-command-decode 2009-0230 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15528, service netbios-ssn, policy balanced-ips drop, policy security-ips drop; 15528 NETBIOS DCERPC NCACN-IP-TCP spoolss RpcSetPrinterDataEx attempt www.microsoft.com/technet/security/bulletin/MS09-022.mspx attempted-admin 2009-1532 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|15540, service http, policy balanced-ips drop, policy security-ips drop; 15540 WEB-CLIENT Microsoft IE DOM memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-019.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"648A5600-2C6E-101B-82B6-000000000014"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*648A5600-2C6E-101B-82B6-000000000014\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15543 WEB-ACTIVEX Microsoft Communications Control v6 ActiveX clsid access support.microsoft.com/kb/969898 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|4|00|8|00|A|00|5|00|6|00|0|00|0|00|-|00|2|00|C|00|6|00|E|00|-|00|1|00|0|00|1|00|B|00|-|00|8|00|2|00|B|00|6|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|1|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x004\x008\x00A\x005\x006\x000\x000\x00-\x002\x00C\x006\x00E\x00-\x001\x000\x001\x00B\x00-\x008\x002\x00B\x006\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x001\x004\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15544 WEB-ACTIVEX Microsoft Communications Control v6 ActiveX clsid unicode access support.microsoft.com/kb/969898 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"MSCOMMLib.MSComm"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22MSCOMMLib\.MSComm(\.\d)?\x22|\x27MSCOMMLib\.MSComm(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MSCOMMLib\.MSComm(\.\d)?\x22|\x27MSCOMMLib\.MSComm(\.\d)?\x27)\s*\)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15545 WEB-ACTIVEX Microsoft Communications Control v6 ActiveX function call access support.microsoft.com/kb/969898 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"M|00|S|00|C|00|O|00|M|00|M|00|L|00|i|00|b|00|.|00|M|00|S|00|C|00|o|00|m|00|m|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)M\x00S\x00C\x00O\x00M\x00M\x00L\x00i\x00b\x00.\x00M\x00S\x00C\x00o\x00m\x00m\x00(\.\x00\d\x00)?(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)M\x00S\x00C\x00O\x00M\x00M\x00L\x00i\x00b\x00.\x00M\x00S\x00C\x00o\x00m\x00m\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15546 WEB-ACTIVEX Microsoft Communications Control v6 ActiveX function call unicode access support.microsoft.com/kb/969898 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4C39376E-FA9D-4349-BACC-D305C1750EF3"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4C39376E-FA9D-4349-BACC-D305C1750EF3\s*}?\s*(?P=q5)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15547 WEB-ACTIVEX eBay Picture Uploads control 1 ActiveX clsid access support.microsoft.com/kb/969898 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|C|00|3|00|9|00|3|00|7|00|6|00|E|00|-|00|F|00|A|00|9|00|D|00|-|00|4|00|3|00|4|00|9|00|-|00|B|00|A|00|C|00|C|00|-|00|D|00|3|00|0|00|5|00|C|00|1|00|7|00|5|00|0|00|E|00|F|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q6>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x00C\x003\x009\x003\x007\x006\x00E\x00-\x00F\x00A\x009\x00D\x00-\x004\x003\x004\x009\x00-\x00B\x00A\x00C\x00C\x00-\x00D\x003\x000\x005\x00C\x001\x007\x005\x000\x00E\x00F\x003\x00(}\x00)?(?P=q6)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15548 WEB-ACTIVEX eBay Picture Uploads control 1 ActiveX clsid unicode access support.microsoft.com/kb/969898 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"EPUWalControl.EPUImageControl"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22EPUWalControl\.EPUImageControl(\.\d)?\x22|\x27EPUWalControl\.EPUImageControl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EPUWalControl\.EPUImageControl(\.\d)?\x22|\x27EPUWalControl\.EPUImageControl(\.\d)?\x27)\s*\)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15549 WEB-ACTIVEX eBay Picture Uploads control 1 ActiveX function call access support.microsoft.com/kb/969898 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|P|00|U|00|W|00|a|00|l|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|.|00|E|00|P|00|U|00|I|00|m|00|a|00|g|00|e|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q7>\x22|\x27|)E\x00P\x00U\x00W\x00a\x00l\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00.\x00E\x00P\x00U\x00I\x00m\x00a\x00g\x00e\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(\.\x00\d\x00)?(?P=q7)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q8>\x22|\x27|)E\x00P\x00U\x00W\x00a\x00l\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00.\x00E\x00P\x00U\x00I\x00m\x00a\x00g\x00e\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(\.\x00\d\x00)?(?P=q8)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15550 WEB-ACTIVEX eBay Picture Uploads control 1 ActiveX function call unicode access support.microsoft.com/kb/969898 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C3EB1670-84E0-4EDA-B570-0B51AAE81679"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q9>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C3EB1670-84E0-4EDA-B570-0B51AAE81679\s*}?\s*(?P=q9)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15551 WEB-ACTIVEX eBay Picture Uploads control 2 ActiveX clsid access support.microsoft.com/kb/969898 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|3|00|E|00|B|00|1|00|6|00|7|00|0|00|-|00|8|00|4|00|E|00|0|00|-|00|4|00|E|00|D|00|A|00|-|00|B|00|5|00|7|00|0|00|-|00|0|00|B|00|5|00|1|00|A|00|A|00|E|00|8|00|1|00|6|00|7|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q10>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x003\x00E\x00B\x001\x006\x007\x000\x00-\x008\x004\x00E\x000\x00-\x004\x00E\x00D\x00A\x00-\x00B\x005\x007\x000\x00-\x000\x00B\x005\x001\x00A\x00A\x00E\x008\x001\x006\x007\x009\x00(}\x00)?(?P=q10)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15552 WEB-ACTIVEX eBay Picture Uploads control 2 ActiveX clsid unicode access support.microsoft.com/kb/969898 35256 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F6908F83-ADA6-11D0-87AA-00AA00198702"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F6908F83-ADA6-11D0-87AA-00AA00198702\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Accept)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F6908F83-ADA6-11D0-87AA-00AA00198702\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Accept))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15557 WEB-ACTIVEX SAP AG SAPgui EnjoySAP ActiveX clsid access 35256 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|6|00|9|00|0|00|8|00|F|00|8|00|3|00|-|00|A|00|D|00|A|00|6|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|7|00|A|00|A|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|1|00|9|00|8|00|7|00|0|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x006\x009\x000\x008\x00F\x008\x003\x00-\x00A\x00D\x00A\x006\x00-\x001\x001\x00D\x000\x00-\x008\x007\x00A\x00A\x00-\x000\x000\x00A\x00A\x000\x000\x001\x009\x008\x007\x000\x002\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15558 WEB-ACTIVEX SAP AG SAPgui EnjoySAP ActiveX clsid unicode access attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"011B3619-FE63-4814-8A84-15A194CE9CE3"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*011B3619-FE63-4814-8A84-15A194CE9CE3\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15588 WEB-ACTIVEX Microsoft Video 1 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|1|00|1|00|B|00|3|00|6|00|1|00|9|00|-|00|F|00|E|00|6|00|3|00|-|00|4|00|8|00|1|00|4|00|-|00|8|00|A|00|8|00|4|00|-|00|1|00|5|00|A|00|1|00|9|00|4|00|C|00|E|00|9|00|C|00|E|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x001\x001\x00B\x003\x006\x001\x009\x00-\x00F\x00E\x006\x003\x00-\x004\x008\x001\x004\x00-\x008\x00A\x008\x004\x00-\x001\x005\x00A\x001\x009\x004\x00C\x00E\x009\x00C\x00E\x003\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15589 WEB-ACTIVEX Microsoft Video 1 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1DF7D126-4050-47F0-A7CF-4C4CA9241333"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q3>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1DF7D126-4050-47F0-A7CF-4C4CA9241333\s*}?\s*(?P=q3)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15590 WEB-ACTIVEX Microsoft Video 10 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|D|00|F|00|7|00|D|00|1|00|2|00|6|00|-|00|4|00|0|00|5|00|0|00|-|00|4|00|7|00|F|00|0|00|-|00|A|00|7|00|C|00|F|00|-|00|4|00|C|00|4|00|C|00|A|00|9|00|2|00|4|00|1|00|3|00|3|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q4>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x00D\x00F\x007\x00D\x001\x002\x006\x00-\x004\x000\x005\x000\x00-\x004\x007\x00F\x000\x00-\x00A\x007\x00C\x00F\x00-\x004\x00C\x004\x00C\x00A\x009\x002\x004\x001\x003\x003\x003\x00(}\x00)?(?P=q4)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15591 WEB-ACTIVEX Microsoft Video 10 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2C63E4EB-4CEA-41B8-919C-E947EA19A77C"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2C63E4EB-4CEA-41B8-919C-E947EA19A77C\s*}?\s*(?P=q5)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15592 WEB-ACTIVEX Microsoft Video 11 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|C|00|6|00|3|00|E|00|4|00|E|00|B|00|-|00|4|00|C|00|E|00|A|00|-|00|4|00|1|00|B|00|8|00|-|00|9|00|1|00|9|00|C|00|-|00|E|00|9|00|4|00|7|00|E|00|A|00|1|00|9|00|A|00|7|00|7|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q6>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x00C\x006\x003\x00E\x004\x00E\x00B\x00-\x004\x00C\x00E\x00A\x00-\x004\x001\x00B\x008\x00-\x009\x001\x009\x00C\x00-\x00E\x009\x004\x007\x00E\x00A\x001\x009\x00A\x007\x007\x00C\x00(}\x00)?(?P=q6)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15593 WEB-ACTIVEX Microsoft Video 11 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"334125C0-77E5-11D3-B653-00C04F79498E"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*334125C0-77E5-11D3-B653-00C04F79498E\s*}?\s*(?P=q7)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15594 WEB-ACTIVEX Microsoft Video 12 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|3|00|4|00|1|00|2|00|5|00|C|00|0|00|-|00|7|00|7|00|E|00|5|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|5|00|3|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q8>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x003\x004\x001\x002\x005\x00C\x000\x00-\x007\x007\x00E\x005\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x005\x003\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15595 WEB-ACTIVEX Microsoft Video 12 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"37B0353C-A4C8-11D2-B634-00C04F79498E"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q9>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*37B0353C-A4C8-11D2-B634-00C04F79498E\s*}?\s*(?P=q9)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15596 WEB-ACTIVEX Microsoft Video 13 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|7|00|B|00|0|00|3|00|5|00|3|00|C|00|-|00|A|00|4|00|C|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|6|00|3|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q10>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x007\x00B\x000\x003\x005\x003\x00C\x00-\x00A\x004\x00C\x008\x00-\x001\x001\x00D\x002\x00-\x00B\x006\x003\x004\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q10)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15597 WEB-ACTIVEX Microsoft Video 13 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"37B03543-A4C8-11D2-B634-00C04F79498E"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q11>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*37B03543-A4C8-11D2-B634-00C04F79498E\s*}?\s*(?P=q11)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15598 WEB-ACTIVEX Microsoft Video 14 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|7|00|B|00|0|00|3|00|5|00|4|00|3|00|-|00|A|00|4|00|C|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|6|00|3|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q12>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x007\x00B\x000\x003\x005\x004\x003\x00-\x00A\x004\x00C\x008\x00-\x001\x001\x00D\x002\x00-\x00B\x006\x003\x004\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q12)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15599 WEB-ACTIVEX Microsoft Video 14 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"37B03544-A4C8-11D2-B634-00C04F79498E"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q13>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*37B03544-A4C8-11D2-B634-00C04F79498E\s*}?\s*(?P=q13)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15600 WEB-ACTIVEX Microsoft Video 15 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|7|00|B|00|0|00|3|00|5|00|4|00|4|00|-|00|A|00|4|00|C|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|6|00|3|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q14>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x007\x00B\x000\x003\x005\x004\x004\x00-\x00A\x004\x00C\x008\x00-\x001\x001\x00D\x002\x00-\x00B\x006\x003\x004\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q14)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15601 WEB-ACTIVEX Microsoft Video 15 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"418008F3-CF67-4668-9628-10DC52BE1D08"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q15>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*418008F3-CF67-4668-9628-10DC52BE1D08\s*}?\s*(?P=q15)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15602 WEB-ACTIVEX Microsoft Video 16 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|1|00|8|00|0|00|0|00|8|00|F|00|3|00|-|00|C|00|F|00|6|00|7|00|-|00|4|00|6|00|6|00|8|00|-|00|9|00|6|00|2|00|8|00|-|00|1|00|0|00|D|00|C|00|5|00|2|00|B|00|E|00|1|00|D|00|0|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q16>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x001\x008\x000\x000\x008\x00F\x003\x00-\x00C\x00F\x006\x007\x00-\x004\x006\x006\x008\x00-\x009\x006\x002\x008\x00-\x001\x000\x00D\x00C\x005\x002\x00B\x00E\x001\x00D\x000\x008\x00(}\x00)?(?P=q16)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15603 WEB-ACTIVEX Microsoft Video 16 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4A5869CF-929D-4040-AE03-FCAFC5B9CD42"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q17>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4A5869CF-929D-4040-AE03-FCAFC5B9CD42\s*}?\s*(?P=q17)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15604 WEB-ACTIVEX Microsoft Video 17 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|A|00|5|00|8|00|6|00|9|00|C|00|F|00|-|00|9|00|2|00|9|00|D|00|-|00|4|00|0|00|4|00|0|00|-|00|A|00|E|00|0|00|3|00|-|00|F|00|C|00|A|00|F|00|C|00|5|00|B|00|9|00|C|00|D|00|4|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q18>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x00A\x005\x008\x006\x009\x00C\x00F\x00-\x009\x002\x009\x00D\x00-\x004\x000\x004\x000\x00-\x00A\x00E\x000\x003\x00-\x00F\x00C\x00A\x00F\x00C\x005\x00B\x009\x00C\x00D\x004\x002\x00(}\x00)?(?P=q18)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15605 WEB-ACTIVEX Microsoft Video 17 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"577FAA18-4518-445E-8F70-1473F8CF4BA4"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q19>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*577FAA18-4518-445E-8F70-1473F8CF4BA4\s*}?\s*(?P=q19)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15606 WEB-ACTIVEX Microsoft Video 18 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|7|00|7|00|F|00|A|00|A|00|1|00|8|00|-|00|4|00|5|00|1|00|8|00|-|00|4|00|4|00|5|00|E|00|-|00|8|00|F|00|7|00|0|00|-|00|1|00|4|00|7|00|3|00|F|00|8|00|C|00|F|00|4|00|B|00|A|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q20>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x007\x007\x00F\x00A\x00A\x001\x008\x00-\x004\x005\x001\x008\x00-\x004\x004\x005\x00E\x00-\x008\x00F\x007\x000\x00-\x001\x004\x007\x003\x00F\x008\x00C\x00F\x004\x00B\x00A\x004\x00(}\x00)?(?P=q20)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15607 WEB-ACTIVEX Microsoft Video 18 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"59DC47A8-116C-11D3-9D8E-00C04F72D980"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q21>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*59DC47A8-116C-11D3-9D8E-00C04F72D980\s*}?\s*(?P=q21)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15608 WEB-ACTIVEX Microsoft Video 19 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|9|00|D|00|C|00|4|00|7|00|A|00|8|00|-|00|1|00|1|00|6|00|C|00|-|00|1|00|1|00|D|00|3|00|-|00|9|00|D|00|8|00|E|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|2|00|D|00|9|00|8|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q22>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x009\x00D\x00C\x004\x007\x00A\x008\x00-\x001\x001\x006\x00C\x00-\x001\x001\x00D\x003\x00-\x009\x00D\x008\x00E\x00-\x000\x000\x00C\x000\x004\x00F\x007\x002\x00D\x009\x008\x000\x00(}\x00)?(?P=q22)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15609 WEB-ACTIVEX Microsoft Video 19 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0149EEDF-D08F-4142-8D73-D23903D21E90"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q23>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0149EEDF-D08F-4142-8D73-D23903D21E90\s*}?\s*(?P=q23)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15610 WEB-ACTIVEX Microsoft Video 2 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|1|00|4|00|9|00|E|00|E|00|D|00|F|00|-|00|D|00|0|00|8|00|F|00|-|00|4|00|1|00|4|00|2|00|-|00|8|00|D|00|7|00|3|00|-|00|D|00|2|00|3|00|9|00|0|00|3|00|D|00|2|00|1|00|E|00|9|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q24>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x001\x004\x009\x00E\x00E\x00D\x00F\x00-\x00D\x000\x008\x00F\x00-\x004\x001\x004\x002\x00-\x008\x00D\x007\x003\x00-\x00D\x002\x003\x009\x000\x003\x00D\x002\x001\x00E\x009\x000\x00(}\x00)?(?P=q24)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15611 WEB-ACTIVEX Microsoft Video 2 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7F9CB14D-48E4-43B6-9346-1AEBC39C64D3"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q25>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7F9CB14D-48E4-43B6-9346-1AEBC39C64D3\s*}?\s*(?P=q25)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15612 WEB-ACTIVEX Microsoft Video 20 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|F|00|9|00|C|00|B|00|1|00|4|00|D|00|-|00|4|00|8|00|E|00|4|00|-|00|4|00|3|00|B|00|6|00|-|00|9|00|3|00|4|00|6|00|-|00|1|00|A|00|E|00|B|00|C|00|3|00|9|00|C|00|6|00|4|00|D|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q26>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x00F\x009\x00C\x00B\x001\x004\x00D\x00-\x004\x008\x00E\x004\x00-\x004\x003\x00B\x006\x00-\x009\x003\x004\x006\x00-\x001\x00A\x00E\x00B\x00C\x003\x009\x00C\x006\x004\x00D\x003\x00(}\x00)?(?P=q26)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15613 WEB-ACTIVEX Microsoft Video 20 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"823535A0-0318-11D3-9D8E-00C04F72D980"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q27>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*823535A0-0318-11D3-9D8E-00C04F72D980\s*}?\s*(?P=q27)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15614 WEB-ACTIVEX Microsoft Video 21 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|2|00|3|00|5|00|3|00|5|00|A|00|0|00|-|00|0|00|3|00|1|00|8|00|-|00|1|00|1|00|D|00|3|00|-|00|9|00|D|00|8|00|E|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|2|00|D|00|9|00|8|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q28>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x002\x003\x005\x003\x005\x00A\x000\x00-\x000\x003\x001\x008\x00-\x001\x001\x00D\x003\x00-\x009\x00D\x008\x00E\x00-\x000\x000\x00C\x000\x004\x00F\x007\x002\x00D\x009\x008\x000\x00(}\x00)?(?P=q28)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15615 WEB-ACTIVEX Microsoft Video 21 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8872FF1B-98FA-4D7A-8D93-C9F1055F85BB"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q29>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8872FF1B-98FA-4D7A-8D93-C9F1055F85BB\s*}?\s*(?P=q29)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15616 WEB-ACTIVEX Microsoft Video 22 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|8|00|7|00|2|00|F|00|F|00|1|00|B|00|-|00|9|00|8|00|F|00|A|00|-|00|4|00|D|00|7|00|A|00|-|00|8|00|D|00|9|00|3|00|-|00|C|00|9|00|F|00|1|00|0|00|5|00|5|00|F|00|8|00|5|00|B|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q30>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x008\x007\x002\x00F\x00F\x001\x00B\x00-\x009\x008\x00F\x00A\x00-\x004\x00D\x007\x00A\x00-\x008\x00D\x009\x003\x00-\x00C\x009\x00F\x001\x000\x005\x005\x00F\x008\x005\x00B\x00B\x00(}\x00)?(?P=q30)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15617 WEB-ACTIVEX Microsoft Video 22 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8A674B4C-1F63-11D3-B64C-00C04F79498E"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q31>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8A674B4C-1F63-11D3-B64C-00C04F79498E\s*}?\s*(?P=q31)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15618 WEB-ACTIVEX Microsoft Video 23 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|A|00|6|00|7|00|4|00|B|00|4|00|C|00|-|00|1|00|F|00|6|00|3|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|4|00|C|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q32>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x00A\x006\x007\x004\x00B\x004\x00C\x00-\x001\x00F\x006\x003\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x004\x00C\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q32)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15619 WEB-ACTIVEX Microsoft Video 23 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8A674B4D-1F63-11D3-B64C-00C04F79498E"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q33>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8A674B4D-1F63-11D3-B64C-00C04F79498E\s*}?\s*(?P=q33)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15620 WEB-ACTIVEX Microsoft Video 24 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|A|00|6|00|7|00|4|00|B|00|4|00|D|00|-|00|1|00|F|00|6|00|3|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|4|00|C|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q34>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x00A\x006\x007\x004\x00B\x004\x00D\x00-\x001\x00F\x006\x003\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x004\x00C\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q34)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15621 WEB-ACTIVEX Microsoft Video 24 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9CD64701-BDF3-4D14-8E03-F12983D86664"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q35>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9CD64701-BDF3-4D14-8E03-F12983D86664\s*}?\s*(?P=q35)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15622 WEB-ACTIVEX Microsoft Video 25 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|C|00|D|00|6|00|4|00|7|00|0|00|1|00|-|00|B|00|D|00|F|00|3|00|-|00|4|00|D|00|1|00|4|00|-|00|8|00|E|00|0|00|3|00|-|00|F|00|1|00|2|00|9|00|8|00|3|00|D|00|8|00|6|00|6|00|6|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q36>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x00C\x00D\x006\x004\x007\x000\x001\x00-\x00B\x00D\x00F\x003\x00-\x004\x00D\x001\x004\x00-\x008\x00E\x000\x003\x00-\x00F\x001\x002\x009\x008\x003\x00D\x008\x006\x006\x006\x004\x00(}\x00)?(?P=q36)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15623 WEB-ACTIVEX Microsoft Video 25 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9E77AAC4-35E5-42A1-BDC2-8F3FF399847C"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q37>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9E77AAC4-35E5-42A1-BDC2-8F3FF399847C\s*}?\s*(?P=q37)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15624 WEB-ACTIVEX Microsoft Video 26 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|E|00|7|00|7|00|A|00|A|00|C|00|4|00|-|00|3|00|5|00|E|00|5|00|-|00|4|00|2|00|A|00|1|00|-|00|B|00|D|00|C|00|2|00|-|00|8|00|F|00|3|00|F|00|F|00|3|00|9|00|9|00|8|00|4|00|7|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q38>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x00E\x007\x007\x00A\x00A\x00C\x004\x00-\x003\x005\x00E\x005\x00-\x004\x002\x00A\x001\x00-\x00B\x00D\x00C\x002\x00-\x008\x00F\x003\x00F\x00F\x003\x009\x009\x008\x004\x007\x00C\x00(}\x00)?(?P=q38)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15625 WEB-ACTIVEX Microsoft Video 26 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q39>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980\s*}?\s*(?P=q39)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15626 WEB-ACTIVEX Microsoft Video 27 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|1|00|A|00|2|00|B|00|1|00|C|00|4|00|-|00|0|00|E|00|3|00|A|00|-|00|1|00|1|00|D|00|3|00|-|00|9|00|D|00|8|00|E|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|2|00|D|00|9|00|8|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q40>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x001\x00A\x002\x00B\x001\x00C\x004\x00-\x000\x00E\x003\x00A\x00-\x001\x001\x00D\x003\x00-\x009\x00D\x008\x00E\x00-\x000\x000\x00C\x000\x004\x00F\x007\x002\x00D\x009\x008\x000\x00(}\x00)?(?P=q40)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15627 WEB-ACTIVEX Microsoft Video 27 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A2E3074E-6C3D-11D3-B653-00C04F79498E"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q41>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A2E3074E-6C3D-11D3-B653-00C04F79498E\s*}?\s*(?P=q41)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15628 WEB-ACTIVEX Microsoft Video 28 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|2|00|E|00|3|00|0|00|7|00|4|00|E|00|-|00|6|00|C|00|3|00|D|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|5|00|3|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q42>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x002\x00E\x003\x000\x007\x004\x00E\x00-\x006\x00C\x003\x00D\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x005\x003\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q42)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15629 WEB-ACTIVEX Microsoft Video 28 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A2E30750-6C3D-11D3-B653-00C04F79498E"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q43>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A2E30750-6C3D-11D3-B653-00C04F79498E\s*}?\s*(?P=q43)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15630 WEB-ACTIVEX Microsoft Video 29 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|2|00|E|00|3|00|0|00|7|00|5|00|0|00|-|00|6|00|C|00|3|00|D|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|5|00|3|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q44>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x002\x00E\x003\x000\x007\x005\x000\x00-\x006\x00C\x003\x00D\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x005\x003\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q44)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15631 WEB-ACTIVEX Microsoft Video 29 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0369B4E5-45B6-11D3-B650-00C04F79498E"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q45>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0369B4E5-45B6-11D3-B650-00C04F79498E\s*}?\s*(?P=q45)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15632 WEB-ACTIVEX Microsoft Video 3 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|3|00|6|00|9|00|B|00|4|00|E|00|5|00|-|00|4|00|5|00|B|00|6|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|5|00|0|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q46>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x003\x006\x009\x00B\x004\x00E\x005\x00-\x004\x005\x00B\x006\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x005\x000\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q46)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15633 WEB-ACTIVEX Microsoft Video 3 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q47>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE\s*}?\s*(?P=q47)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15634 WEB-ACTIVEX Microsoft Video 30 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|8|00|D|00|C|00|F|00|3|00|D|00|5|00|-|00|0|00|7|00|8|00|0|00|-|00|4|00|E|00|F|00|4|00|-|00|8|00|A|00|8|00|3|00|-|00|2|00|C|00|F|00|F|00|A|00|A|00|C|00|B|00|8|00|A|00|C|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q48>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x008\x00D\x00C\x00F\x003\x00D\x005\x00-\x000\x007\x008\x000\x00-\x004\x00E\x00F\x004\x00-\x008\x00A\x008\x003\x00-\x002\x00C\x00F\x00F\x00A\x00A\x00C\x00B\x008\x00A\x00C\x00E\x00(}\x00)?(?P=q48)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15635 WEB-ACTIVEX Microsoft Video 30 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AD8E510D-217F-409B-8076-29C5E73B98E8"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q49>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AD8E510D-217F-409B-8076-29C5E73B98E8\s*}?\s*(?P=q49)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15636 WEB-ACTIVEX Microsoft Video 31 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|D|00|8|00|E|00|5|00|1|00|0|00|D|00|-|00|2|00|1|00|7|00|F|00|-|00|4|00|0|00|9|00|B|00|-|00|8|00|0|00|7|00|6|00|-|00|2|00|9|00|C|00|5|00|E|00|7|00|3|00|B|00|9|00|8|00|E|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q50>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00D\x008\x00E\x005\x001\x000\x00D\x00-\x002\x001\x007\x00F\x00-\x004\x000\x009\x00B\x00-\x008\x000\x007\x006\x00-\x002\x009\x00C\x005\x00E\x007\x003\x00B\x009\x008\x00E\x008\x00(}\x00)?(?P=q50)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15637 WEB-ACTIVEX Microsoft Video 31 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2009-2494 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B0EDF163-910A-11D2-B632-00C04F79498E"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q9>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B0EDF163-910A-11D2-B632-00C04F79498E\s*}?\s*(?P=q9)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15638 WEB-ACTIVEX Microsoft Video 32 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2009-2494 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|0|00|E|00|D|00|F|00|1|00|6|00|3|00|-|00|9|00|1|00|0|00|A|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|6|00|3|00|2|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q10>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x000\x00E\x00D\x00F\x001\x006\x003\x00-\x009\x001\x000\x00A\x00-\x001\x001\x00D\x002\x00-\x00B\x006\x003\x002\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q10)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15639 WEB-ACTIVEX Microsoft Video 32 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B64016F3-C9A2-4066-96F0-BD9563314726"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q53>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B64016F3-C9A2-4066-96F0-BD9563314726\s*}?\s*(?P=q53)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15640 WEB-ACTIVEX Microsoft Video 33 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|6|00|4|00|0|00|1|00|6|00|F|00|3|00|-|00|C|00|9|00|A|00|2|00|-|00|4|00|0|00|6|00|6|00|-|00|9|00|6|00|F|00|0|00|-|00|B|00|D|00|9|00|5|00|6|00|3|00|3|00|1|00|4|00|7|00|2|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q54>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x006\x004\x000\x001\x006\x00F\x003\x00-\x00C\x009\x00A\x002\x00-\x004\x000\x006\x006\x00-\x009\x006\x00F\x000\x00-\x00B\x00D\x009\x005\x006\x003\x003\x001\x004\x007\x002\x006\x00(}\x00)?(?P=q54)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15641 WEB-ACTIVEX Microsoft Video 33 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BB530C63-D9DF-4B49-9439-63453962E598"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q55>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BB530C63-D9DF-4B49-9439-63453962E598\s*}?\s*(?P=q55)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15642 WEB-ACTIVEX Microsoft Video 34 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|B|00|5|00|3|00|0|00|C|00|6|00|3|00|-|00|D|00|9|00|D|00|F|00|-|00|4|00|B|00|4|00|9|00|-|00|9|00|4|00|3|00|9|00|-|00|6|00|3|00|4|00|5|00|3|00|9|00|6|00|2|00|E|00|5|00|9|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q56>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x00B\x005\x003\x000\x00C\x006\x003\x00-\x00D\x009\x00D\x00F\x00-\x004\x00B\x004\x009\x00-\x009\x004\x003\x009\x00-\x006\x003\x004\x005\x003\x009\x006\x002\x00E\x005\x009\x008\x00(}\x00)?(?P=q56)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15643 WEB-ACTIVEX Microsoft Video 34 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C531D9FD-9685-4028-8B68-6E1232079F1E"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q57>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C531D9FD-9685-4028-8B68-6E1232079F1E\s*}?\s*(?P=q57)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15644 WEB-ACTIVEX Microsoft Video 35 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|5|00|3|00|1|00|D|00|9|00|F|00|D|00|-|00|9|00|6|00|8|00|5|00|-|00|4|00|0|00|2|00|8|00|-|00|8|00|B|00|6|00|8|00|-|00|6|00|E|00|1|00|2|00|3|00|2|00|0|00|7|00|9|00|F|00|1|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q58>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x005\x003\x001\x00D\x009\x00F\x00D\x00-\x009\x006\x008\x005\x00-\x004\x000\x002\x008\x00-\x008\x00B\x006\x008\x00-\x006\x00E\x001\x002\x003\x002\x000\x007\x009\x00F\x001\x00E\x00(}\x00)?(?P=q58)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15645 WEB-ACTIVEX Microsoft Video 35 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C5702CCC-9B79-11D3-B654-00C04F79498E"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q59>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C5702CCC-9B79-11D3-B654-00C04F79498E\s*}?\s*(?P=q59)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15646 WEB-ACTIVEX Microsoft Video 36 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|5|00|7|00|0|00|2|00|C|00|C|00|C|00|-|00|9|00|B|00|7|00|9|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|5|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q60>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x005\x007\x000\x002\x00C\x00C\x00C\x00-\x009\x00B\x007\x009\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x005\x004\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q60)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15647 WEB-ACTIVEX Microsoft Video 36 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C5702CCD-9B79-11D3-B654-00C04F79498E"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q61>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C5702CCD-9B79-11D3-B654-00C04F79498E\s*}?\s*(?P=q61)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15648 WEB-ACTIVEX Microsoft Video 37 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|5|00|7|00|0|00|2|00|C|00|C|00|D|00|-|00|9|00|B|00|7|00|9|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|5|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q62>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x005\x007\x000\x002\x00C\x00C\x00D\x00-\x009\x00B\x007\x009\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x005\x004\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q62)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15649 WEB-ACTIVEX Microsoft Video 37 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C5702CCE-9B79-11D3-B654-00C04F79498E"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q63>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C5702CCE-9B79-11D3-B654-00C04F79498E\s*}?\s*(?P=q63)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15650 WEB-ACTIVEX Microsoft Video 38 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|5|00|7|00|0|00|2|00|C|00|C|00|E|00|-|00|9|00|B|00|7|00|9|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|5|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q64>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x005\x007\x000\x002\x00C\x00C\x00E\x00-\x009\x00B\x007\x009\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x005\x004\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q64)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15651 WEB-ACTIVEX Microsoft Video 38 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C5702CCF-9B79-11D3-B654-00C04F79498E"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q65>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C5702CCF-9B79-11D3-B654-00C04F79498E\s*}?\s*(?P=q65)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15652 WEB-ACTIVEX Microsoft Video 39 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|5|00|7|00|0|00|2|00|C|00|C|00|F|00|-|00|9|00|B|00|7|00|9|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|5|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q66>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x005\x007\x000\x002\x00C\x00C\x00F\x00-\x009\x00B\x007\x009\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x005\x004\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q66)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15653 WEB-ACTIVEX Microsoft Video 39 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0369B4E6-45B6-11D3-B650-00C04F79498E"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q67>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0369B4E6-45B6-11D3-B650-00C04F79498E\s*}?\s*(?P=q67)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15654 WEB-ACTIVEX Microsoft Video 4 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|3|00|6|00|9|00|B|00|4|00|E|00|6|00|-|00|4|00|5|00|B|00|6|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|5|00|0|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q68>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x003\x006\x009\x00B\x004\x00E\x006\x00-\x004\x005\x00B\x006\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x005\x000\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q68)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15655 WEB-ACTIVEX Microsoft Video 4 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C5702CD0-9B79-11D3-B654-00C04F79498E"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q69>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C5702CD0-9B79-11D3-B654-00C04F79498E\s*}?\s*(?P=q69)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15656 WEB-ACTIVEX Microsoft Video 40 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|5|00|7|00|0|00|2|00|C|00|D|00|0|00|-|00|9|00|B|00|7|00|9|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|6|00|5|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q70>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x005\x007\x000\x002\x00C\x00D\x000\x00-\x009\x00B\x007\x009\x00-\x001\x001\x00D\x003\x00-\x00B\x006\x005\x004\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q70)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15657 WEB-ACTIVEX Microsoft Video 40 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q71>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7\s*}?\s*(?P=q71)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15658 WEB-ACTIVEX Microsoft Video 41 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|6|00|B|00|1|00|4|00|B|00|3|00|2|00|-|00|7|00|6|00|A|00|A|00|-|00|4|00|A|00|8|00|6|00|-|00|A|00|7|00|A|00|C|00|-|00|5|00|C|00|7|00|9|00|A|00|A|00|F|00|5|00|8|00|D|00|A|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q72>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x006\x00B\x001\x004\x00B\x003\x002\x00-\x007\x006\x00A\x00A\x00-\x004\x00A\x008\x006\x00-\x00A\x007\x00A\x00C\x00-\x005\x00C\x007\x009\x00A\x00A\x00F\x005\x008\x00D\x00A\x007\x00(}\x00)?(?P=q72)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15659 WEB-ACTIVEX Microsoft Video 41 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CAAFDD83-CEFC-4E3D-BA03-175F17A24F91"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q73>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CAAFDD83-CEFC-4E3D-BA03-175F17A24F91\s*}?\s*(?P=q73)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15660 WEB-ACTIVEX Microsoft Video 42 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|A|00|A|00|F|00|D|00|D|00|8|00|3|00|-|00|C|00|E|00|F|00|C|00|-|00|4|00|E|00|3|00|D|00|-|00|B|00|A|00|0|00|3|00|-|00|1|00|7|00|5|00|F|00|1|00|7|00|A|00|2|00|4|00|F|00|9|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q74>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00A\x00A\x00F\x00D\x00D\x008\x003\x00-\x00C\x00E\x00F\x00C\x00-\x004\x00E\x003\x00D\x00-\x00B\x00A\x000\x003\x00-\x001\x007\x005\x00F\x001\x007\x00A\x002\x004\x00F\x009\x001\x00(}\x00)?(?P=q74)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15661 WEB-ACTIVEX Microsoft Video 42 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D02AAC50-027E-11D3-9D8E-00C04F72D980"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q75>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D02AAC50-027E-11D3-9D8E-00C04F72D980\s*}?\s*(?P=q75)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15662 WEB-ACTIVEX Microsoft Video 43 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|0|00|2|00|A|00|A|00|C|00|5|00|0|00|-|00|0|00|2|00|7|00|E|00|-|00|1|00|1|00|D|00|3|00|-|00|9|00|D|00|8|00|E|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|2|00|D|00|9|00|8|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q76>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x000\x002\x00A\x00A\x00C\x005\x000\x00-\x000\x002\x007\x00E\x00-\x001\x001\x00D\x003\x00-\x009\x00D\x008\x00E\x00-\x000\x000\x00C\x000\x004\x00F\x007\x002\x00D\x009\x008\x000\x00(}\x00)?(?P=q76)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15663 WEB-ACTIVEX Microsoft Video 43 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F9769A06-7ACA-4E39-9CFB-97BB35F0E77E"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q77>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F9769A06-7ACA-4E39-9CFB-97BB35F0E77E\s*}?\s*(?P=q77)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15664 WEB-ACTIVEX Microsoft Video 44 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|9|00|7|00|6|00|9|00|A|00|0|00|6|00|-|00|7|00|A|00|C|00|A|00|-|00|4|00|E|00|3|00|9|00|-|00|9|00|C|00|F|00|B|00|-|00|9|00|7|00|B|00|B|00|3|00|5|00|F|00|0|00|E|00|7|00|7|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q78>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x009\x007\x006\x009\x00A\x000\x006\x00-\x007\x00A\x00C\x00A\x00-\x004\x00E\x003\x009\x00-\x009\x00C\x00F\x00B\x00-\x009\x007\x00B\x00B\x003\x005\x00F\x000\x00E\x007\x007\x00E\x00(}\x00)?(?P=q78)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15665 WEB-ACTIVEX Microsoft Video 44 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FA7C375B-66A7-4280-879D-FD459C84BB02"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q79>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FA7C375B-66A7-4280-879D-FD459C84BB02\s*}?\s*(?P=q79)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15666 WEB-ACTIVEX Microsoft Video 45 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|A|00|7|00|C|00|3|00|7|00|5|00|B|00|-|00|6|00|6|00|A|00|7|00|-|00|4|00|2|00|8|00|0|00|-|00|8|00|7|00|9|00|D|00|-|00|F|00|D|00|4|00|5|00|9|00|C|00|8|00|4|00|B|00|B|00|0|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q80>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x00A\x007\x00C\x003\x007\x005\x00B\x00-\x006\x006\x00A\x007\x00-\x004\x002\x008\x000\x00-\x008\x007\x009\x00D\x00-\x00F\x00D\x004\x005\x009\x00C\x008\x004\x00B\x00B\x000\x002\x00(}\x00)?(?P=q80)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15667 WEB-ACTIVEX Microsoft Video 45 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"055CB2D7-2969-45CD-914B-76890722F112"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q81>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*055CB2D7-2969-45CD-914B-76890722F112\s*}?\s*(?P=q81)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15668 WEB-ACTIVEX Microsoft Video 5 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|5|00|5|00|C|00|B|00|2|00|D|00|7|00|-|00|2|00|9|00|6|00|9|00|-|00|4|00|5|00|C|00|D|00|-|00|9|00|1|00|4|00|B|00|-|00|7|00|6|00|8|00|9|00|0|00|7|00|2|00|2|00|F|00|1|00|1|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q82>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x005\x005\x00C\x00B\x002\x00D\x007\x00-\x002\x009\x006\x009\x00-\x004\x005\x00C\x00D\x00-\x009\x001\x004\x00B\x00-\x007\x006\x008\x009\x000\x007\x002\x002\x00F\x001\x001\x002\x00(}\x00)?(?P=q82)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15669 WEB-ACTIVEX Microsoft Video 5 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx 35558 attempted-user 2009-0901 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0955AC62-BF2E-4CBA-A2B9-A63F772D46CF\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15670 WEB-ACTIVEX Microsoft Video 6 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx 35558 attempted-user 2009-0901 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|9|00|5|00|5|00|A|00|C|00|6|00|2|00|-|00|B|00|F|00|2|00|E|00|-|00|4|00|C|00|B|00|A|00|-|00|A|00|2|00|B|00|9|00|-|00|A|00|6|00|3|00|F|00|7|00|7|00|2|00|D|00|4|00|6|00|C|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x009\x005\x005\x00A\x00C\x006\x002\x00-\x00B\x00F\x002\x00E\x00-\x004\x00C\x00B\x00A\x00-\x00A\x002\x00B\x009\x00-\x00A\x006\x003\x00F\x007\x007\x002\x00D\x004\x006\x00C\x00F\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15671 WEB-ACTIVEX Microsoft Video 6 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"15D6504A-5494-499C-886C-973C9E53B9F1"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15672 WEB-ACTIVEX Microsoft Video 7 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1BE49F30-0E1B-11D3-9D8E-00C04F72D980"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q87>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1BE49F30-0E1B-11D3-9D8E-00C04F72D980\s*}?\s*(?P=q87)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15674 WEB-ACTIVEX Microsoft Video 8 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|B|00|E|00|4|00|9|00|F|00|3|00|0|00|-|00|0|00|E|00|1|00|B|00|-|00|1|00|1|00|D|00|3|00|-|00|9|00|D|00|8|00|E|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|2|00|D|00|9|00|8|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q88>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x00B\x00E\x004\x009\x00F\x003\x000\x00-\x000\x00E\x001\x00B\x00-\x001\x001\x00D\x003\x00-\x009\x00D\x008\x00E\x00-\x000\x000\x00C\x000\x004\x00F\x007\x002\x00D\x009\x008\x000\x00(}\x00)?(?P=q88)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15675 WEB-ACTIVEX Microsoft Video 8 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1C15D484-911D-11D2-B632-00C04F79498E"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q89>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*1C15D484-911D-11D2-B632-00C04F79498E\s*}?\s*(?P=q89)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15676 WEB-ACTIVEX Microsoft Video 9 ActiveX clsid access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|C|00|1|00|5|00|D|00|4|00|8|00|4|00|-|00|9|00|1|00|1|00|D|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|6|00|3|00|2|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|7|00|9|00|4|00|9|00|8|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q90>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x00C\x001\x005\x00D\x004\x008\x004\x00-\x009\x001\x001\x00D\x00-\x001\x001\x00D\x002\x00-\x00B\x006\x003\x002\x00-\x000\x000\x00C\x000\x004\x00F\x007\x009\x004\x009\x008\x00E\x00(}\x00)?(?P=q90)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15677 WEB-ACTIVEX Microsoft Video 9 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2004-0540 udp $EXTERNAL_NET any -> $HOME_NET 88 flow:to_server; content:"0|17 A0 03 02 01 02 A1 10|0|0E 1B 06|krbtgt|1B 04|A123"; content:"|0F|n|FB C0|"; distance:0; metadata:policy security-ips drop, service kerberos; classtype:attempted-user; 15701 SPECIFIC-THREATS Microsoft Windows 2000 domain authentication bypass attempt 35396 attempted-dos 2009-1761 tcp $EXTERNAL_NET any -> $HOME_NET 6503 flow:established,to_server; dce_iface:DC246BF0-7A7A-11CE-9F88-00805FE43838; dce_opnum:19; dce_stub_data; byte_test:4,=,1,0,relative,dce; byte_test:4,>,64000,8,relative,dce; byte_test:4,=,0,12,relative,dce; byte_test:4,>,64000,16,relative,dce; content:"|05 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:attempted-dos; 15702 NETBIOS DCERPC NCACN-IP-TCP brightstor opcode 0x13 overflow attempt 35396 attempted-dos 2009-1761 tcp $EXTERNAL_NET any -> $HOME_NET 6503 flow:established,to_server; dce_iface:DC246BF0-7A7A-11CE-9F88-00805FE43838; dce_opnum:59; dce_stub_data; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:8; content:"|05 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:attempted-dos; 15710 NETBIOS DCERPC NCACN-IP-TCP brightstor opcode 0x3B null strings attempt attempted-user 2000-0834 tcp any 23 -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15847, policy balanced-ips drop, policy security-ips drop, service telnet; 15847 NETBIOS Telnet-based NTLM replay attack attempt www.microsoft.com/technet/security/bulletin/MS10-012.mspx attempted-admin 2009-1923 tcp $EXTERNAL_NET any -> $HOME_NET 42 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|15848, service netbios-ns, policy balanced-ips drop, policy security-ips drop; 15848 EXPLOIT WINS replication request memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-039.mspx attempted-admin 2009-1924 tcp $EXTERNAL_NET any -> $HOME_NET 42 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|15849, service netbios-ns, policy balanced-ips drop, policy security-ips drop; 15849 EXPLOIT WINS replication inform2 request memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-039.mspx attempted-dos 2009-1536 tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any gid:3; classtype:attempted-dos; detection_filter:track by_dst, count 12, seconds 60; metadata: engine shared, soid 3|15851, service http, policy balanced-ips alert, policy security-ips alert; 15851 DOS Microsoft ASP.NET bad request denial of service attempt www.microsoft.com/technet/security/bulletin/MS09-036.mspx 35970 attempted-user 2009-1546 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15854, service http, policy balanced-ips drop, policy security-ips drop; 15854 WEB-CLIENT Microsoft Windows AVIFile media file processing memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-038.mspx attempted-user 2009-1546 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15857, service http, policy balanced-ips drop, policy security-ips drop; 15857 WEB-CLIENT Microsoft Windows AVIFile media file invalid header length www.microsoft.com/technet/security/bulletin/MS09-038.mspx protocol-command-decode 2009-1544 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15860, service netbios-ssn, policy balanced-ips drop, policy security-ips drop; 15860 NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrGetJoinInformation attempt www.microsoft.com/technet/security/bulletin/MS09-041.mspx attempted-user 2009-1929 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15861, service http, policy balanced-ips drop, policy security-ips alert; 15861 WEB-ACTIVEX Microsoft Remote Desktop Client ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS09-044.mspx attempted-user 2009-1929 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15863, service http, policy balanced-ips drop, policy security-ips alert; 15863 WEB-ACTIVEX Microsoft Remote Desktop Client ActiveX function call access www.microsoft.com/technet/security/bulletin/MS09-044.mspx attempted-user 2009-2627 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3895DD35-7573-11D2-8FED-00606730D3AA"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3895DD35-7573-11D2-8FED-00606730D3AA\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Run)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3895DD35-7573-11D2-8FED-00606730D3AA\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Run))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15878 WEB-ACTIVEX AcerCtrls.APlunch ActiveX clsid access www.kb.cert.org/vuls/id/485961 attempted-user 2009-2627 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|8|00|9|00|5|00|D|00|D|00|3|00|5|00|-|00|7|00|5|00|7|00|3|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|F|00|E|00|D|00|-|00|0|00|0|00|6|00|0|00|6|00|7|00|3|00|0|00|D|00|3|00|A|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x008\x009\x005\x00D\x00D\x003\x005\x00-\x007\x005\x007\x003\x00-\x001\x001\x00D\x002\x00-\x008\x00F\x00E\x00D\x00-\x000\x000\x006\x000\x006\x007\x003\x000\x00D\x003\x00A\x00A\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15879 WEB-ACTIVEX AcerCtrls.APlunch ActiveX clsid unicode access www.kb.cert.org/vuls/id/485961 attempted-admin 2005-1219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|11 11 12 12 12 0B 0D 14 15 14 12 15 10 12 12 11 01 03 03 03 04 03 04 08 04 04 08 11 0B 0A 0B 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 FF C4 01 A2 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05|"; metadata:policy security-ips drop, service http; classtype:attempted-admin; 15894 SPECIFIC-THREATS Microsoft Color Management Module remote code execution attempt www.microsoft.com/technet/security/bulletin/ms05-016.mspx 35558 attempted-user 2009-0901 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BDATuner.MPEG2TuneRequest"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22BDATuner\.MPEG2TuneRequest(\.\d)?\x22|\x27BDATuner\.MPEG2TuneRequest(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BDATuner\.MPEG2TuneRequest(\.\d)?\x22|\x27BDATuner\.MPEG2TuneRequest(\.\d)?\x27)\s*\)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15904 WEB-ACTIVEX Microsoft Video 6 ActiveX function call access www.microsoft.com/technet/security/advisory/972890.mspx 35558 attempted-user 2009-0901 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|D|00|A|00|T|00|u|00|n|00|e|00|r|00|.|00|M|00|P|00|E|00|G|00|2|00|T|00|u|00|n|00|e|00|R|00|e|00|q|00|u|00|e|00|s|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)B\x00D\x00A\x00T\x00u\x00n\x00e\x00r\x00.\x00M\x00P\x00E\x00G\x002\x00T\x00u\x00n\x00e\x00R\x00e\x00q\x00u\x00e\x00s\x00t\x00(\.\x00\d\x00)?(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)B\x00D\x00A\x00T\x00u\x00n\x00e\x00r\x00.\x00M\x00P\x00E\x00G\x002\x00T\x00u\x00n\x00e\x00R\x00e\x00q\x00u\x00e\x00s\x00t\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15905 WEB-ACTIVEX Microsoft Video 6 ActiveX function call unicode access www.microsoft.com/technet/security/advisory/972890.mspx attempted-user 2009-2499 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.mp3; metadata: engine shared, soid 3|15920, service http, policy balanced-ips drop, policy security-ips drop; 15920 WEB-CLIENT Microsoft mp3 malformed APIC header RCE attempt www.microsoft.com/technet/security/bulletin/MS09-047.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".wma"; nocase; http_uri; flowbits:set,http.wma; flowbits:noalert; metadata:service http; classtype:misc-activity; 15921 WEB-CLIENT Microsoft media format file download request 1474 attempted-user 2009-2519 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|D|00|3|00|6|00|0|00|2|00|0|00|1|00|-|00|F|00|F|00|F|00|5|00|-|00|1|00|1|00|d|00|1|00|-|00|8|00|D|00|0|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|5|00|9|00|B|00|C|00|0|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x00D\x003\x006\x000\x002\x000\x001\x00-\x00F\x00F\x00F\x005\x00-\x001\x001\x00d\x001\x00-\x008\x00D\x000\x003\x00-\x000\x000\x00A\x000\x00C\x009\x005\x009\x00B\x00C\x000\x00A\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15923 WEB-ACTIVEX DHTML Editing ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS99-011.mspx 1474 attempted-user 2009-2519 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DHTMLSafe.DHTMLSafe"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22DHTMLSafe\.DHTMLSafe(\.\d)?\x22|\x27DHTMLSafe\.DHTMLSafe(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*LoadURL\s*|.*(?P=v)\s*\.\s*LoadURL\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DHTMLSafe\.DHTMLSafe(\.\d)?\x22|\x27DHTMLSafe\.DHTMLSafe(\.\d)?\x27)\s*\)(\s*\.\s*LoadURL\s*|.*(?P=n)\s*\.\s*LoadURL\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15924 WEB-ACTIVEX DHTML Editing ActiveX function call access www.microsoft.com/technet/security/bulletin/MS99-011.mspx 1474 attempted-user 2009-2519 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|H|00|T|00|M|00|L|00|S|00|a|00|f|00|e|00|.|00|D|00|H|00|T|00|M|00|L|00|S|00|a|00|f|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)D\x00H\x00T\x00M\x00L\x00S\x00a\x00f\x00e\x00.\x00D\x00H\x00T\x00M\x00L\x00S\x00a\x00f\x00e\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)D\x00H\x00T\x00M\x00L\x00S\x00a\x00f\x00e\x00.\x00D\x00H\x00T\x00M\x00L\x00S\x00a\x00f\x00e\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15925 WEB-ACTIVEX DHTML Editing ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/MS99-011.mspx 36234 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D22DE742-04CD-4B5C-A8A3-82AB3DAEC43D"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D22DE742-04CD-4B5C-A8A3-82AB3DAEC43D\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15926 WEB-ACTIVEX PPStream PPSMediaList ActiveX clsid access 36234 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|2|00|2|00|D|00|E|00|7|00|4|00|2|00|-|00|0|00|4|00|C|00|D|00|-|00|4|00|B|00|5|00|C|00|-|00|A|00|8|00|A|00|3|00|-|00|8|00|2|00|A|00|B|00|3|00|D|00|A|00|E|00|C|00|4|00|3|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x002\x002\x00D\x00E\x007\x004\x002\x00-\x000\x004\x00C\x00D\x00-\x004\x00B\x005\x00C\x00-\x00A\x008\x00A\x003\x00-\x008\x002\x00A\x00B\x003\x00D\x00A\x00E\x00C\x004\x003\x00D\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15927 WEB-ACTIVEX PPStream PPSMediaList ActiveX clsid unicode access 36234 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"PPSMEDIALIST.PPSMediaListCtrl"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22PPSMEDIALIST\.PPSMediaListCtrl(\.\d)?\x22|\x27PPSMEDIALIST\.PPSMediaListCtrl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22PPSMEDIALIST\.PPSMediaListCtrl(\.\d)?\x22|\x27PPSMEDIALIST\.PPSMediaListCtrl(\.\d)?\x27)\s*\)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15928 WEB-ACTIVEX PPStream PPSMediaList ActiveX function call access 36234 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"P|00|P|00|S|00|M|00|E|00|D|00|I|00|A|00|L|00|I|00|S|00|T|00|.|00|P|00|P|00|S|00|M|00|e|00|d|00|i|00|a|00|L|00|i|00|s|00|t|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)P\x00P\x00S\x00M\x00E\x00D\x00I\x00A\x00L\x00I\x00S\x00T\x00.\x00P\x00P\x00S\x00M\x00e\x00d\x00i\x00a\x00L\x00i\x00s\x00t\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)P\x00P\x00S\x00M\x00E\x00D\x00I\x00A\x00L\x00I\x00S\x00T\x00.\x00P\x00P\x00S\x00M\x00e\x00d\x00i\x00a\x00L\x00i\x00s\x00t\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15929 WEB-ACTIVEX PPStream PPSMediaList ActiveX function call unicode access attempted-dos 2009-3103 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445] flow:to_server,established; content:"|FF|SMBr|00 00 00|"; isdataat:6,relative; content:!"|00 00|"; within:2; distance:4; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:attempted-dos; 15930 NETBIOS Microsoft Windows SMB malformed process ID high field remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-050.mspx 24796 attempted-dos 2007-3028 tcp $EXTERNAL_NET any -> $HOME_NET [389,3268] flow:to_server,established; content:"|04 00 0A 01 00 0A 01 03 02 01|d|02 01|<|01 01 00 A1 0B FF|bjectclass0|84 00 00 00 17 04 15|supportedCapabilities"; metadata:policy balanced-ips drop, policy security-ips drop, service ldap; classtype:attempted-dos; 15944 SPECIFIC-THREATS Microsoft Windows Active Directory crafted LDAP request denial of service attempt 25287 attempted-user 2007-3033 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,rss.download; content:"&lt|3B|"; fast_pattern; nocase; content:"<title>"; nocase; pcre:"/\x3ctitle\x3e[^\x3c]*\x26lt\x3b[^\x3c]*(>|\x26gt\x3b)/i"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15946 WEB-CLIENT Microsoft Windows Vista Feed Headlines Gagdet code execution attempt attempted-dos 2005-1665 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|15959, service http, policy balanced-ips drop, policy security-ips drop; 15959 DOS Microsoft ASP.NET viewstate DoS attempt osvdb.org/show/osvdb/16195 10213 attempted-user 2004-0214 tcp $EXTERNAL_NET [139,445] -> $HOME_NET any flow:to_client,established; content:"|00 00 00 00 F5 01 00 00 00 00 00 00 F5 01 00 00|A|00|A|00|A|00|A|00|A|00|"; metadata:policy security-ips drop, service netbios-ssn; classtype:attempted-user; 15965 SPECIFIC-THREATS Microsoft Explorer long share name buffer overflow attempt 11342 attempted-user 2004-0847 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"GET /fsc/secured|5C|fsc.aspx HTTP/1.1"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15985 SPECIFIC-THREATS Microsoft ASP.NET canonicalization exploit attempt 10113 attempted-admin 2004-0119 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"Authorization|3A| Negotiate YIIAEwYGKwYBBQUCoAkwB6EFIwMDAQc=|0D 0A|"; http_header; metadata:policy security-ips drop, service http; classtype:attempted-admin; 15996 SPECIFIC-THREATS Microsoft Negotiate SSP buffer overflow attempt 18920 attempted-recon 2006-1300 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"app|5F|code"; nocase; http_uri; pcre:"/^\w+\s+[^\s]*app\x5fcode(\x255c|\x5c)/i"; metadata:policy security-ips drop, service http; classtype:attempted-recon; 16048 WEB-CLIENT Microsoft ASP.NET application folder info disclosure attempt 22702 attempted-user 2007-1754 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.pub; content:"|01 00 00 00 FF FF FF 7F 01 00 00 80 01 00 00 00 10 0E FE 7F 01 00 00 00 58 00 7C 96 18 CB 7C 96|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 16051 SPECIFIC-THREATS Microsoft Publisher 2007 conversion library code execution attempt 27579 attempted-user 2008-0625 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"buf = buf + unescape|28 22|%u"; nocase; content:"5F810AFC-BB5F-4416-BE63-E01DD117BD6C"; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 16068 SPECIFIC-THREATS Yahoo Music Jukebox ActiveX exploit 16194 attempted-user 2006-0010 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"SPP_P|1D CD|P|3B D5 AF AF AF AF 19|6|A5|U4cz{|B1 04 1D E7 EF|jiI|8A|T|D1|s|FD 0C F7|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-user; 16089 SPECIFIC-THREATS Microsoft Windows embedded web font handling buffer overflow attempt 20915 attempted-user 2006-5745 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"var xmlhttp=new ActiveXObject|28 22|Msxml2.XMLHTTP.4.0|22 29|"; content:"try{ xmlhttp.open|28 22 5C|0t|22|, |22|test.html|22 29 3B| } catch|28|e|29| {}|3B|"; distance:0; metadata:policy security-ips drop, service http; classtype:attempted-user; 16090 SPECIFIC-THREATS Microsoft Core XML core services XMLHTTP control open method code execution attempt misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"0&|B2|u"; within:4; flowbits:set,http.asf; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:misc-activity; 16143 WEB-CLIENT Microsoft asf file download attempted-dos 2009-2524 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|16167, policy balanced-ips drop, policy security-ips drop; 16167 DOS Microsoft LSASS integer wrap denial of service attempt www.microsoft.com/technet/security/Bulletin/MS09-059.mspx attempted-admin 2009-2526 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|16168, policy balanced-ips drop, policy security-ips drop; 16168 DOS Microsoft SMBv2 integer overflow denial of service attempt www.microsoft.com/technet/security/Bulletin/MS09-050.mspx attempted-user 2009-2497 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,exe.download; metadata: engine shared, soid 3|16179, service http, policy balanced-ips drop, policy security-ips drop; 16179 EXPLOIT Microsoft .NET MSIL CLR interface multiple instantiation attempt www.microsoft.com/technet/security/bulletin/MS09-061.mspx attempted-user 2009-0090 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,exe.download; metadata: engine shared, soid 3|16182, service http, policy balanced-ips drop, policy security-ips drop; 16182 EXPLOIT Microsoft .NET MSIL stack corruption attempt www.microsoft.com/technet/security/bulletin/MS09-061.mspx attempted-user 2009-0091 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,exe.download; metadata: engine shared, soid 3|16183, service http, policy balanced-ips drop, policy security-ips drop; 16183 WEB-CLIENT Microsoft .NET MSIL CombineImpl suspicious usage www.microsoft.com/technet/security/bulletin/MS09-061.mspx attempted-user 2009-2502 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16184, service http, policy balanced-ips drop, policy security-ips drop; 16184 EXPLOIT Microsoft GDI+ TIFF file parsing heap overflow attempt www.microsoft.com/technet/security/bulletin/MS09-062.mspx attempted-user 2009-2503 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16185, service http, policy balanced-ips drop, policy security-ips drop; 16185 EXPLOIT Microsoft GDI+ compressed TIFF file parsing remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-062.mspx attempted-user 2009-3126 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16186, service http, policy balanced-ips drop, policy security-ips drop; 16186 WEB-CLIENT Microsoft GDI+ interlaced PNG file parsing heap overflow attempt www.microsoft.com/technet/security/bulletin/MS09-062.mspx attempted-user 2006-0022 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,ppt.download; metadata: engine shared, soid 3|16188, service http, policy balanced-ips drop, policy security-ips drop; 16188 WEB-CLIENT Microsoft Powerpoint bad text header txttype attempt www.microsoft.com/technet/security/bulletin/MS06-028.mspx attempted-dos 2009-1928 tcp $EXTERNAL_NET any -> $HOME_NET 389 gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|16237, service ldap, policy security-ips drop; 16237 DOS Microsoft Active Directory NTDSA stack space exhaustion attempt www.microsoft.com/technet/security/bulletin/MS09-066.mspx attempted-admin 2009-2523 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|16238, service netbios-ssn, policy balanced-ips drop, policy security-ips drop; 16238 NETBIOS DCERPC NCACN-IP-TCP llsrpc2 LlsrLicenseRequestW overflow attempt www.microsoft.com/technet/security/bulletin/MS09-064.mspx attempted-admin 2009-2523 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|16239, service netbios-dgm, policy balanced-ips drop, policy security-ips drop; 16239 NETBIOS DCERPC NCADG-IP-UDP llsrpc2 LlsrLicenseRequestW overflow attempt www.microsoft.com/technet/security/bulletin/MS09-064.mspx 35419 attempted-admin 2009-2727 tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 00|"; depth:32; offset:16; isdataat:256,relative; metadata:policy security-ips drop, service sunrpc; classtype:attempted-admin; 16285 RPC AIX ttdbserv function 15 buffer overflow attempt www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4699&myns=paix52&mync=E 37092 attempted-user 2009-3033 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B44D252D-98FC-4D5C-948C-BE868392A004"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B44D252D-98FC-4D5C-948C-BE868392A004\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(BrowseAndSaveFile|RunCMD)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B44D252D-98FC-4D5C-948C-BE868392A004\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(BrowseAndSaveFile|RunCMD))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16305 WEB-ACTIVEX Symantec Altiris Deployment Solution ActiveX clsid access 37092 attempted-user 2009-3033 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|4|00|4|00|D|00|2|00|5|00|2|00|D|00|-|00|9|00|8|00|F|00|C|00|-|00|4|00|D|00|5|00|C|00|-|00|9|00|4|00|8|00|C|00|-|00|B|00|E|00|8|00|6|00|8|00|3|00|9|00|2|00|A|00|0|00|0|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x004\x004\x00D\x002\x005\x002\x00D\x00-\x009\x008\x00F\x00C\x00-\x004\x00D\x005\x00C\x00-\x009\x004\x008\x00C\x00-\x00B\x00E\x008\x006\x008\x003\x009\x002\x00A\x000\x000\x004\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16306 WEB-ACTIVEX Symantec Altiris Deployment Solution ActiveX clsid unicode access 37092 attempted-user 2009-3033 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Altiris.AeXNSConsoleUtilities"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22Altiris\.AeXNSConsoleUtilities(\.\d)?\x22|\x27Altiris\.AeXNSConsoleUtilities(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(BrowseAndSaveFile|RunCMD)\s*|.*(?P=v)\s*\.\s*(BrowseAndSaveFile|RunCMD)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Altiris\.AeXNSConsoleUtilities(\.\d)?\x22|\x27Altiris\.AeXNSConsoleUtilities(\.\d)?\x27)\s*\)(\s*\.\s*(BrowseAndSaveFile|RunCMD)\s*|.*(?P=n)\s*\.\s*(BrowseAndSaveFile|RunCMD)\s*)\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16307 WEB-ACTIVEX Symantec Altiris Deployment Solution ActiveX function call access 37092 attempted-user 2009-3033 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|l|00|t|00|i|00|r|00|i|00|s|00|.|00|A|00|e|00|X|00|N|00|S|00|C|00|o|00|n|00|s|00|o|00|l|00|e|00|U|00|t|00|i|00|l|00|i|00|t|00|i|00|e|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)A\x00l\x00t\x00i\x00r\x00i\x00s\x00.\x00A\x00e\x00X\x00N\x00S\x00C\x00o\x00n\x00s\x00o\x00l\x00e\x00U\x00t\x00i\x00l\x00i\x00t\x00i\x00e\x00s\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)A\x00l\x00t\x00i\x00r\x00i\x00s\x00.\x00A\x00e\x00X\x00N\x00S\x00C\x00o\x00n\x00s\x00o\x00l\x00e\x00U\x00t\x00i\x00l\x00i\x00t\x00i\x00e\x00s\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16308 WEB-ACTIVEX Symantec Altiris Deployment Solution ActiveX function call unicode access attempted-user 2009-2503 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16327, service http, policy balanced-ips drop, policy security-ips drop; 16327 EXPLOIT Microsoft Windows GDIplus TIFF RLE compressed data buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS09-062.mspx attempted-user 2009-3677 udp $EXTERNAL_NET any -> $HOME_NET 1812 gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16329, service radius, policy security-ips drop; 16329 EXPLOIT Microsoft Internet Authentication Service EAP-MSCHAPv2 authentication bypass attempt www.microsoft.com/technet/security/bulletin/MS09-071.mspx 7517 attempted-user 2003-0228 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"execCommand|28 22|copy|22 29 3B|"; nocase; content:"2D360201-FFF5-11d1-8D03-00A0C959BC0A"; distance:0; metadata:policy security-ips drop; classtype:attempted-user; 16340 SPECIFIC-THREATS DHTML Editing ActiveX clsid access 11595 www.microsoft.com/technet/security/bulletin/MS03-017.mspx 35970 attempted-user 2009-1546 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16342, service http, policy balanced-ips drop, policy security-ips drop; 16342 WEB-CLIENT Microsoft Windows AVIFile truncated media file processing memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-038.mspx attempted-admin 2010-0018 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|16366, service http, policy security-ips drop; 16366 EXPLOIT Microsoft embedded OpenType font engine LZX decompression buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS10-001.mspx 35256 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"77F12F8A-F117-11D0-8CF1-00A0C91D9D87"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*77F12F8A-F117-11D0-8CF1-00A0C91D9D87\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Accept)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*77F12F8A-F117-11D0-8CF1-00A0C91D9D87\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Accept))/siO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 16379 WEB-ACTIVEX SAP AG SAPgui sapirrfc ActiveX clsid access service.sap.com/sap/support/notes/1286637 35256 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|7|00|F|00|1|00|2|00|F|00|8|00|A|00|-|00|F|00|1|00|1|00|7|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|C|00|F|00|1|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|D|00|9|00|D|00|8|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x007\x00F\x001\x002\x00F\x008\x00A\x00-\x00F\x001\x001\x007\x00-\x001\x001\x00D\x000\x00-\x008\x00C\x00F\x001\x00-\x000\x000\x00A\x000\x00C\x009\x001\x00D\x009\x00D\x008\x007\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 16380 WEB-ACTIVEX SAP AG SAPgui sapirrfc ActiveX clsid unicode access service.sap.com/sap/support/notes/1286637 attempted-admin 2010-0020 tcp $EXTERNAL_NET any -> $HOME_NET 445 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|16395, policy balanced-ips drop, policy security-ips drop; 16395 NETBIOS SMB COPY command oversized pathname attempt www.microsoft.com/technet/security/bulletin/MS10-012.mspx attempted-dos 2010-0021 tcp $EXTERNAL_NET any -> $HOME_NET 445 gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|16396, service netbios-ssn, policy balanced-ips drop, policy security-ips drop; 16396 NETBIOS SMB server srvnet.sys driver race condition attempt www.microsoft.com/technet/security/bulletin/MS10-012.mspx attempted-user 2010-0029 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16409, service http, policy balanced-ips alert, policy security-ips alert; 16409 WEB-CLIENT Microsoft PowerPoint improper filename remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-004.mspx attempted-user 2010-0030 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.ppt; metadata: engine shared, soid 3|16410, service http, policy balanced-ips drop, policy security-ips drop; 16410 WEB-CLIENT Microsoft PowerPoint file LinkedSlide10Atom record parsing heap corruption attempt www.microsoft.com/technet/security/bulletin/MS10-004.mspx attempted-user 2010-0031 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.ppt; metadata: engine shared, soid 3|16411, service http, policy balanced-ips drop, policy security-ips drop; 16411 WEB-CLIENT Microsoft PowerPoint out of bounds value remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-004.mspx attempted-user 2010-0033 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.ppt; metadata: engine shared, soid 3|16412, service http, policy balanced-ips drop, policy security-ips drop; 16412 WEB-CLIENT Microsoft PowerPoint invalid TextByteAtom remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-004.mspx attempted-user 2010-0250 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16415, service http, policy balanced-ips drop, policy security-ips drop; 16415 WEB-CLIENT Microsoft DirectShow memory corruption attempt www.microsoft.com/technet/security/bulletin/MS10-013.mspx attempted-admin 2010-0016 tcp $EXTERNAL_NET 445 -> $HOME_NET any gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|16417, service netbios-ssn, policy balanced-ips drop, policy security-ips drop; 16417 NETBIOS SMB Negotiate Protocol Response overflow attempt www.microsoft.com/technet/security/bulletin/MS10-006.mspx attempted-user 2010-0252 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16419, service http, policy security-ips drop; 16419 WEB-ACTIVEX Microsoft Data Analyzer 3.5 ActiveX clsid access www.microsoft.com/technet/security/Bulletin/MS10-008.mspx attempted-user 2010-0032 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.ppt; metadata: engine shared, soid 3|16421, service http, policy security-ips drop; 16421 EXPLOIT Microsoft PowerPoint out of bounds value remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-004.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"72C24DD5-D70A-438B-8A42-98424B88AFB8"; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 16424 WEB-ACTIVEX Windows Script Host Shell Object ActiveX clsid access www.exploit-db.com/exploits/11457 30407 attempted-user 2008-3364 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5EFE8CB1-D095-11D1-88FC-0080C859833B"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5EFE8CB1-D095-11D1-88FC-0080C859833B\s*}?\s*(?P=q1)(\s|>)/siO"; content:"<PARAM"; nocase; content:"VALUE"; distance:0; nocase; pcre:"/<PARAM[^>]+VALUE\s*=\s*(?P<q2>\x22|\x27|)[^>]{200}(?P=q2)/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16432 WEB-ACTIVEX Trend Micro Web Deployment ActiveX clsid access attempted-user 2010-0265 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.mswmm; flowbits:isset,http.msproducer; flowbits:isset,http.oless.v3; flowbits:isset,http.oless.v4; metadata: engine shared, soid 3|16472, service http, policy balanced-ips drop, policy security-ips drop; 16472 WEB-CLIENT Microsoft Windows Movie Maker project file heap buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS10-016.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".mswmm"; nocase; http_uri; flowbits:set,http.mswmm; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:misc-activity; 16473 WEB-CLIENT Microsoft Windows Movie Maker project file download request misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|"; within:4; distance:16; flowbits:set,http.oless.v3; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:misc-activity; 16474 WEB-CLIENT Microsoft Compound File Binary v3 file download misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 04 00|"; within:4; distance:16; flowbits:set,http.oless.v4; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:misc-activity; 16475 WEB-CLIENT Microsoft Compound File Binary v4 file download misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".MSProducer"; nocase; http_uri; flowbits:set,http.msproducer; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:misc-activity; 16476 WEB-CLIENT Microsoft .MSProducer file download request misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".MSProducerZ"; nocase; http_uri; flowbits:set,http.msproducer; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:misc-activity; 16477 WEB-CLIENT Microsoft .MSProducerZ file download request misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".MSProducerBF"; nocase; http_uri; flowbits:set,http.msproducer; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:misc-activity; 16478 WEB-CLIENT Microsoft .MSProducerBF file download request attempted-user 2010-0489 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16505, service http, policy balanced-ips drop, policy security-ips drop; 16505 EXPLOIT Microsoft IE HTML parsing memory corruption attempt www.microsoft.com/technet/security/bulletin/MS10-018.mspx attempted-user 2010-0805 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16510, service http, policy balanced-ips drop, policy security-ips drop; 16510 WEB-ACTIVEX Microsoft Tabular Control ActiveX overflow by CLSID www.microsoft.com/technet/security/bulletin/MS10-018.mspx attempted-user 2010-0805 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16511, service http, policy balanced-ips drop, policy security-ips drop; 16511 WEB-ACTIVEX Microsoft Tabular Control ActiveX overflow by ProgID www.microsoft.com/technet/security/bulletin/MS10-018.mspx attempted-admin 2010-0476 tcp $EXTERNAL_NET 445 -> $HOME_NET any gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|16532, service netbios-ssn, policy security-ips drop; 16532 NETBIOS SMB client TRANS response ring0 remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-020.mspx attempted-user 2010-0254 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,visio.request; metadata: engine shared, soid 3|16535, service http, policy balanced-ips drop, policy security-ips drop; 16535 EXPLOIT Microsoft Viso improper attribute code execution attempt www.microsoft.com/technet/security/bulletin/MS10-028.mspx attempted-user 2010-0256 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,visio.request; metadata: engine shared, soid 3|16536, service http, policy balanced-ips drop, policy security-ips drop; 16536 EXPLOIT Microsoft Viso off-by-one in array index code execution attempt www.microsoft.com/technet/security/bulletin/MS10-028.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET 445 flow:to_server,established; content:"|FF|SMB|A0|"; depth:5; offset:4; isdataat:66,relative; content:"|06 00|"; within:2; distance:64; flowbits:set,smb.query_sec_desc; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:misc-activity; 16538 NETBIOS NT QUERY SECURITY DESC flowbit attempted-admin 2010-0269 tcp $EXTERNAL_NET 445 -> $HOME_NET any gid:3; classtype:attempted-admin; flowbits:isset,smb.query_sec_desc; flowbits:unset,smb.query_sec_desc; metadata: engine shared, soid 3|16539, service netbios-ssn, policy balanced-ips drop, policy security-ips drop; 16539 NETBIOS SMBv1 BytesNeeded ring0 buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS10-020.mspx attempted-user 2010-0479 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:set,http.pub; flowbits:noalert; metadata: engine shared, soid 3|16542, service http, policy security-ips drop; 16542 EXPLOIT Microsoft Publisher 2007 and earlier stack buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS10-023.mspx attempted-user 2010-0805 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16559, service http, policy balanced-ips drop, policy security-ips drop; 16559 WEB-ACTIVEX Microsoft Tabular Control ActiveX overflow by CLSID / param tag www.microsoft.com/technet/security/bulletin/MS10-018.mspx attempted-user 2010-0817 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16560, service http, policy balanced-ips drop, policy security-ips drop; 16560 WEB-MISC Microsoft Sharepoint XSS attempt www.microsoft.com/technet/security/bulletin/MS10-039.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"38681fbd-d4cc-4a59-a527-b3136db711d3"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*38681fbd-d4cc-4a59-a527-b3136db711d3\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(TransferFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*38681fbd-d4cc-4a59-a527-b3136db711d3\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(TransferFile))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16566 WEB-ACTIVEX Tumbleweed SecureTransport ActiveX clsid access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|8|00|6|00|8|00|1|00|f|00|b|00|d|00|-|00|d|00|4|00|c|00|c|00|-|00|4|00|a|00|5|00|9|00|-|00|a|00|5|00|2|00|7|00|-|00|b|00|3|00|1|00|3|00|6|00|d|00|b|00|7|00|1|00|1|00|d|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x008\x006\x008\x001\x00f\x00b\x00d\x00-\x00d\x004\x00c\x00c\x00-\x004\x00a\x005\x009\x00-\x00a\x005\x002\x007\x00-\x00b\x003\x001\x003\x006\x00d\x00b\x007\x001\x001\x00d\x003\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16567 WEB-ACTIVEX Tumbleweed SecureTransport ActiveX clsid unicode access 25903 attempted-user 2007-5217 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DEF37997-D9C9-4A4B-BF3C-88F99EACEEC2"; fast_pattern:only; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 16568 WEB-ACTIVEX Altnet Download Manager ADM4 ActiveX clsid access 24772 attempted-user 2007-3605 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2137278D-EF5C-11D3-96CE-0004AC965257"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2137278D-EF5C-11D3-96CE-0004AC965257\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(PrepareToPostHTML)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2137278D-EF5C-11D3-96CE-0004AC965257\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(PrepareToPostHTML))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16569 WEB-ACTIVEX EnjoySAP kweditcontrol ActiveX clsid access 24772 attempted-user 2007-3605 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|1|00|3|00|7|00|2|00|7|00|8|00|D|00|-|00|E|00|F|00|5|00|C|00|-|00|1|00|1|00|D|00|3|00|-|00|9|00|6|00|C|00|E|00|-|00|0|00|0|00|0|00|4|00|A|00|C|00|9|00|6|00|5|00|2|00|5|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x001\x003\x007\x002\x007\x008\x00D\x00-\x00E\x00F\x005\x00C\x00-\x001\x001\x00D\x003\x00-\x009\x006\x00C\x00E\x00-\x000\x000\x000\x004\x00A\x00C\x009\x006\x005\x002\x005\x007\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16570 WEB-ACTIVEX EnjoySAP kweditcontrol ActiveX clsid unicode access 24772 attempted-user 2007-3605 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"kweditcontrol.kwedit"; fast_pattern:only; nocase; content:"PrepareToPostHTML"; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22kweditcontrol\.kwedit(\.\d)?\x22|\x27kweditcontrol\.kwedit(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22kweditcontrol\.kwedit(\.\d)?\x22|\x27kweditcontrol\.kwedit(\.\d)?\x27)\s*\)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16571 WEB-ACTIVEX EnjoySAP kweditcontrol ActiveX function call access 24772 attempted-user 2007-3605 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"k|00|w|00|e|00|d|00|i|00|t|00|c|00|o|00|n|00|t|00|r|00|o|00|l|00|.|00|k|00|w|00|e|00|d|00|i|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)k\x00w\x00e\x00d\x00i\x00t\x00c\x00o\x00n\x00t\x00r\x00o\x00l\x00.\x00k\x00w\x00e\x00d\x00i\x00t\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)k\x00w\x00e\x00d\x00i\x00t\x00c\x00o\x00n\x00t\x00r\x00o\x00l\x00.\x00k\x00w\x00e\x00d\x00i\x00t\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16572 WEB-ACTIVEX EnjoySAP kweditcontrol ActiveX function call unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ActiveXObject|28|"; nocase; content:"unescape|28|"; nocase; pcre:"/new\s*ActiveXObject\(\s*unescape\(/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16573 WEB-ACTIVEX obfuscated ActiveX object instantiation via unescape msdn.microsoft.com/en-us/library/7sw4ddf8(VS.85).aspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ActiveXObject|28|"; nocase; content:"String.fromCharCode|28|"; fast_pattern; nocase; pcre:"/new\s*ActiveXObject\(\s*String.fromCharCode\(/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16574 WEB-ACTIVEX obfuscated ActiveX object instantiation via fromCharCode msdn.microsoft.com/en-us/library/7sw4ddf8(VS.85).aspx 24596 attempted-user 2007-3435 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"classid='clsid|3A|C26D9CA8-6747-11D5-AD4B-C01857C10000'"; content:"String"; distance:0; content:"unescape"; distance:0; metadata:policy security-ips drop, service http; classtype:attempted-user; 16575 SPECIFIC-THREATS RKD Software BarCode ActiveX buffer overflow attempt attempted-dos 2010-2552 tcp $EXTERNAL_NET any -> $HOME_NET 445 gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|16577, service netbios-ssn, policy security-ips drop; 16577 NETBIOS Microsoft Windows SMBv2 compound request DoS attempt www.microsoft.com/technet/security/bulletin/MS10-054.mspx 33469 attempted-user 2007-0018 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"<object classid='clsid|3A|77829F14-D911-40FF-A2F0-D11DB8D6D0BC'"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-user; 16580 SPECIFIC-THREATS NCTAudioFile2 ActiveX clsid access via object tag 31604 attempted-user 2008-4384 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ActiveXObject|28|'LPViewer.LPViewer.1'|29|"; content:"unescape"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16588 SPECIFIC-THREATS iseemedia LPViewer ActiveX exploit attempt 31604 attempted-user 2008-4384 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"url"; content:"toolbar"; distance:0; content:"enableZoomPastMax"; distance:0; content:"classid=|22|clsid|3A|{3F0EECCE-E138-11D1-8712-0060083D83F5}"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16589 SPECIFIC-THREATS iseemedia LPViewer ActiveX buffer overflows attempt 25467 attempted-user 2007-4607 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"|23| CLSID|3A|68AC0D5F-0424-11D5-822F-00C04F6BA8D9"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16590 SPECIFIC-THREATS EasyMail Objects ActiveX exploit attempt - 1 25467 attempted-user 2007-4607 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"classid='clsid|3A|68AC0D5F-0424-11D5-822F-00C04F6BA8D9'"; content:"unescape|28 22|%"; distance:0; metadata:policy security-ips drop, service http; classtype:attempted-user; 16591 SPECIFIC-THREATS EasyMail Objects ActiveX exploit attempt - 2 attempted-user 2010-0815 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.ppt; metadata: engine shared, soid 3|16593, service http, policy balanced-ips drop, policy security-ips drop; 16593 WEB-CLIENT Microsoft VBE6.dll stack corruption attempt www.microsoft.com/technet/security/bulletin/MS10-031.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:".CompleteInstallation|28|"; content:"String.fromCharCode"; within:100; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16599 SPECIFIC-THREATS AtHocGov IWSAlerts ActiveX control buffer overflow attempt www.fortiguard.com/encyclopedia/vulnerability/athocgov.iwsalerts.activex.buffer.overflow.html 23239 attempted-user 2007-1819 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"classid=|27|clsid|3A|98C53984-8BF8-4D11-9B1C-C324FCA9CADE|27|"; fast_pattern:only; content:"unescape"; distance:0; metadata:policy security-ips drop, service http; classtype:attempted-user; 16608 SPECIFIC-THREATS HP Mercury Quality Center SPIDERLib ActiveX buffer overflow attempt h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00901872 34228 attempted-user 2009-0215 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:".GetXMLValue"; fast_pattern; content:"String.fromCharCode"; pcre:"/String\x2EfromCharCode\s*\x28(?=[^\x29]*?0x\d+)[^\x29]*?\d{2}/"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16610 SPECIFIC-THREATS IBM Access Support ActiveX GetXMLValue method buffer overflow attempt 40725 attempted-user 2010-1885 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"hcp|3A 2F 2F|"; nocase; content:"script"; distance:0; nocase; content:"defer"; distance:0; nocase; pcre:"/hcp\x3a\x2f\x2f[^\n]*(\x3c|\x253c)script(\s|\x2520|\x2f)+defer/iO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16665 WEB-CLIENT Microsoft Windows Help Centre escape sequence XSS attempt www.microsoft.com/technet/security/bulletin/MS10-042.mspx 26904 attempted-user 2007-6016 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"clsid|3A|22ACD16F-99EB-11D2-9BB3-00400561D975"; fast_pattern:only; nocase; content:"unescape|28|"; content:"|25|u"; within:5; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16672 SPECIFIC-THREATS Symantec Backup Exec ActiveX control buffer overflow attempt 28268 attempted-user 2008-1472 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"classid|3D 22|clsid|3A|BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3|22|"; content:"unescape|28 22 25|u"; distance:0; metadata:policy security-ips drop, service http; classtype:attempted-user; 16675 SPECIFIC-THREATS CA BrightStor ListCtrl ActiveX exploit attempt 34250 misc-activity 2009-1217 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|01 00 00 00|"; content:"|20|EMF"; within:4; distance:36; content:"|45 4D 46 2B 08 40|"; pcre:"/\x45\x4d\x46\x2b\x08\x40.(\x06|\x86).{28}([\xf4-\xff]\xff\xff(\xff|\x7f)|[\x00-\x06]\x00\x00\x80)/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-activity; 16679 WEB-MISC Microsoft Windows GDIplus integer overflow attempt 17712 attempted-user 2006-2086 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"E5F5D008-DD2C-4D32-977D-1A0ADF03058B"; nocase; content:"ProductName"; nocase; pcre:"/\<param\s*[^\>]*?name\s*=\s*(?P<q>\x22|\x27|)?ProductName(?P=q)[^\>]+?value\s*=\s*(\x22[^\x22]{500}|\x27[^\x27]{500}|[^\s\>]{500})/i"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16687 WEB-ACTIVEX Juniper Networks SSL-VPN Client JuniperSetup ActiveX control buffer overflow attempt 34205 misc-attack 2009-1072 udp $EXTERNAL_NET any -> $HOME_NET 2049 flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 02 00 00 00 09|"; depth:28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,32,relative,big; content:"|00 00|"; within:2; distance:1; byte_test:1,&,0x20,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:misc-attack; 16699 RPC Linux Kernel nfsd v2 udp CAP_MKNOD security bypass attempt 34205 misc-attack 2009-1072 tcp $EXTERNAL_NET any -> $HOME_NET 2049 flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 02 00 00 00 09|"; depth:28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,32,relative,big; content:"|00 00|"; within:2; distance:1; byte_test:1,&,0x20,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:misc-attack; 16700 RPC Linux Kernel nfsd v2 tcp CAP_MKNOD security bypass attempt 34205 misc-attack 2009-1072 udp $EXTERNAL_NET any -> $HOME_NET 2049 flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 03 00 00 00 0B|"; depth:28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,0,relative,big; byte_jump:4,0,relative,big; pcre:"/^.\x00{3}(\x03|\x04)/sR"; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:misc-attack; 16701 RPC Linux Kernel nfsd v3 udp CAP_MKNOD security bypass attempt 34205 misc-attack 2009-1072 tcp $EXTERNAL_NET any -> $HOME_NET 2049 flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 03 00 00 00 0B|"; depth:28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,0,relative,big; byte_jump:4,0,relative,big; pcre:"/^.\x00{3}(\x03|\x04)/sR"; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:misc-attack; 16702 RPC Linux Kernel nfsd v3 tcp CAP_MKNOD security bypass attempt 37133 attempted-user 2009-4225 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|5E644C49-F8B0-4E9A-A2ED-5F176BB18CE6|27 3E 3C 2F|object|3E|"; content:"unescape|28 27 25|u"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16704 SPECIFIC-THREATS CA eTrust PestPatrol 'ppctl.dll' ActiveX Initialize method overflow attempt 35083 attempted-admin 2008-3869 udp $EXTERNAL_NET any -> $HOME_NET [1024:] flow:to_server; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 87 88|"; within:4; distance:4; fast_pattern; byte_jump:4,12,relative,big,align; byte_jump:4,4,relative,big,align; byte_jump:4,108,relative,big,align; byte_jump:4,0,relative,big,align; byte_jump:4,0,relative,big,align; content:"|00 00 00 00 00 00 00 00|"; distance:0; byte_test:4,!=,0,0,relative; byte_jump:4,0,relative,big,align; content:"|00 00 00 11|"; within:4; byte_jump:4,0,relative,big,align; isdataat:7; content:!"|00 00 00 00 00 00 00 00|"; within:8; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; classtype:attempted-admin; 16705 RPC Sun Solaris sadmind UDP array size buffer overflow attempt 35083 attempted-admin 2008-3869 tcp $EXTERNAL_NET any -> $HOME_NET [1024:] flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 87 88|"; within:4; distance:4; fast_pattern; byte_jump:4,12,relative,big,align; byte_jump:4,4,relative,big,align; byte_jump:4,108,relative,big,align; byte_jump:4,0,relative,big,align; byte_jump:4,0,relative,big,align; content:"|00 00 00 00 00 00 00 00|"; distance:0; byte_test:4,!=,0,0,relative; byte_jump:4,0,relative,big,align; content:"|00 00 00 11|"; within:4; byte_jump:4,0,relative,big,align; isdataat:7; content:!"|00 00 00 00 00 00 00 00|"; within:8; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; classtype:attempted-admin; 16706 RPC Sun Solaris sadmind TCP array size buffer overflow attempt 24328 attempted-user 2007-2919 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"classid|3D 27|clsid|3A|BA83FD38-CE14-4DA3-BEF5-96050D55F78A|27|"; fast_pattern:only; nocase; content:"unescape|28 27 25|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16711 SPECIFIC-THREATS E-Book Systems FlipViewer FlipViewerX.dll ActiveX multiple buffer overflow attempt 30826 attempted-user 2007-1682 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"ActiveXObject|28 27|SoftArtisans|2E|FileManager|2E|1|27 29 3B|"; content:"unescape|28 27 25|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16714 SPECIFIC-THREATS SoftArtisans XFile FileManager ActiveX Control buffer overflow attempt support.softartisans.com/Support-114.aspx 33053 attempted-user 2008-6898 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"clsid|3A|0297D24A-F425-47EE-9F3B-A459BCE593E3"; nocase; content:"unescape|28|"; within:300; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16715 SPECIFIC-THREATS SaschArt SasCam Webcam Server ActiveX control exploit attempt 40884 attempted-admin 2010-2063 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|16728, service netbios-ssn, policy security-ips drop; 16728 NETBIOS Samba SMB1 chain_reply function memory corruption attempt attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"ActiveXObject|28 27|Enginecom.imagineLANEngine.1|27 29 3B|"; content:"unescape|28 27 25|u"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16729 SPECIFIC-THREATS McAfee Remediation client ActiveX control buffer overflow attempt www.fortiguard.com/encyclopedia/vulnerability/mcafee.remediation.client.enginecom.dll.activex.access.html 28820 attempted-user 2008-1898 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; fast_pattern:only; nocase; file_data; content:"WksPictureInterface"; pcre:"/var num \x3D (-1|168430090)\x3B/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16740 SPECIFIC-THREATS Microsoft Works WkImgSrv.dll ActiveX control code execution attempt 28820 attempted-user 2008-1898 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6|27 3E 3C 2F|object|3E|"; content:"unescape|28 27 25|u"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16741 SPECIFIC-THREATS Microsoft Works WkImgSrv.dll ActiveX control exploit attempt 31987 attempted-user 2008-4922 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"clsid:4A46B8CD-F7BD-11D4-B1D8-000102290E7C"; fast_pattern:only; nocase; content:"unescape|28|"; nocase; content:"%u"; within:5; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16745 SPECIFIC-THREATS DjVu ActiveX control ImageURL property overflow attempt 34228 attempted-user 2009-0215 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"74FFE28D-2378-11D5-990C-006094235084"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*74FFE28D-2378-11D5-990C-006094235084\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetXMLValue)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*74FFE28D-2378-11D5-990C-006094235084\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetXMLValue))/siO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16746 WEB-ACTIVEX IBM Access Support ActiveX clsid access 34228 attempted-user 2009-0215 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|4|00|F|00|F|00|E|00|2|00|8|00|D|00|-|00|2|00|3|00|7|00|8|00|-|00|1|00|1|00|D|00|5|00|-|00|9|00|9|00|0|00|C|00|-|00|0|00|0|00|6|00|0|00|9|00|4|00|2|00|3|00|5|00|0|00|8|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x004\x00F\x00F\x00E\x002\x008\x00D\x00-\x002\x003\x007\x008\x00-\x001\x001\x00D\x005\x00-\x009\x009\x000\x00C\x00-\x000\x000\x006\x000\x009\x004\x002\x003\x005\x000\x008\x004\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16747 WEB-ACTIVEX IBM Access Support ActiveX clsid unicode access 34228 attempted-user 2009-0215 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"IbmEgath.IbmEgathCtl"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22IbmEgath\.IbmEgathCtl(\.\d)?\x22|\x27IbmEgath\.IbmEgathCtl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*GetXMLValue\s*|.*(?P=v)\s*\.\s*GetXMLValue\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22IbmEgath\.IbmEgathCtl(\.\d)?\x22|\x27IbmEgath\.IbmEgathCtl(\.\d)?\x27)\s*\)(\s*\.\s*GetXMLValue\s*|.*(?P=n)\s*\.\s*GetXMLValue\s*)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16748 WEB-ACTIVEX IBM Access Support ActiveX function call access 34228 attempted-user 2009-0215 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"I|00|b|00|m|00|E|00|g|00|a|00|t|00|h|00|.|00|I|00|b|00|m|00|E|00|g|00|a|00|t|00|h|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)I\x00b\x00m\x00E\x00g\x00a\x00t\x00h\x00.\x00I\x00b\x00m\x00E\x00g\x00a\x00t\x00h\x00C\x00t\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)I\x00b\x00m\x00E\x00g\x00a\x00t\x00h\x00.\x00I\x00b\x00m\x00E\x00g\x00a\x00t\x00h\x00C\x00t\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16749 WEB-ACTIVEX IBM Access Support ActiveX function call unicode access protocol-command-decode 2009-1394 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|PlughNTCommand|00|"; within:17; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:service netbios-ssn; classtype:protocol-command-decode; 16754 NETBIOS SMB /PlughNTCommand andx create tree attempt protocol-command-decode 2009-1394 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C|PlughNTCommand|00|"; within:17; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:service netbios-ssn; classtype:protocol-command-decode; 16755 NETBIOS SMB /PlughNTCommand create tree attempt protocol-command-decode 2009-1394 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|P|00|l|00|u|00|g|00|h|00|N|00|T|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00 00 00|"; within:33; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:service netbios-ssn; classtype:protocol-command-decode; 16756 NETBIOS SMB /PlughNTCommand unicode andx create tree attempt protocol-command-decode 2009-1394 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C 00|P|00|l|00|u|00|g|00|h|00|N|00|T|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00 00 00|"; within:33; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:service netbios-ssn; classtype:protocol-command-decode; 16757 NETBIOS SMB /PlughNTCommand unicode create tree attempt protocol-command-decode 2009-1394 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|PlughNTCommand|00|"; within:17; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:service netbios-dgm; classtype:protocol-command-decode; 16758 NETBIOS-DG SMB /PlughNTCommand andx create tree attempt protocol-command-decode 2009-1394 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C|PlughNTCommand|00|"; within:17; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:service netbios-dgm; classtype:protocol-command-decode; 16759 NETBIOS-DG SMB /PlughNTCommand create tree attempt protocol-command-decode 2009-1394 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|P|00|l|00|u|00|g|00|h|00|N|00|T|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00 00 00|"; within:33; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:service netbios-dgm; classtype:protocol-command-decode; 16760 NETBIOS-DG SMB /PlughNTCommand unicode andx create tree attempt protocol-command-decode 2009-1394 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C 00|P|00|l|00|u|00|g|00|h|00|N|00|T|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00 00 00|"; within:33; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:service netbios-dgm; classtype:protocol-command-decode; 16761 NETBIOS-DG SMB /PlughNTCommand unicode create tree attempt attempted-admin 2009-1394 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; flowbits:isset,smb.tree.create.timbuktu; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; pcre:"/^9\s(\S{101}|\S+\s(\S{349}|\S+\s\S{521}))/siR"; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 16762 NETBIOS SMB Timbuktu Pro overflow WriteAndX andx attempt attempted-admin 2009-1394 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; flowbits:isset,smb.tree.create.timbuktu; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; pcre:"/^9\s(\S{101}|\S+\s(\S{349}|\S+\s\S{521}))/siR"; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 16763 NETBIOS SMB Timbuktu Pro overflow WriteAndX attempt attempted-admin 2009-1394 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; flowbits:isset,smb.tree.create.timbuktu; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; pcre:"/^9\s(\S{101}|\S+\s(\S{349}|\S+\s\S{521}))/siR"; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 16764 NETBIOS SMB Timbuktu Pro overflow WriteAndX unicode andx attempt attempted-admin 2009-1394 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; flowbits:isset,smb.tree.create.timbuktu; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; pcre:"/^9\s(\S{101}|\S+\s(\S{349}|\S+\s\S{521}))/siR"; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 16765 NETBIOS SMB Timbuktu Pro overflow WriteAndX unicode attempt attempted-admin 2009-1394 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; flowbits:isset,smb.tree.create.timbuktu; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; pcre:"/^9\s(\S{101}|\S+\s(\S{349}|\S+\s\S{521}))/siR"; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 16766 NETBIOS SMB Timbuktu Pro overflow andx attempt attempted-user 2009-4850 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"17A54E7D-A9D4-11D8-9552-00E04CB09903"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*17A54E7D-A9D4-11D8-9552-00E04CB09903\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SceneURL)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*17A54E7D-A9D4-11D8-9552-00E04CB09903\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SceneURL))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16767 WEB-ACTIVEX AwingSoft Web3D Player ActiveX clsid access attempted-user 2009-4850 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|7|00|A|00|5|00|4|00|E|00|7|00|D|00|-|00|A|00|9|00|D|00|4|00|-|00|1|00|1|00|D|00|8|00|-|00|9|00|5|00|5|00|2|00|-|00|0|00|0|00|E|00|0|00|4|00|C|00|B|00|0|00|9|00|9|00|0|00|3|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x007\x00A\x005\x004\x00E\x007\x00D\x00-\x00A\x009\x00D\x004\x00-\x001\x001\x00D\x008\x00-\x009\x005\x005\x002\x00-\x000\x000\x00E\x000\x004\x00C\x00B\x000\x009\x009\x000\x003\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16768 WEB-ACTIVEX AwingSoft Web3D Player ActiveX clsid unicode access attempted-user 2009-4850 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"WindsPlayerIE.View"; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22WindsPlayerIE\.View(\.\d)?\x22|\x27WindsPlayerIE\.View(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SceneURL\s*|.*(?P=v)\s*\.\s*SceneURL\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WindsPlayerIE\.View(\.\d)?\x22|\x27WindsPlayerIE\.View(\.\d)?\x27)\s*\)(\s*\.\s*SceneURL\s*|.*(?P=n)\s*\.\s*SceneURL\s*)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16769 WEB-ACTIVEX AwingSoft Web3D Player ActiveX function call access attempted-user 2009-4850 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"W|00|i|00|n|00|d|00|s|00|P|00|l|00|a|00|y|00|e|00|r|00|I|00|E|00|.|00|V|00|i|00|e|00|w|00|"; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)W\x00i\x00n\x00d\x00s\x00P\x00l\x00a\x00y\x00e\x00r\x00I\x00E\x00.\x00V\x00i\x00e\x00w\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)W\x00i\x00n\x00d\x00s\x00P\x00l\x00a\x00y\x00e\x00r\x00I\x00E\x00.\x00V\x00i\x00e\x00w\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16770 WEB-ACTIVEX AwingSoft Web3D Player ActiveX function call unicode access attempted-user 2009-4588 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; file_data; content:"classid|3D 27|clsid|3A|17A54E7D-A9D4-11D8-9552-00E04CB09903|27|"; content:"unescape|28 27 25|u"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16771 SPECIFIC-THREATS AwingSoft Web3D Player WindsPlayerIE.View.1 ActiveX SceneURL method overflow attempt 36546 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B7ECFD41-BE62-11D2-B9A8-00104B138C8C"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B7ECFD41-BE62-11D2-B9A8-00104B138C8C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(JumpURL|JumpMappedID)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B7ECFD41-BE62-11D2-B9A8-00104B138C8C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(JumpURL|JumpMappedID))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16772 WEB-ACTIVEX EMC Captiva QuickScan Pro ActiveX clsid access 36546 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|7|00|E|00|C|00|F|00|D|00|4|00|1|00|-|00|B|00|E|00|6|00|2|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|9|00|A|00|8|00|-|00|0|00|0|00|1|00|0|00|4|00|B|00|1|00|3|00|8|00|C|00|8|00|C|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x007\x00E\x00C\x00F\x00D\x004\x001\x00-\x00B\x00E\x006\x002\x00-\x001\x001\x00D\x002\x00-\x00B\x009\x00A\x008\x00-\x000\x000\x001\x000\x004\x00B\x001\x003\x008\x00C\x008\x00C\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16773 WEB-ACTIVEX EMC Captiva QuickScan Pro ActiveX clsid unicode access 36546 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"KeyHelp.KeyCtrl"; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22KeyHelp\.KeyCtrl(\.\d)?\x22|\x27KeyHelp\.KeyCtrl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(JumpURL|JumpMappedID)\s*|.*(?P=v)\s*\.\s*(JumpURL|JumpMappedID)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22KeyHelp\.KeyCtrl(\.\d)?\x22|\x27KeyHelp\.KeyCtrl(\.\d)?\x27)\s*\)(\s*\.\s*(JumpURL|JumpMappedID)\s*|.*(?P=n)\s*\.\s*(JumpURL|JumpMappedID)\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16774 WEB-ACTIVEX EMC Captiva QuickScan Pro ActiveX function call access 36546 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"K|00|e|00|y|00|H|00|e|00|l|00|p|00|.|00|K|00|e|00|y|00|C|00|t|00|r|00|l|00|"; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)K\x00e\x00y\x00H\x00e\x00l\x00p\x00.\x00K\x00e\x00y\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)K\x00e\x00y\x00H\x00e\x00l\x00p\x00.\x00K\x00e\x00y\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16775 WEB-ACTIVEX EMC Captiva QuickScan Pro ActiveX function call unicode access 36546 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"ActiveXObject|28 27|KeyHelp.KeyCtrl.1|27 29 3B|"; content:"unescape|28 27 25|u"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16776 SPECIFIC-THREATS KeyWorks KeyHelp 'keyhelp.ocx' ActiveX control multiple method overflow attempt osvdb.org/show/osvdb/58423 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"21E0CB95-1198-4945-A3D2-4BF804295F78"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*21E0CB95-1198-4945-A3D2-4BF804295F78\s*}?\s*(?P=q1)(\s|>)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*21E0CB95-1198-4945-A3D2-4BF804295F78\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>))/siO"; pcre:"/\.(src|background|packagexml)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16783 WEB-ACTIVEX Autodesk iDrop ActiveX clsid access securitytracker.com/id?1021969 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"idrop.idrop"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22idrop\.idrop(\.\d)?\x22|\x27idrop\.idrop(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22idrop\.idrop(\.\d)?\x22|\x27idrop\.idrop(\.\d)?\x27)\s*\)\s*=/smiO"; pcre:"/\.(src|background|packagexml)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16784 WEB-ACTIVEX Autodesk iDrop ActiveX function call access securitytracker.com/id?1021969 32073 attempted-user 2008-5002 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|3D| new ActiveXObject|28 22|ChilkatCrypt2|2E|ChilkatCrypt2|22 29 3B|"; fast_pattern:only; nocase; content:"|3D| unescape|3B|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16789 SPECIFIC-THREATS Chilkat Crypt 2 ActiveX WriteFile method arbitrary file overwrite attempt - 1 32073 attempted-user 2008-5002 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"classid|3D 27|clsid|3A|3352B5B9-82E8-4FFD-9EB1-1A3E60056904|27|"; fast_pattern:only; nocase; content:"unescape|28 22 25|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16790 SPECIFIC-THREATS Chilkat Crypt 2 ActiveX WriteFile method arbitrary file overwrite attempt - 2 34310 attempted-user 2007-4475 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AFBBE070-7340-11d2-AA6B-00E02924C34E"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AFBBE070-7340-11d2-AA6B-00E02924C34E\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SaveViewToSessionFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AFBBE070-7340-11d2-AA6B-00E02924C34E\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SaveViewToSessionFile))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16791 WEB-ACTIVEX SAP AG SAPgui EAI WebViewer3D ActiveX clsid access 34310 attempted-user 2007-4475 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|F|00|B|00|B|00|E|00|0|00|7|00|0|00|-|00|7|00|3|00|4|00|0|00|-|00|1|00|1|00|d|00|2|00|-|00|A|00|A|00|6|00|B|00|-|00|0|00|0|00|E|00|0|00|2|00|9|00|2|00|4|00|C|00|3|00|4|00|E|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00F\x00B\x00B\x00E\x000\x007\x000\x00-\x007\x003\x004\x000\x00-\x001\x001\x00d\x002\x00-\x00A\x00A\x006\x00B\x00-\x000\x000\x00E\x000\x002\x009\x002\x004\x00C\x003\x004\x00E\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16792 WEB-ACTIVEX SAP AG SAPgui EAI WebViewer3D ActiveX clsid unicode access 34310 attempted-user 2007-4475 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"EAIWeb.WebViewer3D"; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22EAIWeb\.WebViewer3D(\.\d)?\x22|\x27EAIWeb\.WebViewer3D(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveViewToSessionFile\s*|.*(?P=v)\s*\.\s*SaveViewToSessionFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EAIWeb\.WebViewer3D(\.\d)?\x22|\x27EAIWeb\.WebViewer3D(\.\d)?\x27)\s*\)(\s*\.\s*SaveViewToSessionFile\s*|.*(?P=n)\s*\.\s*SaveViewToSessionFile\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16793 WEB-ACTIVEX SAP AG SAPgui EAI WebViewer3D ActiveX function call access 34310 attempted-user 2007-4475 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|A|00|I|00|W|00|e|00|b|00|.|00|W|00|e|00|b|00|V|00|i|00|e|00|w|00|e|00|r|00|3|00|D|00|"; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)E\x00A\x00I\x00W\x00e\x00b\x00.\x00W\x00e\x00b\x00V\x00i\x00e\x00w\x00e\x00r\x003\x00D\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)E\x00A\x00I\x00W\x00e\x00b\x00.\x00W\x00e\x00b\x00V\x00i\x00e\x00w\x00e\x00r\x003\x00D\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16794 WEB-ACTIVEX SAP AG SAPgui EAI WebViewer3D ActiveX function call unicode access 35083 attempted-admin 2008-3870 udp $EXTERNAL_NET any -> $HOME_NET [1024:] flow:to_server; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 87 88|"; within:4; distance:4; fast_pattern; byte_jump:4,12,relative,big,align; byte_jump:4,4,relative,big,align; byte_jump:4,108,relative,big,align; byte_jump:4,0,relative,big,align; byte_jump:4,0,relative,big,align; byte_test:4,>,0xFFFFFEFF,0,relative; metadata:policy security-ips drop, service sunrpc; classtype:attempted-admin; 16796 RPC Sun Solaris sadmind UDP data length integer overflow attempt 35083 attempted-admin 2008-3870 tcp $EXTERNAL_NET any -> $HOME_NET [1024:] flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 87 88|"; within:4; distance:4; fast_pattern; byte_jump:4,12,relative,big,align; byte_jump:4,4,relative,big,align; byte_jump:4,108,relative,big,align; byte_jump:4,0,relative,big,align; byte_jump:4,0,relative,big,align; byte_test:4,>,0xFFFFFEFF,0,relative; metadata:policy security-ips drop, service sunrpc; classtype:attempted-admin; 16797 RPC Sun Solaris sadmind TCP data length integer overflow attempt 23071 attempted-user 2007-0348 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B727C217-2022-11D4-B2C6-0050DA1BD906"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B727C217-2022-11D4-B2C6-0050DA1BD906\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ApplicationType)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B727C217-2022-11D4-B2C6-0050DA1BD906\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(ApplicationType))\s*=/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16802 WEB-ACTIVEX WinDVD IASystemInfo.dll ActiveX clsid access 23071 attempted-user 2007-0348 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|7|00|2|00|7|00|C|00|2|00|1|00|7|00|-|00|2|00|0|00|2|00|2|00|-|00|1|00|1|00|D|00|4|00|-|00|B|00|2|00|C|00|6|00|-|00|0|00|0|00|5|00|0|00|D|00|A|00|1|00|B|00|D|00|9|00|0|00|6|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x007\x002\x007\x00C\x002\x001\x007\x00-\x002\x000\x002\x002\x00-\x001\x001\x00D\x004\x00-\x00B\x002\x00C\x006\x00-\x000\x000\x005\x000\x00D\x00A\x001\x00B\x00D\x009\x000\x006\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16803 WEB-ACTIVEX WinDVD IASystemInfo.dll ActiveX clsid unicode access attempted-user 2010-0814 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17037, service http, policy security-ips drop; 17037 WEB-ACTIVEX MS Access multiple control instantiation memory corruption attempt www.microsoft.com/technet/security/bulletin/MS10-044.mspx attempted-user 2010-1881 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|17038, service http, policy balanced-ips drop, policy security-ips drop; 17038 EXPLOIT Microsoft Access ACCWIZ library release after free attempt - 1 www.microsoft.com/technet/security/bulletin/MS10-044.mspx attempted-user 2010-1881 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17039, service http, policy balanced-ips drop, policy security-ips drop; 17039 EXPLOIT Microsoft Access ACCWIZ library release after free attempt - 2 www.microsoft.com/technet/security/bulletin/MS10-044.mspx attempted-user 2010-2568 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"|4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17042 WEB-CLIENT Microsoft LNK shortcut download attempt www.microsoft.com/technet/security/bulletin/ms10-046.mspx attempted-user 2010-2568 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".pif"; nocase; http_uri; pcre:"/\.pif[\s\x3F\x3B]/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17043 WEB-CLIENT Microsoft PIF shortcut download attempt www.microsoft.com/technet/security/bulletin/ms10-046.mspx 33247 attempted-user 2008-4388 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3356DB7C-58A7-11D4-AA5C-006097314BF8"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3356DB7C-58A7-11D4-AA5C-006097314BF8\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(installAppMgr|installAppMgr2|upgradeAsNeeded|upgradeAsNeededEx)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3356DB7C-58A7-11D4-AA5C-006097314BF8\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(installAppMgr|installAppMgr2|upgradeAsNeeded|upgradeAsNeededEx))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17051 WEB-ACTIVEX Symantec AppStream Client LaunchObj ActiveX clsid access 33247 attempted-user 2008-4388 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|3|00|5|00|6|00|D|00|B|00|7|00|C|00|-|00|5|00|8|00|A|00|7|00|-|00|1|00|1|00|D|00|4|00|-|00|A|00|A|00|5|00|C|00|-|00|0|00|0|00|6|00|0|00|9|00|7|00|3|00|1|00|4|00|B|00|F|00|8|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x003\x005\x006\x00D\x00B\x007\x00C\x00-\x005\x008\x00A\x007\x00-\x001\x001\x00D\x004\x00-\x00A\x00A\x005\x00C\x00-\x000\x000\x006\x000\x009\x007\x003\x001\x004\x00B\x00F\x008\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17052 WEB-ACTIVEX Symantec AppStream Client LaunchObj ActiveX clsid unicode access 33247 attempted-user 2008-4388 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Launcher.LaunchObj"; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22Launcher\.LaunchObj(\.\d)?\x22|\x27Launcher\.LaunchObj(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(installAppMgr|installAppMgr2|upgradeAsNeeded|upgradeAsNeededEx)\s*|.*(?P=v)\s*\.\s*(installAppMgr|installAppMgr2|upgradeAsNeeded|upgradeAsNeededEx)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Launcher\.LaunchObj(\.\d)?\x22|\x27Launcher\.LaunchObj(\.\d)?\x27)\s*\)(\s*\.\s*(installAppMgr|installAppMgr2|upgradeAsNeeded|upgradeAsNeededEx)\s*|.*(?P=n)\s*\.\s*(installAppMgr|installAppMgr2|upgradeAsNeeded|upgradeAsNeededEx)\s*)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17053 WEB-ACTIVEX Symantec AppStream Client LaunchObj ActiveX function call access 33247 attempted-user 2008-4388 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"L|00|a|00|u|00|n|00|c|00|h|00|e|00|r|00|.|00|L|00|a|00|u|00|n|00|c|00|h|00|O|00|b|00|j|00|"; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)L\x00a\x00u\x00n\x00c\x00h\x00e\x00r\x00.\x00L\x00a\x00u\x00n\x00c\x00h\x00O\x00b\x00j\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)L\x00a\x00u\x00n\x00c\x00h\x00e\x00r\x00.\x00L\x00a\x00u\x00n\x00c\x00h\x00O\x00b\x00j\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17054 WEB-ACTIVEX Symantec AppStream Client LaunchObj ActiveX function call unicode access 34400 attempted-admin 2009-1350 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:to_server,established; content:"|02 00 00 00 00 00 00 00 40 09 B9 00|"; metadata:policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 17056 SPECIFIC-THREATS Novell NetIdentity Agent XTIERRPCPIPE remote code execution attempt 23412 attempted-user 2007-1559 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|9F1363DA-0220-462E-B923-9E3C9038896F|27|"; content:"unescape|28 27 25|u"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17060 SPECIFIC-THREATS Roxio CinePlayer SonicDVDDashVRNav.dll ActiveX control buffer overflow attempt 23936 attempted-user 2007-1689 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BE39AEFD-5704-4bb5-B1DF-B7992454AB7E"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BE39AEFD-5704-4bb5-B1DF-B7992454AB7E\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Get|Set)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BE39AEFD-5704-4bb5-B1DF-B7992454AB7E\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Get|Set))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17061 WEB-ACTIVEX Symantec Norton Personal Firewall 2004 ActiveX clsid access 23936 attempted-user 2007-1689 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|E|00|3|00|9|00|A|00|E|00|F|00|D|00|-|00|5|00|7|00|0|00|4|00|-|00|4|00|b|00|b|00|5|00|-|00|B|00|1|00|D|00|F|00|-|00|B|00|7|00|9|00|9|00|2|00|4|00|5|00|4|00|A|00|B|00|7|00|E|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x00E\x003\x009\x00A\x00E\x00F\x00D\x00-\x005\x007\x000\x004\x00-\x004\x00b\x00b\x005\x00-\x00B\x001\x00D\x00F\x00-\x00B\x007\x009\x009\x002\x004\x005\x004\x00A\x00B\x007\x00E\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17062 WEB-ACTIVEX Symantec Norton Personal Firewall 2004 ActiveX clsid unicode access 24254 attempted-user 2007-2918 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"54da0fb5-483a-4c53-810b-f131d50a8eb6"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*54da0fb5-483a-4c53-810b-f131d50a8eb6\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Start)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*54da0fb5-483a-4c53-810b-f131d50a8eb6\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Start))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17063 WEB-ACTIVEX Logitech Video Call 1 ActiveX clsid access 24254 attempted-user 2007-2918 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|4|00|d|00|a|00|0|00|f|00|b|00|5|00|-|00|4|00|8|00|3|00|a|00|-|00|4|00|c|00|5|00|3|00|-|00|8|00|1|00|0|00|b|00|-|00|f|00|1|00|3|00|1|00|d|00|5|00|0|00|a|00|8|00|e|00|b|00|6|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x004\x00d\x00a\x000\x00f\x00b\x005\x00-\x004\x008\x003\x00a\x00-\x004\x00c\x005\x003\x00-\x008\x001\x000\x00b\x00-\x00f\x001\x003\x001\x00d\x005\x000\x00a\x008\x00e\x00b\x006\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17064 WEB-ACTIVEX Logitech Video Call 1 ActiveX clsid unicode access 24254 attempted-user 2007-2918 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6577b09d-c39d-4e22-9913-c99803f9c388"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6577b09d-c39d-4e22-9913-c99803f9c388\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Start)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6577b09d-c39d-4e22-9913-c99803f9c388\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Start))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17065 WEB-ACTIVEX Logitech Video Call 2 ActiveX clsid access 24254 attempted-user 2007-2918 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|5|00|7|00|7|00|b|00|0|00|9|00|d|00|-|00|c|00|3|00|9|00|d|00|-|00|4|00|e|00|2|00|2|00|-|00|9|00|9|00|1|00|3|00|-|00|c|00|9|00|9|00|8|00|0|00|3|00|f|00|9|00|c|00|3|00|8|00|8|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x005\x007\x007\x00b\x000\x009\x00d\x00-\x00c\x003\x009\x00d\x00-\x004\x00e\x002\x002\x00-\x009\x009\x001\x003\x00-\x00c\x009\x009\x008\x000\x003\x00f\x009\x00c\x003\x008\x008\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17066 WEB-ACTIVEX Logitech Video Call 2 ActiveX clsid unicode access 24254 attempted-user 2007-2918 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"917b29f8-e72a-4761-8371-bf7fca27eb31"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*917b29f8-e72a-4761-8371-bf7fca27eb31\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Start)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*917b29f8-e72a-4761-8371-bf7fca27eb31\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Start))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17067 WEB-ACTIVEX Logitech Video Call 3 ActiveX clsid access 24254 attempted-user 2007-2918 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|1|00|7|00|b|00|2|00|9|00|f|00|8|00|-|00|e|00|7|00|2|00|a|00|-|00|4|00|7|00|6|00|1|00|-|00|8|00|3|00|7|00|1|00|-|00|b|00|f|00|7|00|f|00|c|00|a|00|2|00|7|00|e|00|b|00|3|00|1|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x001\x007\x00b\x002\x009\x00f\x008\x00-\x00e\x007\x002\x00a\x00-\x004\x007\x006\x001\x00-\x008\x003\x007\x001\x00-\x00b\x00f\x007\x00f\x00c\x00a\x002\x007\x00e\x00b\x003\x001\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17068 WEB-ACTIVEX Logitech Video Call 3 ActiveX clsid unicode access 24254 attempted-user 2007-2918 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"bef0f488-3562-435f-8e89-79d94c9a528c"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*bef0f488-3562-435f-8e89-79d94c9a528c\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Start)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*bef0f488-3562-435f-8e89-79d94c9a528c\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Start))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17069 WEB-ACTIVEX Logitech Video Call 4 ActiveX clsid access 24254 attempted-user 2007-2918 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"b|00|e|00|f|00|0|00|f|00|4|00|8|00|8|00|-|00|3|00|5|00|6|00|2|00|-|00|4|00|3|00|5|00|f|00|-|00|8|00|e|00|8|00|9|00|-|00|7|00|9|00|d|00|9|00|4|00|c|00|9|00|a|00|5|00|2|00|8|00|c|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*b\x00e\x00f\x000\x00f\x004\x008\x008\x00-\x003\x005\x006\x002\x00-\x004\x003\x005\x00f\x00-\x008\x00e\x008\x009\x00-\x007\x009\x00d\x009\x004\x00c\x009\x00a\x005\x002\x008\x00c\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17070 WEB-ACTIVEX Logitech Video Call 4 ActiveX clsid unicode access 24254 attempted-user 2007-2918 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"bf4c7b03-f381-4544-9a33-cb6dad2a87cd"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*bf4c7b03-f381-4544-9a33-cb6dad2a87cd\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Start)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*bf4c7b03-f381-4544-9a33-cb6dad2a87cd\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Start))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17071 WEB-ACTIVEX Logitech Video Call 5 ActiveX clsid access 24254 attempted-user 2007-2918 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"b|00|f|00|4|00|c|00|7|00|b|00|0|00|3|00|-|00|f|00|3|00|8|00|1|00|-|00|4|00|5|00|4|00|4|00|-|00|9|00|a|00|3|00|3|00|-|00|c|00|b|00|6|00|d|00|a|00|d|00|2|00|a|00|8|00|7|00|c|00|d|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*b\x00f\x004\x00c\x007\x00b\x000\x003\x00-\x00f\x003\x008\x001\x00-\x004\x005\x004\x004\x00-\x009\x00a\x003\x003\x00-\x00c\x00b\x006\x00d\x00a\x00d\x002\x00a\x008\x007\x00c\x00d\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17072 WEB-ACTIVEX Logitech Video Call 5 ActiveX clsid unicode access 25785 attempted-user 2007-5107 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5A074B2B-F830-49de-A31B-5BB9D7F6B407"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5A074B2B-F830-49de-A31B-5BB9D7F6B407\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ShortFormat)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5A074B2B-F830-49de-A31B-5BB9D7F6B407\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(ShortFormat))\s*=/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17073 WEB-ACTIVEX Ask Toolbar AskJeevesToolBar.SettingsPlugin ActiveX clsid access 25785 attempted-user 2007-5107 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|A|00|0|00|7|00|4|00|B|00|2|00|B|00|-|00|F|00|8|00|3|00|0|00|-|00|4|00|9|00|d|00|e|00|-|00|A|00|3|00|1|00|B|00|-|00|5|00|B|00|B|00|9|00|D|00|7|00|F|00|6|00|B|00|4|00|0|00|7|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x00A\x000\x007\x004\x00B\x002\x00B\x00-\x00F\x008\x003\x000\x00-\x004\x009\x00d\x00e\x00-\x00A\x003\x001\x00B\x00-\x005\x00B\x00B\x009\x00D\x007\x00F\x006\x00B\x004\x000\x007\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17074 WEB-ACTIVEX Ask Toolbar AskJeevesToolBar.SettingsPlugin ActiveX clsid unicode access 25785 attempted-user 2007-5107 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AskJeevesToolBar.SettingsPlugin"; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22AskJeevesToolBar\.SettingsPlugin(\.\d)?\x22|\x27AskJeevesToolBar\.SettingsPlugin(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*ShortFormat\s*|.*(?P=v)\s*\.\s*ShortFormat\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AskJeevesToolBar\.SettingsPlugin(\.\d)?\x22|\x27AskJeevesToolBar\.SettingsPlugin(\.\d)?\x27)\s*\)(\s*\.\s*ShortFormat\s*|.*(?P=n)\s*\.\s*ShortFormat)\s*=/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17075 WEB-ACTIVEX Ask Toolbar AskJeevesToolBar.SettingsPlugin ActiveX function call access 25785 attempted-user 2007-5107 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|s|00|k|00|J|00|e|00|e|00|v|00|e|00|s|00|T|00|o|00|o|00|l|00|B|00|a|00|r|00|.|00|S|00|e|00|t|00|t|00|i|00|n|00|g|00|s|00|P|00|l|00|u|00|g|00|i|00|n|00|"; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)A\x00s\x00k\x00J\x00e\x00e\x00v\x00e\x00s\x00T\x00o\x00o\x00l\x00B\x00a\x00r\x00.\x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00P\x00l\x00u\x00g\x00i\x00n\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)A\x00s\x00k\x00J\x00e\x00e\x00v\x00e\x00s\x00T\x00o\x00o\x00l\x00B\x00a\x00r\x00.\x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00P\x00l\x00u\x00g\x00i\x00n\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17076 WEB-ACTIVEX Ask Toolbar AskJeevesToolBar.SettingsPlugin ActiveX function call unicode access 25785 attempted-user 2007-5107 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"classid|3D 27|clsid|3A|5A074B2B-F830-49DE-A31B-5BB9D7F6B407|27|"; content:"|3D| new String|28|"; distance:0; content:!"|29|"; within:1000; metadata:policy security-ips drop, service http; classtype:attempted-user; 17077 SPECIFIC-THREATS Ask Toolbar AskJeevesToolBar.SettingsPlugin.1 ActiveX control buffer overflow attempt 26236 attempted-user 2007-5779 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DC07C721-79E0-4BD4-A89F-C90871946A31"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DC07C721-79E0-4BD4-A89F-C90871946A31\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(OpenURL)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DC07C721-79E0-4BD4-A89F-C90871946A31\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(OpenURL))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17078 WEB-ACTIVEX GOM Player GomWeb ActiveX clsid access 26236 attempted-user 2007-5779 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|C|00|0|00|7|00|C|00|7|00|2|00|1|00|-|00|7|00|9|00|E|00|0|00|-|00|4|00|B|00|D|00|4|00|-|00|A|00|8|00|9|00|F|00|-|00|C|00|9|00|0|00|8|00|7|00|1|00|9|00|4|00|6|00|A|00|3|00|1|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00C\x000\x007\x00C\x007\x002\x001\x00-\x007\x009\x00E\x000\x00-\x004\x00B\x00D\x004\x00-\x00A\x008\x009\x00F\x00-\x00C\x009\x000\x008\x007\x001\x009\x004\x006\x00A\x003\x001\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17079 WEB-ACTIVEX GOM Player GomWeb ActiveX clsid unicode access 26236 attempted-user 2007-5779 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"GomWebCtrl.GomManager"; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22GomWebCtrl\.GomManager(\.\d)?\x22|\x27GomWebCtrl\.GomManager(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*OpenURL\s*|.*(?P=v)\s*\.\s*OpenURL\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22GomWebCtrl\.GomManager(\.\d)?\x22|\x27GomWebCtrl\.GomManager(\.\d)?\x27)\s*\)(\s*\.\s*OpenURL\s*|.*(?P=n)\s*\.\s*OpenURL\s*)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17080 WEB-ACTIVEX GOM Player GomWeb ActiveX function call access 26236 attempted-user 2007-5779 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"G|00|o|00|m|00|W|00|e|00|b|00|C|00|t|00|r|00|l|00|.|00|G|00|o|00|m|00|M|00|a|00|n|00|a|00|g|00|e|00|r|00|"; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)G\x00o\x00m\x00W\x00e\x00b\x00C\x00t\x00r\x00l\x00.\x00G\x00o\x00m\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)G\x00o\x00m\x00W\x00e\x00b\x00C\x00t\x00r\x00l\x00.\x00G\x00o\x00m\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17081 WEB-ACTIVEX GOM Player GomWeb ActiveX function call unicode access 26288 attempted-user 2007-5603 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6EEFD7B1-B26C-440D-B55A-1EC677189F30"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6EEFD7B1-B26C-440D-B55A-1EC677189F30\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AddRouteEntry)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6EEFD7B1-B26C-440D-B55A-1EC677189F30\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(AddRouteEntry))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17082 WEB-ACTIVEX SonicWALL SSL-VPN NeLaunchCtrl ActiveX clsid access 26288 attempted-user 2007-5603 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|E|00|E|00|F|00|D|00|7|00|B|00|1|00|-|00|B|00|2|00|6|00|C|00|-|00|4|00|4|00|0|00|D|00|-|00|B|00|5|00|5|00|A|00|-|00|1|00|E|00|C|00|6|00|7|00|7|00|1|00|8|00|9|00|F|00|3|00|0|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x00E\x00E\x00F\x00D\x007\x00B\x001\x00-\x00B\x002\x006\x00C\x00-\x004\x004\x000\x00D\x00-\x00B\x005\x005\x00A\x00-\x001\x00E\x00C\x006\x007\x007\x001\x008\x009\x00F\x003\x000\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17083 WEB-ACTIVEX SonicWALL SSL-VPN NeLaunchCtrl ActiveX clsid unicode access 29391 attempted-user 2008-0955 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0A5FD7C5-A45C-49FC-ADB5-9952547D5715"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0A5FD7C5-A45C-49FC-ADB5-9952547D5715\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(cachefolder)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0A5FD7C5-A45C-49FC-ADB5-9952547D5715\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(cachefolder))\s*=/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17084 WEB-ACTIVEX Creative Software AutoUpdate Engine ActiveX clsid access 29391 attempted-user 2008-0955 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|A|00|5|00|F|00|D|00|7|00|C|00|5|00|-|00|A|00|4|00|5|00|C|00|-|00|4|00|9|00|F|00|C|00|-|00|A|00|D|00|B|00|5|00|-|00|9|00|9|00|5|00|2|00|5|00|4|00|7|00|D|00|5|00|7|00|1|00|5|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00A\x005\x00F\x00D\x007\x00C\x005\x00-\x00A\x004\x005\x00C\x00-\x004\x009\x00F\x00C\x00-\x00A\x00D\x00B\x005\x00-\x009\x009\x005\x002\x005\x004\x007\x00D\x005\x007\x001\x005\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17085 WEB-ACTIVEX Creative Software AutoUpdate Engine ActiveX clsid unicode access 29391 attempted-user 2008-0955 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|0A5FD7C5-A45C-49FC-ADB5-9952547D5715|27|"; content:"unescape|28 27 25|u"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17086 SPECIFIC-THREATS Creative Software AutoUpdate Engine CTSUEng.ocx ActiveX control buffer overflow attempt 32313 attempted-user 2008-5492 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"433268D7-2CD4-43E6-AA24-2188672E7252"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*433268D7-2CD4-43E6-AA24-2188672E7252\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(OpenPDF)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*433268D7-2CD4-43E6-AA24-2188672E7252\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(OpenPDF))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17087 WEB-ACTIVEX VeryDOC PDF Viewer ActiveX clsid access 32313 attempted-user 2008-5492 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|3|00|3|00|2|00|6|00|8|00|D|00|7|00|-|00|2|00|C|00|D|00|4|00|-|00|4|00|3|00|E|00|6|00|-|00|A|00|A|00|2|00|4|00|-|00|2|00|1|00|8|00|8|00|6|00|7|00|2|00|E|00|7|00|2|00|5|00|2|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x003\x003\x002\x006\x008\x00D\x007\x00-\x002\x00C\x00D\x004\x00-\x004\x003\x00E\x006\x00-\x00A\x00A\x002\x004\x00-\x002\x001\x008\x008\x006\x007\x002\x00E\x007\x002\x005\x002\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17088 WEB-ACTIVEX VeryDOC PDF Viewer ActiveX clsid unicode access 32313 attempted-user 2008-5492 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"PDFVIEW.PdfviewCtrl"; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22PDFVIEW\.PdfviewCtrl(\.\d)?\x22|\x27PDFVIEW\.PdfviewCtrl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*OpenPDF\s*|.*(?P=v)\s*\.\s*OpenPDF\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22PDFVIEW\.PdfviewCtrl(\.\d)?\x22|\x27PDFVIEW\.PdfviewCtrl(\.\d)?\x27)\s*\)(\s*\.\s*OpenPDF\s*|.*(?P=n)\s*\.\s*OpenPDF\s*)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17089 WEB-ACTIVEX VeryDOC PDF Viewer ActiveX function call access 32313 attempted-user 2008-5492 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"P|00|D|00|F|00|V|00|I|00|E|00|W|00|.|00|P|00|d|00|f|00|v|00|i|00|e|00|w|00|C|00|t|00|r|00|l|00|"; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)P\x00D\x00F\x00V\x00I\x00E\x00W\x00.\x00P\x00d\x00f\x00v\x00i\x00e\x00w\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)P\x00D\x00F\x00V\x00I\x00E\x00W\x00.\x00P\x00d\x00f\x00v\x00i\x00e\x00w\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17090 WEB-ACTIVEX VeryDOC PDF Viewer ActiveX function call unicode access 32313 attempted-user 2008-5492 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|433268D7-2CD4-43E6-AA24-2188672E7252|27|"; content:"unescape|28 27 25|u"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17091 SPECIFIC-THREATS VeryDOC PDF Viewer ActiveX control OpenPDF buffer overflow attempt 36346 attempted-user 2009-3028 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"63716E93-033D-48B0-8A2F-8E8473FD7AC7"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*63716E93-033D-48B0-8A2F-8E8473FD7AC7\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Download|DownloadAndInstall)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*63716E93-033D-48B0-8A2F-8E8473FD7AC7\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Download|DownloadAndInstall))/siO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17092 WEB-ACTIVEX Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX clsid access 36346 attempted-user 2009-3028 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|3|00|7|00|1|00|6|00|E|00|9|00|3|00|-|00|0|00|3|00|3|00|D|00|-|00|4|00|8|00|B|00|0|00|-|00|8|00|A|00|2|00|F|00|-|00|8|00|E|00|8|00|4|00|7|00|3|00|F|00|D|00|7|00|A|00|C|00|7|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x003\x007\x001\x006\x00E\x009\x003\x00-\x000\x003\x003\x00D\x00-\x004\x008\x00B\x000\x00-\x008\x00A\x002\x00F\x00-\x008\x00E\x008\x004\x007\x003\x00F\x00D\x007\x00A\x00C\x007\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17093 WEB-ACTIVEX Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX clsid unicode access 36346 attempted-user 2009-3028 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Altiris.AeXNSPkgDL"; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22Altiris\.AeXNSPkgDL(\.\d)?\x22|\x27Altiris\.AeXNSPkgDL(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Download|DownloadAndInstall)\s*|.*(?P=v)\s*\.\s*(Download|DownloadAndInstall)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Altiris\.AeXNSPkgDL(\.\d)?\x22|\x27Altiris\.AeXNSPkgDL(\.\d)?\x27)\s*\)(\s*\.\s*(Download|DownloadAndInstall)\s*|.*(?P=n)\s*\.\s*(Download|DownloadAndInstall)\s*)/smiO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17094 WEB-ACTIVEX Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX function call access 36346 attempted-user 2009-3028 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|l|00|t|00|i|00|r|00|i|00|s|00|.|00|A|00|e|00|X|00|N|00|S|00|P|00|k|00|g|00|D|00|L|00|"; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)A\x00l\x00t\x00i\x00r\x00i\x00s\x00.\x00A\x00e\x00X\x00N\x00S\x00P\x00k\x00g\x00D\x00L\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)A\x00l\x00t\x00i\x00r\x00i\x00s\x00.\x00A\x00e\x00X\x00N\x00S\x00P\x00k\x00g\x00D\x00L\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17095 WEB-ACTIVEX Symantec Altirix Deployment Solution AeXNSPkgDLLib.dll ActiveX function call unicode access misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:misc-activity; flowbits:set,imagesource.redefine; flowbits:noalert; metadata: engine shared, soid 3|17113; 17113 WEB-CLIENT Microsoft SilverLight ImageSource redefine flowbit attempted-user 2010-1882 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.mp3; metadata: engine shared, soid 3|17117, service http, policy balanced-ips drop, policy security-ips drop; 17117 EXPLOIT Microsoft MPEG Layer-3 audio heap corruption attempt www.microsoft.com/technet/Bulletin/advisory/MS10-052.mspx attempted-user 2010-1898 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17118, service http, policy balanced-ips drop, policy security-ips drop; 17118 EXPLOIT Microsoft .NET CreateDelegate method arbitrary code execution attempt www.microsoft.com/technet/security/bulletin/MS10-060.mspx attempted-admin 2010-2550 tcp $EXTERNAL_NET any -> $HOME_NET 445 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|17125, service netbios-ssn, policy security-ips drop; 17125 NETBIOS SMB Trans2 MaxDataCount overflow attempt www.microsoft.com/technet/security/bulletin/MS10-054.mspx protocol-command-decode 2010-2551 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; flowbits:set,smb.small.packet; flowbits:noalert; metadata: engine shared, soid 3|17126, service netbios-ssn; 17126 NETBIOS SMB large session length with small packet www.microsoft.com/technet/security/bulletin/MS10-054.mspx attempted-dos 2010-2551 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:attempted-dos; flowbits:isset,smb.small.packet; flowbits:unset,smb.small.packet; metadata: engine shared, soid 3|17127, service netbios-ssn, policy security-ips drop; 17127 NETBIOS BytesIndicated validation dos attempt www.microsoft.com/technet/security/bulletin/MS10-054.mspx attempted-user 2010-2564 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.mswmm; metadata: engine shared, soid 3|17135, service http, policy balanced-ips drop, policy security-ips drop; 17135 EXPLOIT Microsoft Windows Movie Maker string size overflow attempt www.microsoft.com/technet/security/bulletin/MS10-050.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"classid|3D 27|clsid|3A|E68E401C-7DB0-4F3A-88E1-159882468A79|27|"; content:"defer>"; within:100; content:"unescape|28 22 25|"; within:50; metadata:policy security-ips drop, service http; classtype:attempted-user; 17160 SPECIFIC-THREATS Liquid XML Studio LtXmlComHelp8.dll ActiveX OpenFile buffer overflow attempt secunia.com/advisories/38974 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E68E401C-7DB0-4F3A-88E1-159882468A79"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E68E401C-7DB0-4F3A-88E1-159882468A79\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(OpenFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E68E401C-7DB0-4F3A-88E1-159882468A79\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(OpenFile))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17161 WEB-ACTIVEX Liquid XML Studio ActiveX clsid access secunia.com/advisories/38974 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|6|00|8|00|E|00|4|00|0|00|1|00|C|00|-|00|7|00|D|00|B|00|0|00|-|00|4|00|F|00|3|00|A|00|-|00|8|00|8|00|E|00|1|00|-|00|1|00|5|00|9|00|8|00|8|00|2|00|4|00|6|00|8|00|A|00|7|00|9|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x006\x008\x00E\x004\x000\x001\x00C\x00-\x007\x00D\x00B\x000\x00-\x004\x00F\x003\x00A\x00-\x008\x008\x00E\x001\x00-\x001\x005\x009\x008\x008\x002\x004\x006\x008\x00A\x007\x009\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17162 WEB-ACTIVEX Liquid XML Studio ActiveX clsid unicode access secunia.com/advisories/38974 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"LtXmlComHelp8.UnicodeFile"; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22LtXmlComHelp8\.UnicodeFile(\.\d)?\x22|\x27LtXmlComHelp8\.UnicodeFile(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*OpenFile\s*|.*(?P=v)\s*\.\s*OpenFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LtXmlComHelp8\.UnicodeFile(\.\d)?\x22|\x27LtXmlComHelp8\.UnicodeFile(\.\d)?\x27)\s*\)(\s*\.\s*OpenFile\s*|.*(?P=n)\s*\.\s*OpenFile\s*)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17163 WEB-ACTIVEX Liquid XML Studio ActiveX function call access secunia.com/advisories/38974 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"L|00|t|00|X|00|m|00|l|00|C|00|o|00|m|00|H|00|e|00|l|00|p|00|8|00|.|00|U|00|n|00|i|00|c|00|o|00|d|00|e|00|F|00|i|00|l|00|e|00|"; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)L\x00t\x00X\x00m\x00l\x00C\x00o\x00m\x00H\x00e\x00l\x00p\x008\x00.\x00U\x00n\x00i\x00c\x00o\x00d\x00e\x00F\x00i\x00l\x00e\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)L\x00t\x00X\x00m\x00l\x00C\x00o\x00m\x00H\x00e\x00l\x00p\x008\x00.\x00U\x00n\x00i\x00c\x00o\x00d\x00e\x00F\x00i\x00l\x00e\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17164 WEB-ACTIVEX Liquid XML Studio ActiveX function call unicode access secunia.com/advisories/38974 attempted-user 2009-3737 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"07070bfd-c501-4899-934d-0b96a9f70795"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*07070bfd-c501-4899-934d-0b96a9f70795\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17167 WEB-ACTIVEX Oracle Siebel Option Pack 1 ActiveX clsid access www.kb.cert.org/vuls/id/174089 attempted-user 2009-3737 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|7|00|0|00|7|00|0|00|b|00|f|00|d|00|-|00|c|00|5|00|0|00|1|00|-|00|4|00|8|00|9|00|9|00|-|00|9|00|3|00|4|00|d|00|-|00|0|00|b|00|9|00|6|00|a|00|9|00|f|00|7|00|0|00|7|00|9|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x007\x000\x007\x000\x00b\x00f\x00d\x00-\x00c\x005\x000\x001\x00-\x004\x008\x009\x009\x00-\x009\x003\x004\x00d\x00-\x000\x00b\x009\x006\x00a\x009\x00f\x007\x000\x007\x009\x005\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17168 WEB-ACTIVEX Oracle Siebel Option Pack 1 ActiveX clsid unicode access www.kb.cert.org/vuls/id/174089 attempted-user 2009-3737 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"26bac093-997c-4084-bad6-c35f5d67ea99"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q3>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*26bac093-997c-4084-bad6-c35f5d67ea99\s*}?\s*(?P=q3)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17169 WEB-ACTIVEX Oracle Siebel Option Pack 2 ActiveX clsid access www.kb.cert.org/vuls/id/174089 attempted-user 2009-3737 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|6|00|b|00|a|00|c|00|0|00|9|00|3|00|-|00|9|00|9|00|7|00|c|00|-|00|4|00|0|00|8|00|4|00|-|00|b|00|a|00|d|00|6|00|-|00|c|00|3|00|5|00|f|00|5|00|d|00|6|00|7|00|e|00|a|00|9|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q4>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x006\x00b\x00a\x00c\x000\x009\x003\x00-\x009\x009\x007\x00c\x00-\x004\x000\x008\x004\x00-\x00b\x00a\x00d\x006\x00-\x00c\x003\x005\x00f\x005\x00d\x006\x007\x00e\x00a\x009\x009\x00(}\x00)?(?P=q4)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17170 WEB-ACTIVEX Oracle Siebel Option Pack 2 ActiveX clsid unicode access www.kb.cert.org/vuls/id/174089 attempted-user 2009-3737 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"631F0C94-C02F-40AC-A31B-DDC39731FC81"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*631F0C94-C02F-40AC-A31B-DDC39731FC81\s*}?\s*(?P=q5)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17171 WEB-ACTIVEX Oracle Siebel Option Pack 3 ActiveX clsid access www.kb.cert.org/vuls/id/174089 attempted-user 2009-3737 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|3|00|1|00|F|00|0|00|C|00|9|00|4|00|-|00|C|00|0|00|2|00|F|00|-|00|4|00|0|00|A|00|C|00|-|00|A|00|3|00|1|00|B|00|-|00|D|00|D|00|C|00|3|00|9|00|7|00|3|00|1|00|F|00|C|00|8|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q6>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x003\x001\x00F\x000\x00C\x009\x004\x00-\x00C\x000\x002\x00F\x00-\x004\x000\x00A\x00C\x00-\x00A\x003\x001\x00B\x00-\x00D\x00D\x00C\x003\x009\x007\x003\x001\x00F\x00C\x008\x001\x00(}\x00)?(?P=q6)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17172 WEB-ACTIVEX Oracle Siebel Option Pack 3 ActiveX clsid unicode access www.kb.cert.org/vuls/id/174089 attempted-user 2009-3737 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"68cdb19a-6305-4589-8c35-41e3502cd451"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*68cdb19a-6305-4589-8c35-41e3502cd451\s*}?\s*(?P=q7)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17173 WEB-ACTIVEX Oracle Siebel Option Pack 4 ActiveX clsid access www.kb.cert.org/vuls/id/174089 attempted-user 2009-3737 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|8|00|c|00|d|00|b|00|1|00|9|00|a|00|-|00|6|00|3|00|0|00|5|00|-|00|4|00|5|00|8|00|9|00|-|00|8|00|c|00|3|00|5|00|-|00|4|00|1|00|e|00|3|00|5|00|0|00|2|00|c|00|d|00|4|00|5|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q8>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x008\x00c\x00d\x00b\x001\x009\x00a\x00-\x006\x003\x000\x005\x00-\x004\x005\x008\x009\x00-\x008\x00c\x003\x005\x00-\x004\x001\x00e\x003\x005\x000\x002\x00c\x00d\x004\x005\x001\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17174 WEB-ACTIVEX Oracle Siebel Option Pack 4 ActiveX clsid unicode access www.kb.cert.org/vuls/id/174089 attempted-user 2009-3737 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"81a81dd2-a261-442a-b9b1-df10a2542020"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q9>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*81a81dd2-a261-442a-b9b1-df10a2542020\s*}?\s*(?P=q9)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17175 WEB-ACTIVEX Oracle Siebel Option Pack 5 ActiveX clsid access www.kb.cert.org/vuls/id/174089 attempted-user 2009-3737 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|1|00|a|00|8|00|1|00|d|00|d|00|2|00|-|00|a|00|2|00|6|00|1|00|-|00|4|00|4|00|2|00|a|00|-|00|b|00|9|00|b|00|1|00|-|00|d|00|f|00|1|00|0|00|a|00|2|00|5|00|4|00|2|00|0|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q10>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x001\x00a\x008\x001\x00d\x00d\x002\x00-\x00a\x002\x006\x001\x00-\x004\x004\x002\x00a\x00-\x00b\x009\x00b\x001\x00-\x00d\x00f\x001\x000\x00a\x002\x005\x004\x002\x000\x002\x000\x00(}\x00)?(?P=q10)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17176 WEB-ACTIVEX Oracle Siebel Option Pack 5 ActiveX clsid unicode access www.kb.cert.org/vuls/id/174089 attempted-user 2009-3737 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"45874228-a445-40dc-962b-ec15559b1741"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q11>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*45874228-a445-40dc-962b-ec15559b1741\s*}?\s*(?P=q11)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17177 WEB-ACTIVEX Oracle Siebel Option Pack 6 ActiveX clsid access www.kb.cert.org/vuls/id/174089 attempted-user 2009-3737 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|5|00|8|00|7|00|4|00|2|00|2|00|8|00|-|00|a|00|4|00|4|00|5|00|-|00|4|00|0|00|d|00|c|00|-|00|9|00|6|00|2|00|b|00|-|00|e|00|c|00|1|00|5|00|5|00|5|00|9|00|b|00|1|00|7|00|4|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q12>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x005\x008\x007\x004\x002\x002\x008\x00-\x00a\x004\x004\x005\x00-\x004\x000\x00d\x00c\x00-\x009\x006\x002\x00b\x00-\x00e\x00c\x001\x005\x005\x005\x009\x00b\x001\x007\x004\x001\x00(}\x00)?(?P=q12)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17178 WEB-ACTIVEX Oracle Siebel Option Pack 6 ActiveX clsid unicode access www.kb.cert.org/vuls/id/174089 33408 attempted-user 2008-5260 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CamImage.CamImage"; nocase; pcre:"/(\x3d\s*new\s+ActiveXObject\s*\x28\s*(?P<q1>\x22|\x27)CamImage\.CamImage\.\d(?P=q1)\s*\x29|\x3d\s*CreateObject\s*\x28\s*(?P<q2>\x22|\x27)CamImage\.CamImage\.\d(?P=q2)\s*\x29)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17226 WEB-ACTIVEX AXIS Camera ActiveX initialization via script misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".wmv"; nocase; http_uri; flowbits:set,http.wmv; flowbits:noalert; metadata:service http; classtype:misc-activity; 17241 WEB-CLIENT Microsoft wmv file download request attempted-user 2010-0820 tcp $EXTERNAL_NET any -> $HOME_NET 389 gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17249, service ldap, policy balanced-ips drop, policy security-ips drop; 17249 EXPLOIT Microsoft LSASS integer overflow attempt www.microsoft.com/technet/security/bulletin/MS10-068.mspx attempted-user 2010-2738 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17256, service http, policy balanced-ips drop, policy security-ips drop; 17256 WEB-CLIENT Microsoft Windows uniscribe fonts parsing memory corruption attempt www.microsoft.com/technet/security/bulletin/MS10-063.mspx 13248 attempted-user 2005-1191 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.doc; content:"|1E 00 00 00|"; fast_pattern; content:"javascript"; distance:0; nocase; pcre:"/\x1e\x00\x00\x00.{4}[^\x00]*?\x40[^\x00]*?javascript/i"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17271 WEB-CLIENT Microsoft Windows Web View script injection attempt 18993 attempted-user 2006-3656 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.ppt; content:"|A4 37 7A 00 81 00 00 00 00 00 82 00 00 00 00 00|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-user; 17285 WEB-CLIENT Microsoft Powerpoint PPT file parsing memory corruption attempt 20322 attempted-user 2006-3876 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.ppt; content:"|F2 03|"; content:"|AA AA AA 2F 00 C8 0F 0C 00 00 00 30 00 D2 0F 04 00|"; within:17; distance:1; metadata:policy security-ips drop, service http; classtype:attempted-user; 17292 WEB-CLIENT Microsoft Powerpoint malformed data record code execution attempt 27658 attempted-user 2008-0105 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,works.download; content:"|22 07 00 00 00 22 22 22 22 00 22 06 00 00 00 02 00 46 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17304 WEB-CLIENT Microsoft Works file converter file section header index table stack overflow attempt denial-of-service 2008-1437 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:established,to_server; content:"|49 44 45 44 38 55 45 47 47 53 39 6F 4F 72 2F 79 6A 45 77 6D 47 4C 76 57 4A 6A 56 4B 6B 6F 6D 6E 78 6E 2F 63 44 45 63 31 50 35|"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:denial-of-service; 17306 SPECIFIC-THREATS Microsoft Malware Protection Engine file processing denial of service attempt www.microsoft.com/technet/security/bulletin/MS08-029.mspx 30552 attempted-user 2008-0120 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|26 00 00 00 7F 00 80 00 80 00 04 41 64 00 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 17310 SPECIFIC-THREATS Microsoft Powerpoint Viewer Memory Allocation Code Execution 19389 attempted-user 2006-3281 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:".|7B|3050F4D8-98B5-11CF-BB82-00AA00BDCE0B|7D|"; fast_pattern:only; nocase; pcre:"/\x252e\x252e\x255c[^\s\x2e]*?\x2e\x7B3050F4D8-98B5-11CF-BB82-00AA00BDCE0B\x7d/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17316 WEB-CLIENT Microsoft Windows Folder GUID Code Execution attempt 20495 attempted-user 2006-5296 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.ppt; content:"|F8 0F 04 00 00 00|"; byte_test:4,>,2,0,relative,little; metadata:policy security-ips drop, service http; classtype:attempted-user; 17318 WEB-CLIENT Microsoft Powerpoint MCAtom remote code execution attempt 20495 attempted-user 2006-5296 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.ppt; content:"|FA 0F 04 00 00 00|"; byte_test:4,>,2147483646,0,relative,little; metadata:policy security-ips drop, service http; classtype:attempted-user; 17319 WEB-CLIENT Microsoft Powerpoint MCAtom remote code execution attempt 20495 attempted-user 2006-5296 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.ppt; content:"|F9 0F 04 00 00 00|"; byte_test:4,>,2147483646,0,relative,little; metadata:policy security-ips drop, service http; classtype:attempted-user; 17320 WEB-CLIENT Microsoft Powerpoint MCAtom remote code execution attempt 25092 attempted-admin 2007-6701 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:0; dce_stub_data; byte_test:4,>,100,4,relative,dce; byte_test:4,<,133,-4,relative,dce; content:"N|00|e|00|t|00|W|00|a|00|r|00|e|00| |00|R|00|e|00|m|00|o|00|t|00|e|00| |00|P|00|r|00|i|00|n|00|t|00|e|00|r|00|s|00|"; within:46; distance:20; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 17321 NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters name overflow attempt support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5005400.html 16167 attempted-user 2006-0143 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,wmf.download; file_data; content:"|00 09 00 00 03|"; content:"|04 00 00 00|"; distance:0; pcre:"/^(\x01|\x02)\x00\x09\x00{2}\x03/m"; pcre:"/\x04\x00{3}(\x26|\xff)/Rm"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17330 WEB-CLIENT Microsoft Windows GRE WMF Handling Memory Read Exception attempt 14214 attempted-user 2005-1219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"rXYZ"; byte_test:4,>,60,4,relative; content:"gXYZ"; within:4; distance:8; content:"bXYZ"; within:4; distance:8; metadata:policy security-ips drop, service http; classtype:attempted-user; 17347 WEB-CLIENT Microsoft Windows Color Management Module buffer overflow attempt 14214 attempted-user 2005-1219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"gXYZ"; content:"gXYZ"; within:4; distance:8; content:"bXYZ"; within:4; distance:8; byte_test:4,>,60,4,relative; metadata:policy security-ips drop, service http; classtype:attempted-user; 17348 WEB-CLIENT Microsoft Windows Color Management Module buffer overflow attempt 14214 attempted-user 2005-1219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"bXYZ"; content:"gXYZ"; within:4; distance:8; byte_test:4,>,60,4,relative; content:"bXYZ"; within:4; distance:8; metadata:policy security-ips drop, service http; classtype:attempted-user; 17349 WEB-CLIENT Microsoft Windows Color Management Module buffer overflow attempt web-application-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server, established; content:".cnt"; nocase; http_uri; pcre:"/\x2Ecnt([\?\x5c\x2f]|$)/smiU"; flowbits:set,MS_Help_content_file; flowbits:noalert; classtype:web-application-activity; 17364 WEB-CLIENT Microsoft Help Workshop CNT Help contents 22100 web-application-attack 2007-0352 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client, established; flowbits:isset,MS_Help_content_file; content:"Content-Type: text/plain"; fast_pattern:only; file_data; pcre:"/[^\n]{513}/Rsi"; metadata:policy security-ips drop; classtype:web-application-attack; 17365 WEB-CLIENT Microsoft Help Workshop CNT Help contents buffer overflow attempt 22135 attempted-user 2007-0427 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_client,established; content:"HLP"; nocase; pcre:"/^\s*HLP\s*\x3d\s*[^\n]{257}/smi"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 17366 WEB-CLIENT Microsoft Help Workshop HPJ OPTIONS section buffer overflow attempt 23382 attempted-user 2007-1912 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,from_server; content:"|3F 5F 03 00|"; depth:4; content:"TTLBTREE|00 2E 06 00 00 7C 62|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17374 SPECIFIC-THREATS Microsoft Windows HLP File Handling heap overflow attempt 28607 attempted-user 2008-1088 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"|00 0B 00 00 00 CC E5 1A 00 41 41 41 41 00 00 00 00 03 02 01 22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17382 SPECIFIC-THREATS Microsoft Project Invalid Memory Pointer Code Execution attempt 29158 attempted-user 2008-0119 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"|00 00 03 68 1A 01 00 00 34 00 00 00 01 20 01 00|"; content:"|01 20 1D 01 00 00 02 20 1C 01 00 00 03 90 5A 05 00 00 00 78 00 78|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17383 SPECIFIC-THREATS Microsoft Publisher Object Handler Validation Code Execution attempted 24963 attempted-user 2006-4183 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"|00 00 0A 00 00 00 00 00 00 00 00 00 00 80 00 80 20 20|"; within:18; metadata:policy security-ips drop, service http; classtype:attempted-user; 17408 WEB-CLIENT Microsoft DirectX Targa image file heap overflow attempt 12960 attempted-user 2005-0944 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"P|00|a|00|r|00|e|00|n|00|t|00|I|00|d|00|n|00|a|00|m|00|e|00 75 76|"; fast_pattern:only; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17413 SPECIFIC-THREATS Microsoft Jet DB Engine Buffer Overflow attempt 25282 attempted-user 2007-2224 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|2E|substringData"; pcre:"/\x2esubstringData\s*\x28[^\x2c]*\x2c\s*0x7(f|F){6}[6-9AaBbCcDdEeFf]/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17421 WEB-CLIENT Microsoft OLE automation string manipulation overflow attempt misc-activity 2010-3332 tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any gid:3; classtype:misc-activity; detection_filter:track by_src, count 100, seconds 30; metadata: engine shared, soid 3|17428, service http, policy balanced-ips drop, policy security-ips drop; 17428 WEB-MISC Microsoft ASP.NET information disclosure attempt www.microsoft.com/technet/security/bulletin/MS10-070.mspx misc-activity 2010-3332 tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any gid:3; classtype:misc-activity; detection_filter:track by_src, count 100, seconds 30; metadata: engine shared, soid 3|17429, service http, policy balanced-ips drop, policy security-ips drop; 17429 WEB-MISC Microsoft ASP.NET information disclosure attempt www.microsoft.com/technet/security/bulletin/MS10-070.mspx 15065 protocol-command-decode 2005-2120 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:11; dce_stub_data; content:"|5C 00 5C 00|"; distance:16; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; 17436 NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceListSize attempt www.microsoft.com/technet/security/bulletin/ms05-047.mspx 15065 protocol-command-decode 2005-2120 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:11; dce_stub_data; content:"|5C 5C|"; distance:16; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; 17438 NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceListSize attempt www.microsoft.com/technet/security/bulletin/ms05-047.mspx 15063 attempted-user 2005-2128 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client, established; content:"RIFF"; content:"strn"; distance:0; nocase; byte_test:4,>,128,0,relative, little; metadata:policy security-ips drop, service http; classtype:attempted-user; 17443 WEB-CLIENT Microsoft DirectShow AVI decoder buffer overflow attempt 26396 attempted-user 2007-5755 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FA3662C3-B8E8-11D6-A667-0010B556D978"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FA3662C3-B8E8-11D6-A667-0010B556D978\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SetMetadata)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FA3662C3-B8E8-11D6-A667-0010B556D978\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetMetadata))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17464 WEB-ACTIVEX AOL Radio AmpX ActiveX clsid access 26396 attempted-user 2007-5755 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|A|00|3|00|6|00|6|00|2|00|C|00|3|00|-|00|B|00|8|00|E|00|8|00|-|00|1|00|1|00|D|00|6|00|-|00|A|00|6|00|6|00|7|00|-|00|0|00|0|00|1|00|0|00|B|00|5|00|5|00|6|00|D|00|9|00|7|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x00A\x003\x006\x006\x002\x00C\x003\x00-\x00B\x008\x00E\x008\x00-\x001\x001\x00D\x006\x00-\x00A\x006\x006\x007\x00-\x000\x000\x001\x000\x00B\x005\x005\x006\x00D\x009\x007\x008\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17465 WEB-ACTIVEX AOL Radio AmpX ActiveX clsid unicode access 25945 attempted-user 2007-3896 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"document|2E|location|2E|replace"; content:"|2E|exe"; distance:0; nocase; content:"|2E|pdf"; distance:0; nocase; pcre:"/document\x2Elocation\x2Ereplace\s*\x28\s*(\x22|\x27)[a-z0-9]+\.exe\?[a-z0-9]+\.pdf/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17467 WEB-CLIENT Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt www.microsoft.com/technet/security/bulletin/ms07-057.mspx 25945 attempted-user 2007-3896 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"launchURL"; nocase; content:"http|3A|"; distance:0; pcre:"/[^\n]*?[\x25\x22]\x2E(com|bat|cmd|exe)/Ri"; metadata:policy security-ips alert, service http; classtype:attempted-user; 17468 WEB-CLIENT Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt www.microsoft.com/technet/security/bulletin/ms07-057.mspx 17325 attempted-user 2006-1591 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"|80 80 00 00 C0 C0 C0 00 80 80 80 00 00 00 FF 00 00 FF 00 00 00 FF FF 00 FF 00 00 00 FF 00 FF 00 FF FF 00 00 FF FF FF 00 00 41 41 41 41 41 41 41|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-user; 17489 SPECIFIC-THREATS Microsoft Windows Help File Heap Buffer Overflow attempt 17926 attempted-admin 2006-2297 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"|74 03 9E 02 4A 02 9C 01 12 01 8B 00 3E 00 25 00 00 00 02 00|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-admin; 17490 SPECIFIC-THREATS Microsoft Windows itss.dll CHM File Handling Heap Corruption attempt 20226 attempted-user 2006-4694 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.ppt; content:"|0F 00 10 04 36 00 00 00 0F 00 11 05 2E 00 00 00|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-user; 17496 WEB-CLIENT Microsoft Powerpoint malformed NamedShows record code execution attempt 20226 attempted-user 2006-4694 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.ppt; content:"|0F 00 10 04 1E 02 00 00 EB 0A 11 06 2E 02 00 00|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-user; 17497 WEB-CLIENT Microsoft Powerpoint malformed NamedShows record code execution attempt 21688 suspicious-filename-detect 2006-6696 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".application"; nocase; http_uri; flowbits:set,net.application; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:suspicious-filename-detect; 17508 WEB-MISC Microsoft .NET Application download attempt 21688 suspicious-filename-detect 2006-6696 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; flowbits:isset,net.application; content:".manifest"; nocase; http_uri; flowbits:set,manifest.application; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:suspicious-filename-detect; 17509 WEB-MISC Microsoft .NET Manifest download attempt 21688 suspicious-filename-detect 2006-6696 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; flowbits:isset,manifest.application; content:".deploy"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:suspicious-filename-detect; 17510 WEB-MISC Microsoft .NET Deploy download attempt attempted-user 2008-3558 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"new ActiveXObject|28|"; nocase; content:"unescape|28|"; within:20; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17571 WEB-ACTIVEX obfuscated instantiation of ActiveX object - likely malicious 32155 attempted-recon 2008-4029 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"<|21|DOCTYPE "; nocase; content:"SYSTEM"; distance:0; nocase; content:".parseError"; distance:0; fast_pattern; nocase; pcre:"/<\x21DOCTYPE\s+[^>]*?SYSTEM[^>]*?>.*?\x2EparseError/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-recon; 17572 WEB-CLIENT Microsoft XML Core Services cross-site information disclosure attempt www.microsoft.com/technet/security/Bulletin/MS08-069.mspx 33148 attempted-user 2008-4827 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"24e04ebf-014d-471f-930e-7654b1193ba9"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*24e04ebf-014d-471f-930e-7654b1193ba9\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AddTab)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*24e04ebf-014d-471f-930e-7654b1193ba9\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(AddTab))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17575 WEB-ACTIVEX SizerOne 2 ActiveX clsid access 33148 attempted-user 2008-4827 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|4|00|e|00|0|00|4|00|e|00|b|00|f|00|-|00|0|00|1|00|4|00|d|00|-|00|4|00|7|00|1|00|f|00|-|00|9|00|3|00|0|00|e|00|-|00|7|00|6|00|5|00|4|00|b|00|1|00|1|00|9|00|3|00|b|00|a|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x004\x00e\x000\x004\x00e\x00b\x00f\x00-\x000\x001\x004\x00d\x00-\x004\x007\x001\x00f\x00-\x009\x003\x000\x00e\x00-\x007\x006\x005\x004\x00b\x001\x001\x009\x003\x00b\x00a\x009\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17576 WEB-ACTIVEX SizerOne 2 ActiveX clsid unicode access 12175 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CcErrDsp.ErrorDisplay"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22CcErrDsp\.ErrorDisplay(\.\d)?\x22|\x27CcErrDsp\.ErrorDisplay(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*DisplayError\s*|.*(?P=v)\s*\.\s*DisplayError\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22CcErrDsp\.ErrorDisplay(\.\d)?\x22|\x27CcErrDsp\.ErrorDisplay(\.\d)?\x27)\s*\)(\s*\.\s*DisplayError\s*|.*(?P=n)\s*\.\s*DisplayError\s*)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17582 WEB-ACTIVEX Symantec Norton AntiVirus CcErrDisp ActiveX function call access 12175 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|c|00|E|00|r|00|r|00|D|00|s|00|p|00|.|00|E|00|r|00|r|00|o|00|r|00|D|00|i|00|s|00|p|00|l|00|a|00|y|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q1>\x22|\x27|)C\x00c\x00E\x00r\x00r\x00D\x00s\x00p\x00.\x00E\x00r\x00r\x00o\x00r\x00D\x00i\x00s\x00p\x00l\x00a\x00y\x00(\.\x00\d\x00)?(?P=q1)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q2>\x22|\x27|)C\x00c\x00E\x00r\x00r\x00D\x00s\x00p\x00.\x00E\x00r\x00r\x00o\x00r\x00D\x00i\x00s\x00p\x00l\x00a\x00y\x00(\.\x00\d\x00)?(?P=q2)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17583 WEB-ACTIVEX Symantec Norton AntiVirus CcErrDisp ActiveX function call unicode access 21155 attempted-user 2006-6027 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CA8A9780-280D-11CF-A24D-444553540000"; nocase; content:"onClick=|22|checkversion|28|fn.value|29 22|"; distance:0; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17587 SPECIFIC-THREATS AcroPDF.PDF ActiveX exploit attempt www.adobe.com/support/security/advisories/apsa06-02.html 19636 attempted-user 2006-4495 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4682C82A-B2FF-11D0-95A8-00A0C92B77A9"; fast_pattern:only; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17592 WEB-ACTIVEX Microsoft MyInfo.dll ActiveX clsid access www.xsec.org/index.php?module=Releases&act=view&type=1&id=16 19636 attempted-user 2006-4495 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8E71888A-423F-11D2-876E-00A0C9082467"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17593 WEB-ACTIVEX Microsoft msdxm.ocx ActiveX clsid access www.xsec.org/index.php?module=Releases&act=view&type=1&id=16 19636 attempted-user 2006-4495 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"606EF130-9852-11D3-97C6-0060084856D4"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17594 WEB-ACTIVEX Microsoft creator.dll 1 ActiveX clsid access www.xsec.org/index.php?module=Releases&act=view&type=1&id=16 19636 attempted-user 2006-4495 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F849164D-9863-11D3-97C6-0060084856D4"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17595 WEB-ACTIVEX Microsoft creator.dll 2 ActiveX clsid access www.xsec.org/index.php?module=Releases&act=view&type=1&id=16 19636 attempted-user 2006-4495 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17596 WEB-ACTIVEX Microsoft ciodm.dll ActiveX clsid access www.xsec.org/index.php?module=Releases&act=view&type=1&id=16 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A009C90D-814B-11D3-BA3E-080009D22344"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A009C90D-814B-11D3-BA3E-080009D22344\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Execute)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A009C90D-814B-11D3-BA3E-080009D22344\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Execute))/siO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17614 WEB-ACTIVEX SAP GUI SAPBExCommonResources ActiveX clsid access securitytracker.com/alerts/2010/Mar/1023760.html attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|0|00|0|00|9|00|C|00|9|00|0|00|D|00|-|00|8|00|1|00|4|00|B|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|A|00|3|00|E|00|-|00|0|00|8|00|0|00|0|00|0|00|9|00|D|00|2|00|2|00|3|00|4|00|4|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x000\x000\x009\x00C\x009\x000\x00D\x00-\x008\x001\x004\x00B\x00-\x001\x001\x00D\x003\x00-\x00B\x00A\x003\x00E\x00-\x000\x008\x000\x000\x000\x009\x00D\x002\x002\x003\x004\x004\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17615 WEB-ACTIVEX SAP GUI SAPBExCommonResources ActiveX clsid unicode access securitytracker.com/alerts/2010/Mar/1023760.html attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"SAPBExCommonResources.BExGlobal"; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22SAPBExCommonResources\.BExGlobal(\.\d)?\x22|\x27SAPBExCommonResources\.BExGlobal(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Execute\s*|.*(?P=v)\s*\.\s*Execute\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SAPBExCommonResources\.BExGlobal(\.\d)?\x22|\x27SAPBExCommonResources\.BExGlobal(\.\d)?\x27)\s*\)(\s*\.\s*Execute\s*|.*(?P=n)\s*\.\s*Execute\s*)/smiO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17616 WEB-ACTIVEX SAP GUI SAPBExCommonResources ActiveX function call access securitytracker.com/alerts/2010/Mar/1023760.html attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"S|00|A|00|P|00|B|00|E|00|x|00|C|00|o|00|m|00|m|00|o|00|n|00|R|00|e|00|s|00|o|00|u|00|r|00|c|00|e|00|s|00|.|00|B|00|E|00|x|00|G|00|l|00|o|00|b|00|a|00|l|00|"; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)S\x00A\x00P\x00B\x00E\x00x\x00C\x00o\x00m\x00m\x00o\x00n\x00R\x00e\x00s\x00o\x00u\x00r\x00c\x00e\x00s\x00.\x00B\x00E\x00x\x00G\x00l\x00o\x00b\x00a\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)S\x00A\x00P\x00B\x00E\x00x\x00C\x00o\x00m\x00m\x00o\x00n\x00R\x00e\x00s\x00o\x00u\x00r\x00c\x00e\x00s\x00.\x00B\x00E\x00x\x00G\x00l\x00o\x00b\x00a\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17617 WEB-ACTIVEX SAP GUI SAPBExCommonResources ActiveX function call unicode access securitytracker.com/alerts/2010/Mar/1023760.html 15352 attempted-user 2005-2123 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|C5 00 00 00 04 00 00 80 8D 00 83 00 8D 00 84 00 AF 01 10 01 AF 01 0F 01|"; fast_pattern:only; metadata:policy security-ips drop; classtype:attempted-user; 17618 SPECIFIC-THREATS Microsoft Windows hraphics engine EMF rendering vulnerability 16194 attempted-user 2006-0010 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|53 51 86 A4 50 1D CD 50 3B D5 D0 6C E3 D5 19 36 A5 55 34 63 7A 7B B1 04 1D E7 EF 6A 69 49 8A 54 D1 73 FD 0C F7 02 5E FA 70 4E E8 68 94 FF 14 1E DC 80 7B 58 96 D0 4A 7C DF F0 5C F0 50 88 73 8D|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-user; 17626 SPECIFIC-THREATS Microsoft Windows embedded web font handling buffer overflow attempt 33118 attempted-recon 2009-0022 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:to_server,established; content:"|FF|SMB|75|"; depth:5; offset:4; byte_jump:1,27,relative,multiplier 2; byte_jump:2,-2,relative,little; content:"|5C 00 5C 00|"; within:4; distance:2; content:"|5C 00 00 00|"; distance:0; pcre:"/\x5c\x00\x5c\x00[^\x5c]*\x5c\x00\x00\x00/"; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-recon; 17639 NETBIOS Samba Root File System access bypass attempt 34834 attempted-user 2009-0223 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.ppt; content:"|FF 03 00 00 00 60 16 8F 10 00 00 00 00 5F 07 90 08 28 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17646 WEB-CLIENT Microsoft Powerpoint Legacy file format picture object code execution attempt 27756 attempted-user 2008-5711 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"; fast_pattern:only; nocase; content:"unescape|28 22 25|u"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17654 SPECIFIC-THREATS Facebook Photo Uploader ActiveX exploit attempt www.microsoft.com/technet/security/advisory/953839.mspx 35970 attempted-user 2009-1546 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.avi; metadata: engine shared, soid 3|17694, service http, policy balanced-ips drop, policy security-ips drop; 17694 WEB-CLIENT Microsoft Windows AVI file chunk length integer overflow attempt 34833 attempted-user 2009-0220 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.ppt; metadata: engine shared, soid 3|17695, service http, policy balanced-ips drop, policy security-ips drop; 17695 WEB-CLIENT Microsoft PowerPoint paragraph format array inner header overflow attempt 15460 attempted-dos 2005-3644 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:48; dce_stub_data; byte_test:4,>,65534,70,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-dos; 17702 NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrDfsCreateExitPoint dos attempt www.microsoft.com/technet/security/advisory/911052.mspx attempted-user 2007-0064 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"|30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C|"; content:"|91 07 DC B7 B7 A9 CF 11 8E E6 00 C0 0C 20 53 65|"; content:"|E0 7D 90 35 15 E4 CF 11 A9 17 00 80 5F 5C 44 2B|"; byte_test:2,>,0xffc6,52,relative,little; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 17711 WEB-CLIENT Microsoft Windows ASF parsing memory corruption attempt www.microsoft.com/technet/security/bulletin/ms07-068.mspx attempted-admin 2009-1924 tcp $EXTERNAL_NET any -> $HOME_NET 42 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|17721, service netbios-ns, policy balanced-ips drop, policy security-ips drop; 17721 EXPLOIT WINS replication inform2 request memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-039.mspx attempted-user 2010-0231 tcp $EXTERNAL_NET any -> $HOME_NET 445 gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17723, service netbios-ns, policy balanced-ips drop, policy security-ips drop; 17723 NETBIOS possible SMB replay attempt - overlapping encryption keys detected www.microsoft.com/technet/security/bulletin/MS10-012.mspx attempted-user 2007-0099 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"getElementById"; nocase; content:"setTimeout"; fast_pattern; nocase; pcre:"/\x2esrc\s*=\s*[\x22\x27]([^\x2e]+)\x2exml\x3f[\x22\x27]\s*\x2b.*\x2esrc\s*=\s*[\x22\x27]\1\x2exml\x3f[^\x22\x27]+[\x22\x27]\s\x2b/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17730 WEB-CLIENT Microsoft XML Core Services MIME Viewer memory corruption attempt www.microsoft.com/technet/security/bulletin/MS08-069.mspx 15067 attempted-user 2005-1987 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"FromAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; metadata:policy security-ips drop; classtype:attempted-user; 17737 SPECIFIC-THREATS Microsoft collaboration data objects buffer overflow attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET 445 flow:to_server,established; content:"|FF|SMB2"; depth:5; offset:4; content:"|01 00|"; within:2; distance:56; flowbits:set,smb.trans2.findfirst2; flowbits:noalert; metadata:service netbios-ssn; classtype:misc-activity; 17745 NETBIOS SMB TRANS2 Find_First2 request attempt attempted-admin 2005-0045 tcp $EXTERNAL_NET 445 -> $HOME_NET any flow:to_client,established; flowbits:isset,smb.trans2.findfirst2; content:"|FF|SMB2"; depth:5; offset:4; flowbits:unset,smb.trans2.findfirst2; byte_jump:1,27,relative,multiplier 2; byte_test:2,>,1000,0,relative,little; byte_test:4,>,300,75,relative,little; metadata:policy security-ips drop; classtype:attempted-admin; 17746 NETBIOS SMB client TRANS response Find_First2 filesize overflow attempt www.microsoft.com/technet/security/bulletin/MS05-011.mspx 34205 misc-attack 2009-1072 tcp $EXTERNAL_NET any -> $HOME_NET 2049 flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 04 00 00 00 01|"; depth:28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,0,relative,big; content:"|00 00 00 06 00 00 00|"; byte_test:1,>,2,0,relative; byte_test:1,<,5,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:misc-attack; 17749 RPC Linux Kernel nfsd v4 CAP_MKNOD security bypass attempt attempted-user 2010-3329 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|17770, service http, policy balanced-ips drop, policy security-ips drop; 17770 WEB-ACTIVEX Microsoft HtmlDlgHelper ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS10-071.mspx attempted-user 2010-3331 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17772, service http, policy security-ips drop; 17772 WEB-ACTIVEX Microsoft Scriptlet Component ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS10-071.mspx attempted-user 2010-3228 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.exe; metadata: engine shared, soid 3|18064, service http, policy balanced-ips drop, policy security-ips drop; 18064 EXPLOIT Microsoft .NET framework EntityObject execution attempt www.microsoft.com/technet/security/bulletin/MS10-077.mspx attempted-user 2010-2572 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.ppt; metadata: engine shared, soid 3|18065, service http, policy balanced-ips drop, policy security-ips drop; 18065 EXPLOIT Microsoft PowerPoint converter bad indirection remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-088 attempted-user 2010-2573 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.ppt; metadata: engine shared, soid 3|18066, service http, policy balanced-ips drop, policy security-ips drop; 18066 WEB-CLIENT Microsoft PowerPoint integer underflow heap corruption attempt www.microsoft.com/technet/security/bulletin/MS10-088 attempted-user 2010-3337 tcp $HOME_NET 445 -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18070, service netbios-ssn, policy balanced-ips drop, policy security-ips drop; 18070 NETBIOS pptimpconv.dll access www.microsoft.com/technet/security/bulletin/MS10-089.mspx attempted-user 2010-2733 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18073, policy security-ips drop; 18073 WEB-MISC Microsoft Forefront UAG arbitrary embedded scripting attempt www.microsoft.com/technet/security/bulletin/MS10-089.mspx attempted-user 2009-3732 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B94C2238-346E-4C5E-9B36-8CC627F35574"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B94C2238-346E-4C5E-9B36-8CC627F35574\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(connect)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B94C2238-346E-4C5E-9B36-8CC627F35574\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(connect))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 18097 WEB-ACTIVEX VMWare Remote Console Plug-In ActiveX clsid access 21108 attempted-user 2006-5198 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"W|00|Z|00|F|00|I|00|L|00|E|00|V|00|I|00|E|00|W|00|.|00|F|00|i|00|l|00|e|00|V|00|i|00|e|00|w|00|C|00|t|00|r|00|l|00|.|00|6|00|1|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)W\x00Z\x00F\x00I\x00L\x00E\x00V\x00I\x00E\x00W\x00.\x00F\x00i\x00l\x00e\x00V\x00i\x00e\x00w\x00C\x00t\x00r\x00l\x00.\x006\x001\x00(\.\x00\d\x00)?(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)W\x00Z\x00F\x00I\x00L\x00E\x00V\x00I\x00E\x00W\x00.\x00F\x00i\x00l\x00e\x00V\x00i\x00e\x00w\x00C\x00t\x00r\x00l\x00.\x006\x001\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 18169 WEB-ACTIVEX WinZip FileView 6.1 ActiveX function call unicode access www.winzip.com/wz7245.htm 24198 protocol-command-decode 2007-2446 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:4fc742e0-4a10-11cf-8273-00aa004ae673; dce_opnum:5; dce_stub_data; content:"^t|D1 05|0|00 00 00 10 00 00 00| |00 00 00 00 00 00 00|"; within:20; distance:48; content:"|05 00|"; metadata:policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; 18189 NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum attempt 24198 protocol-command-decode 2007-2446 udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] flow:established,to_server; dce_iface:4fc742e0-4a10-11cf-8273-00aa004ae673; dce_opnum:5; dce_stub_data; content:"^t|D1 05|0|00 00 00 10 00 00 00| |00 00 00 00 00 00 00|"; within:20; distance:48; content:"|04 00|"; metadata:policy security-ips drop, service netbios-dgm; classtype:protocol-command-decode; 18190 NETBIOS DCERPC NCADG-IP-UDP netdfs NetrDfsEnum attempt 24198 protocol-command-decode 2007-2446 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:4fc742e0-4a10-11cf-8273-00aa004ae673; dce_opnum:5; dce_stub_data; content:"_t|D1 05|0|00 00 00 10 00 00 00| |00 00 00 00 00 00 00|"; within:20; distance:68; content:"|05 00|"; metadata:policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; 18191 NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum attempt 24198 protocol-command-decode 2007-2446 udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] flow:established,to_server; dce_iface:4fc742e0-4a10-11cf-8273-00aa004ae673; dce_opnum:5; dce_stub_data; content:"_t|D1 05|0|00 00 00 10 00 00 00| |00 00 00 00 00 00 00|"; within:20; distance:68; content:"|04 00|"; metadata:policy security-ips drop, service netbios-dgm; classtype:protocol-command-decode; 18192 NETBIOS DCERPC NCADG-IP-UDP netdfs NetrDfsEnum attempt attempted-user 2010-3340 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18197, service http, policy security-ips drop; 18197 WEB-ACTIVEX Microsoft COleSite ActiveX memory corruption attempt www.microsoft.com/technet/security/bulletin/MS10-090.mspx attempted-user 2010-3340 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18198, service http, policy security-ips drop; 18198 WEB-ACTIVEX Microsoft COleSite ActiveX memory corruption attempt www.microsoft.com/technet/security/bulletin/MS10-090.mspx attempted-user 2010-3340 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18199, service http, policy security-ips drop; 18199 WEB-ACTIVEX Microsoft COleSite ActiveX memory corruption attempt www.microsoft.com/technet/security/bulletin/MS10-090.mspx attempted-user 2010-3144 tcp $HOME_NET 445 -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18203, service netbios-ssn, policy security-ips drop; 18203 NETBIOS Windows Address Book smmscrpt.dll malicious DLL load www.microsoft.com/technet/security/bulletin/MS10-097.mspx attempted-user 2010-3147 tcp $HOME_NET 445 -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18206, service netbios-ssn, policy security-ips drop; 18206 NETBIOS Windows Address Book wab32res.dll malicious DLL load www.microsoft.com/technet/security/bulletin/MS10-096.mspx attempted-user 2010-3147 tcp $HOME_NET 445 -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18207, service netbios-ssn, policy security-ips drop; 18207 NETBIOS Windows Address Book msoeres32.dll malicious DLL load www.microsoft.com/technet/security/bulletin/MS10-096.mspx attempted-user 2010-3966 tcp $HOME_NET 445 -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18209, service netbios-ssn, policy balanced-ips drop, policy security-ips drop; 18209 NETBIOS Windows 7 Home peerdist.dll dll-load exploit attempt www.microsoft.com/technet/security/bulletin/MS10-095.mspx attempted-user 2010-3967 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18210, service http, policy balanced-ips drop, policy security-ips drop; 18210 WEB-CLIENT Microsoft Movie Maker hhctrl.ocx dll-load exploit attempt www.microsoft.com/technet/security/bulletin/MS10-093.mspx attempted-user 2010-3967 tcp $HOME_NET 445 -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18211, service netbios-ssn, policy balanced-ips drop, policy security-ips drop; 18211 NETBIOS Microsoft Movie Maker hhctrl.ocx dll-load exploit attempt www.microsoft.com/technet/security/bulletin/MS10-093.mspx attempted-user 2010-2742 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18215, service netbios-ssn, policy balanced-ips drop, policy security-ips alert; 18215 NETBIOS NETAPI RPC interface reboot attempt www.microsoft.com/technet/security/bulletin/MS10-101.mspx attempted-user 2010-3957 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18219, policy security-ips drop; 18219 WEB-CLIENT Microsoft Windows ATMFD font driver remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-091.mspx attempted-user 2010-3959 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18220, policy security-ips drop; 18220 WEB-CLIENT Microsoft Windows ATMFD font driver malformed character glyph remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-091.mspx attempted-user 2010-3954 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.pub; metadata: engine shared, soid 3|18230, service http, policy balanced-ips drop, policy security-ips drop; 18230 SPECIFIC-THREATS Microsoft Publisher memory corruption attempt www.microsoft.com/technet/security/bulletin/MS10-103.mspx attempted-user 2010-3955 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.pub; metadata: engine shared, soid 3|18231, service http, policy balanced-ips drop, policy security-ips drop; 18231 WEB-CLIENT Microsoft Publisher oversized oti length attempt www.microsoft.com/technet/security/bulletin/MS10-103.mspx attempted-admin 2010-3964 tcp $EXTERNAL_NET any -> $HOME_NET 8082 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|18238, service http, policy balanced-ips drop, policy security-ips drop; 18238 EXPLOIT Microsoft Sharepoint document conversion remote code excution attempt www.microsoft.com/technet/security/bulletin/MS10-104.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2745E5F5-D234-11D0-847A-00C04FD7BB08\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 18241 WEB-ACTIVEX Microsoft WMI Administrator Tools Object Viewer ActiveX clsid access secunia.com/advisories/42693/ attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AddContextRef"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22AddContextRef(\.\d)?\x22|\x27AddContextRef(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AddContextRef(\.\d)?\x22|\x27AddContextRef(\.\d)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 18242 WEB-ACTIVEX Microsoft WMI Administrator Tools Object Viewer ActiveX function call access secunia.com/advisories/42693/ attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FAXCOVER-VER005w"; nocase; content:"|87 00 00 00 4C 17 00 00 00 00 00 00 52 03 00 00|"; within:100; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 18246 WEB-CLIENT Microsoft Windows Fax Services Cover Page Editor overflow attempt www.vupen.com/english/advisories/2010/3327 6665 rpc-portmap-decode 2003-0027 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy security-ips drop, service sunrpc; classtype:rpc-portmap-decode; 2005 RPC portmap kcms_server request UDP www.kb.cert.org/vuls/id/850785 6665 misc-attack 2003-0027 tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 flow:to_server,established; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service sunrpc; classtype:misc-attack; 2007 RPC kcms_server directory traversal attempt www.kb.cert.org/vuls/id/850785 protocol-command-decode 2003-0201 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:protocol-command-decode; 2103 NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt successful-admin tcp $HOME_NET !21:23 -> $EXTERNAL_NET any flow:established; content:"Microsoft Windows"; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:successful-admin; 2123 ATTACK-RESPONSES Microsoft cmd.exe banner 11633 attempted-recon tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-recon; 2176 NETBIOS SMB startup folder access 8458 attempted-admin 2003-0715 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:attempted-admin; 2252 NETBIOS SMB-DS DCERPC Remote Activation bind attempt 11835 www.microsoft.com/technet/security/bulletin/MS03-039.mspx misc-attack tcp $EXTERNAL_NET any -> $HOME_NET 1024: flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; metadata:policy security-ips drop, service sunrpc; classtype:misc-attack; 2255 RPC sadmind query with root credentials attempt TCP misc-attack udp $EXTERNAL_NET any -> $HOME_NET 1024: flow:to_server; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; classtype:misc-attack; 2256 RPC sadmind query with root credentials attempt UDP 8826 attempted-admin 2003-0717 udp $EXTERNAL_NET any -> $HOME_NET 135 content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 2257 NETBIOS DCERPC Messenger Service buffer overflow attempt 11890 www.microsoft.com/technet/security/bulletin/MS03-043.mspx 8826 attempted-admin 2003-0717 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 2258 NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt 11890 www.microsoft.com/technet/security/bulletin/MS03-043.mspx 21220 protocol-command-decode 2006-6114 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:0; dce_stub_data; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; 2349 NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters attempt 9752 protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; metadata:policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; 2401 NETBIOS SMB Session Setup andx username overflow attempt www.eeye.com/html/Research/Advisories/AD20040226.html 9752 protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; metadata:policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; 2403 NETBIOS SMB Session Setup unicode username overflow attempt www.eeye.com/html/Research/Advisories/AD20040226.html 9707 attempted-user 2007-5746 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:from_client,established; content:".emf"; http_uri; flowbits:set,http.emf; flowbits:noalert; metadata:policy security-ips drop; classtype:attempted-user; 2435 WEB-CLIENT Microsoft emf metafile access www.microsoft.com/technet/security/bulletin/MS06-001.mspx attempted-user tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:from_client,established; content:".wmf"; nocase; http_uri; flowbits:set, wmf.download; flowbits:noalert; metadata:service http; classtype:attempted-user; 2436 WEB-CLIENT Microsoft wmf metafile access 10108 attempted-admin 2003-0533 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data; byte_test:4,>,256,0,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 2508 NETBIOS DCERPC NCACN-IP-TCP lsass DsRolerUpgradeDownlevelServer overflow attempt 12205 www.microsoft.com/technet/security/bulletin/MS04-011.mspx 10108 attempted-admin 2003-0533 udp $EXTERNAL_NET any -> $HOME_NET [135,138,1024:] dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data; byte_test:4,>,256,0,relative,dce; content:"|04 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-dgm; classtype:attempted-admin; 2511 NETBIOS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt 12205 www.microsoft.com/technet/security/bulletin/MS04-011.mspx protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:338cd001-2244-31f1-aaaa-900038001003; dce_opnum:24; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; 2942 NETBIOS DCERPC NCACN-IP-TCP winreg InitiateSystemShutdown attempt msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:protocol-command-decode; 3018 NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:policy security-ips drop; classtype:protocol-command-decode; 3019 NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:protocol-command-decode; 3020 NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:policy security-ips drop; classtype:protocol-command-decode; 3021 NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:protocol-command-decode; 3022 NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:policy security-ips drop; classtype:protocol-command-decode; 3023 NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:protocol-command-decode; 3024 NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:policy security-ips drop; classtype:protocol-command-decode; 3025 NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:protocol-command-decode; 3026 NETBIOS SMB NT Trans NT CREATE SACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy security-ips drop; classtype:protocol-command-decode; 3027 NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:protocol-command-decode; 3028 NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy security-ips drop; classtype:protocol-command-decode; 3029 NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:protocol-command-decode; 3030 NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy security-ips drop; classtype:protocol-command-decode; 3031 NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:protocol-command-decode; 3032 NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy security-ips drop; classtype:protocol-command-decode; 3033 NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:protocol-command-decode; 3034 NETBIOS SMB NT Trans NT CREATE DACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy security-ips drop; classtype:protocol-command-decode; 3035 NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:protocol-command-decode; 3036 NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy security-ips drop; classtype:protocol-command-decode; 3037 NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:protocol-command-decode; 3038 NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:policy security-ips drop; classtype:protocol-command-decode; 3039 NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt attempted-user 2007-1765 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,from_server; content:"RIFF"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 3079 WEB-CLIENT Microsoft ANI file parsing overflow www.microsoft.com/technet/security/bulletin/MS07-017.mspx protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; classtype:protocol-command-decode; 3135 NETBIOS SMB Trans2 QUERY_FILE_INFO attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; classtype:protocol-command-decode; 3136 NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; classtype:protocol-command-decode; 3137 NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy security-ips drop; classtype:protocol-command-decode; 3138 NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; classtype:protocol-command-decode; 3139 NETBIOS SMB Trans2 FIND_FIRST2 attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; classtype:protocol-command-decode; 3140 NETBIOS SMB Trans2 FIND_FIRST2 andx attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; classtype:protocol-command-decode; 3141 NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; classtype:protocol-command-decode; 3142 NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt 12484 protocol-command-decode 2005-0045 tcp $HOME_NET 139 -> $EXTERNAL_NET any flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:policy security-ips drop; classtype:protocol-command-decode; 3143 NETBIOS SMB Trans2 FIND_FIRST2 command response overflow attempt www.microsoft.com/technet/security/Bulletin/MS05-011.mspx 12484 protocol-command-decode 2005-0045 tcp $HOME_NET 139 -> $EXTERNAL_NET any flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:policy security-ips drop; classtype:protocol-command-decode; 3144 NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt www.microsoft.com/technet/security/Bulletin/MS05-011.mspx 12484 protocol-command-decode 2005-0045 tcp $HOME_NET 445 -> $EXTERNAL_NET any flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:policy security-ips drop; classtype:protocol-command-decode; 3146 NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt www.microsoft.com/technet/security/Bulletin/MS05-011.mspx protocol-command-decode 2003-0715 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:1; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; 3158 NETBIOS DCERPC NCACN-IP-TCP ISystemActivator CoGetInstanceFromFile attempt www.microsoft.com/technet/security/bulletin/ms03-039.mspx protocol-command-decode 2003-0715 udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:1; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; content:"|04 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service dcerpc; classtype:protocol-command-decode; 3159 NETBIOS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt www.microsoft.com/technet/security/bulletin/ms03-039.mspx attempted-admin 2005-0059 udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] dce_iface:975201B0-59CA-11D0-A8D5-00A0C90D8051; dce_opnum:4; dce_stub_data; byte_test:4,>,128,8,relative,dce; content:"|04 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:attempted-admin; 3171 NETBIOS DCERPC NCADG-IP-UDP msqueue function 4 overflow attempt www.microsoft.com/technet/security/Bulletin/MS05-017.mspx 8205 protocol-command-decode 2003-0352 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; 3397 NETBIOS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt www.microsoft.com/technet/security/bulletin/MS03-026.asp 8205 protocol-command-decode 2003-0352 udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; distance:0; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative; content:"|04 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service dcerpc; classtype:protocol-command-decode; 3398 NETBIOS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt www.microsoft.com/technet/security/bulletin/MS03-026.asp 8205 attempted-admin 2003-0715 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:4d9f4ab8-7d1c-11cf-861e-0020af6e7c57; dce_opnum:0; dce_stub_data; byte_test:4,>,256,52,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 3409 NETBIOS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt www.microsoft.com/technet/security/bulletin/MS03-039.mspx 13132 attempted-user 2005-0063 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isnotset,http.hta; content:"R|00|o|00|o|00|t|00| |00|E|00|n|00|t|00|r|00|y|00|"; nocase; content:"|D8 F4|P0|B5 98 CF 11 BB 82 00 AA 00 BD CE 0B|"; within:16; distance:60; metadata:policy security-ips drop; classtype:attempted-user; 3552 WEB-CLIENT OLE32 microsoft MSHTA masquerade attempt www.microsoft.com/technet/security/bulletin/ms05-016.mspx 14513 protocol-command-decode 2005-1983 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:54; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; 3967 NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_QueryResConfList attempt www.microsoft.com/technet/security/bulletin/ms05-039.mspx 14513 protocol-command-decode 2005-1983 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:53; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,32,16,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; 4072 NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_DetectResourceConflict attempt www.microsoft.com/technet/security/bulletin/ms05-039.mspx 8833 attempted-user 2003-0662 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"4B106874-DD36-11D0-8B44-00A024DD9EFF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4B106874-DD36-11D0-8B44-00A024DD9EFF/si"; metadata:policy security-ips drop; classtype:attempted-user; 4145 WEB-ACTIVEX Windows Trouble Shooter ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS03-042.mspx 14515 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"DE4735F3-7532-4895-93DC-9A10C4257173"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*DE4735F3-7532-4895-93DC-9A10C4257173/si"; metadata:policy security-ips drop; classtype:attempted-user; 4146 WEB-ACTIVEX Share Point Portal Services Log Sink ActiveX Object Access support.microsoft.com/default.aspx?scid=kb\;en-us\;KB837253 5558 attempted-user 2002-0647 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"99B42120-6EC7-11CF-A6C7-00AA00A47DD2"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*99B42120-6EC7-11CF-A6C7-00AA00A47DD2/si"; metadata:policy security-ips drop; classtype:attempted-user; 4147 WEB-ACTIVEX ActiveLabel ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS02-047.mspx 1474 attempted-user 2009-2519 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2D360201-FFF5-11d1-8D03-00A0C959BC0A"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2D360201-FFF5-11d1-8D03-00A0C959BC0A\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(LoadURL)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2D360201-FFF5-11d1-8D03-00A0C959BC0A\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(LoadURL))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 4148 WEB-ACTIVEX DHTML Editing ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS99-011.mspx 7384 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"0CF32AA1-7571-11D0-93C4-00AA00A3DDEA"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0CF32AA1-7571-11D0-93C4-00AA00A3DDEA/si"; metadata:policy security-ips drop; classtype:attempted-user; 4151 WEB-ACTIVEX System Monitor Source Properties ActiveX Object Access 619 attempted-user 1999-0669 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"06A7EC63-4E21-11D0-A112-00A0C90543AA"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*06A7EC63-4E21-11D0-A112-00A0C90543AA/si"; metadata:policy security-ips drop; classtype:attempted-user; 4153 WEB-ACTIVEX Eyedog ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS99-032.mspx 775 attempted-user 2000-0329 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"6E449683-C509-11CF-AAFA-00AA00B6015C"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E449683-C509-11CF-AAFA-00AA00B6015C/si"; metadata:policy security-ips drop; classtype:attempted-user; 4154 WEB-ACTIVEX Active Setup ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS99-048.mspx 1718 attempted-user 2001-0149 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"25336921-03F9-11CF-8FD0-00AA00686F13"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*25336921-03F9-11CF-8FD0-00AA00686F13/si"; metadata:policy security-ips drop; classtype:attempted-user; 4155 WEB-ACTIVEX htmlfile ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS01-015.mspx 668 attempted-user 1999-1484 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"8F0F5093-0A70-11D0-BCA9-00C04FD85AA6"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8F0F5093-0A70-11D0-BCA9-00C04FD85AA6/si"; metadata:policy security-ips drop; classtype:attempted-user; 4157 WEB-ACTIVEX MSN Setup BBS 4.71.0.10 ActiveX Object Access 5094 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"00022613-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00022613-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; classtype:attempted-user; 4159 WEB-ACTIVEX Multimedia File Property Sheet ActiveX Object Access 8454 attempted-user 2003-0530 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"167701E3-FDCF-11D0-A48E-006097C549FF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*167701E3-FDCF-11D0-A48E-006097C549FF/si"; metadata:policy security-ips drop; classtype:attempted-user; 4160 WEB-ACTIVEX Microsoft Windows Reporting Tool ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS03-032.mspx 13946 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"FF2BBC4A-6881-4294-BE0C-17535B1FCCFA"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FF2BBC4A-6881-4294-BE0C-17535B1FCCFA/si"; metadata:policy security-ips drop; classtype:attempted-user; 4161 WEB-ACTIVEX DigWebX MSN ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-025.mspx 13946 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"72770C4F-967D-4517-982B-92D6B9015649"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*72770C4F-967D-4517-982B-92D6B9015649/si"; metadata:policy security-ips drop; classtype:attempted-user; 4162 WEB-ACTIVEX DigWebX MSN ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-025.mspx 13946 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"0519F3C1-0ED3-4EF1-98F5-CC3FB10218C7"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0519F3C1-0ED3-4EF1-98F5-CC3FB10218C7/si"; metadata:policy security-ips drop; classtype:attempted-user; 4163 WEB-ACTIVEX DigWebX MSN ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-025.mspx 13946 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"13FA0C3E-6B1C-4D8B-88CD-6DA8E1CA7653"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*13FA0C3E-6B1C-4D8B-88CD-6DA8E1CA7653/si"; metadata:policy security-ips drop; classtype:attempted-user; 4164 WEB-ACTIVEX DigWebX MSN ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-025.mspx 12477 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"D4A97620-8E8F-11CF-93CD-00AA00C08FDF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D4A97620-8E8F-11CF-93CD-00AA00C08FDF/si"; metadata:policy security-ips drop; classtype:attempted-user; 4165 WEB-ACTIVEX Image Control 1.0 ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-014.mspx 11367 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E5D419D6-A846-4514-9FAD-97E826C84822"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E5D419D6-A846-4514-9FAD-97E826C84822\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy connectivity-ips drop, policy security-ips drop, service http; classtype:attempted-user; 4167 WEB-ACTIVEX MSN Heartbeat ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-069.mspx 9335 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"13709620-C279-11CE-A49E-444553540000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*13709620-C279-11CE-A49E-444553540000/si"; metadata:policy security-ips drop; classtype:attempted-user; 4168 WEB-ACTIVEX Shell Automation Service ActiveX Object Access 671 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"50E5E3D1-C07E-11D0-B9FD-00A0249F6B00"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*50E5E3D1-C07E-11D0-B9FD-00A0249F6B00/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 4171 WEB-ACTIVEX Registration Wizard ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS99-037.mspx attempted-user 2007-1205 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:attempted-user; 4172 WEB-ACTIVEX Microsoft Agent v1.5 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-020.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"F107317A-A488-11d4-AA25-00C04F72DAEB"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F107317A-A488-11d4-AA25-00C04F72DAEB/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 4173 WEB-ACTIVEX MsnPUpld ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-025.mspx 8008 attempted-user 2003-0470 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"69DEAF94-AF66-11D3-BEC0-00105AA9B6AE"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*69DEAF94-AF66-11D3-BEC0-00105AA9B6AE/si"; metadata:policy security-ips drop; classtype:attempted-user; 4174 WEB-ACTIVEX Symantec RuFSI registry Information Class ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS03-048.mspx 5489 attempted-user 2002-0975 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"970C7E08-05A7-11D0-89AA-00A0C9054129"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*970C7E08-05A7-11D0-89AA-00A0C9054129/si"; metadata:policy security-ips drop; classtype:attempted-user; 4179 WEB-ACTIVEX DirectX Files Viewer ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS02-066.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"84926CA0-2941-101C-816F-0E6013114B7F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*84926CA0-2941-101C-816F-0E6013114B7F/si"; metadata:policy security-ips drop; classtype:attempted-user; 4180 WEB-ACTIVEX Kodak Image Scan Control ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS99-037.mspx attempted-user 2002-0699 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"80CB7887-20DE-11D2-8D5C-00C04FC29D45"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80CB7887-20DE-11D2-8D5C-00C04FC29D45/si"; metadata:policy security-ips drop; classtype:attempted-user; 4181 WEB-ACTIVEX Smartcard Enrollment ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS02-048.mspx 4707 attempted-user 2002-0155 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"9088E688-063A-4806-A3DB-6522712FC061"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9088E688-063A-4806-A3DB-6522712FC061/si"; metadata:policy security-ips drop; classtype:attempted-user; 4182 WEB-ACTIVEX MSN Chat v4.5, 4.6 ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS02-022.mspx 13953 attempted-user 2005-1208 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"41B23C28-488E-4e5C-ACE2-BB0BBABE99E8"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*41B23C28-488E-4e5C-ACE2-BB0BBABE99E8/si"; metadata:policy security-ips drop; classtype:attempted-user; 4183 WEB-ACTIVEX HTML Help ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-026.mspx 5593 attempted-user 2002-0699 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"43F8F289-7A20-11D0-8F06-00C04FC295E1"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*43F8F289-7A20-11D0-8F06-00C04FC295E1/si"; metadata:policy security-ips drop; classtype:attempted-user; 4184 WEB-ACTIVEX Certificate Enrollment ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS02-048.mspx 5554 attempted-user 2002-0726 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"1fb464c8-09bb-4017-a2f5-eb742f04392f"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1fb464c8-09bb-4017-a2f5-eb742f04392f/si"; metadata:policy security-ips drop; classtype:attempted-user; 4185 WEB-ACTIVEX Terminal Services Advanced Client ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS02-046.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"6D940285-9F11-11CE-83FD-02608C3EC08A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6D940285-9F11-11CE-83FD-02608C3EC08A/si"; metadata:policy security-ips drop; classtype:attempted-user; 4186 WEB-ACTIVEX Kodak Image Editing ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS99-037.mspx 5554 attempted-user 2002-0726 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"791fa017-2de3-492e-acc5-53c67a2b94d0"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*791fa017-2de3-492e-acc5-53c67a2b94d0/si"; metadata:policy security-ips drop; classtype:attempted-user; 4187 WEB-ACTIVEX Terminal Services Advanced Client ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS02-046.mspx 11448 attempted-user 2004-0936 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249/si"; metadata:policy security-ips drop; classtype:attempted-user; 4188 WEB-ACTIVEX RAV Online Scanner ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS03-048.mspx attempted-user 2003-0233 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"06DD38D3-D187-11CF-A80D-00C04FD74AD8"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*06DD38D3-D187-11CF-A80D-00C04FD74AD8/si"; metadata:policy security-ips drop; classtype:attempted-user; 4189 WEB-ACTIVEX Third-Party Plugin ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS03-015.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"E1A6B8A0-3603-101C-AC6E-040224009C02"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E1A6B8A0-3603-101C-AC6E-040224009C02/si"; metadata:policy security-ips drop; classtype:attempted-user; 4190 WEB-ACTIVEX Kodak Thumbnail Image ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS99-037.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"C3DFA998-A486-11d4-AA25-00C04F72DAEB"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C3DFA998-A486-11d4-AA25-00C04F72DAEB/si"; metadata:policy security-ips drop; classtype:attempted-user; 4191 WEB-ACTIVEX MsnPUpld ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-025.mspx 669 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"130D7743-5F5A-11D1-B676-00A0C9697233"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*130D7743-5F5A-11D1-B676-00A0C9697233/si"; metadata:policy security-ips drop; classtype:attempted-user; 4192 WEB-ACTIVEX HHOpen ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS99-037.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"6D940280-9F11-11CE-83FD-02608C3EC08A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6D940280-9F11-11CE-83FD-02608C3EC08A/si"; metadata:policy security-ips drop; classtype:attempted-user; 4193 WEB-ACTIVEX Kodak Image Editing ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS99-037.mspx 13946 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"05E6787D-82D9-4D24-91DD-97FE8D199501"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*05E6787D-82D9-4D24-91DD-97FE8D199501/si"; metadata:policy security-ips drop; classtype:attempted-user; 4197 WEB-ACTIVEX DigWebX MSN ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-025.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D/si"; metadata:policy security-ips drop; classtype:attempted-user; 4200 WEB-ACTIVEX Index Server Scope Administration ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"ECABAFC2-7F19-11D2-978E-0000F8757E2A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ECABAFC2-7F19-11D2-978E-0000F8757E2A/si"; metadata:policy security-ips drop; classtype:attempted-user; 4201 WEB-ACTIVEX Queued Components Recorder ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"283807B8-2C60-11D0-A31D-00AA00B92C03"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*283807B8-2C60-11D0-A31D-00AA00B92C03/si"; metadata:policy security-ips drop; classtype:attempted-user; 4202 WEB-ACTIVEX DirectAnimation ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"250770F3-6AF2-11CF-A915-008029E31FCD"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*250770F3-6AF2-11CF-A915-008029E31FCD/si"; metadata:policy security-ips drop; classtype:attempted-user; 4203 WEB-ACTIVEX Microsoft Marquee Control ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"D24D4453-1F01-11D1-8E63-006097D2DF48"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D24D4453-1F01-11D1-8E63-006097D2DF48/si"; metadata:policy security-ips drop; classtype:attempted-user; 4204 WEB-ACTIVEX Microsoft DT PolyLine Control 2 ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"03CB9467-FD9D-42A8-82F9-8615B4223E6E"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*03CB9467-FD9D-42A8-82F9-8615B4223E6E/si"; metadata:policy security-ips drop; classtype:attempted-user; 4205 WEB-ACTIVEX Microsoft Visual Database Tools Database Designer v7.0 ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"598EBA02-B49A-11D2-A1C1-00609778EA66"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*598EBA02-B49A-11D2-A1C1-00609778EA66/si"; metadata:policy security-ips drop; classtype:attempted-user; 4206 WEB-ACTIVEX Microsoft MPEG-4 Video Decompressor Property Page ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"8FE7E181-BB96-11D2-A1CB-00609778EA66"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8FE7E181-BB96-11D2-A1CB-00609778EA66/si"; metadata:policy security-ips drop; classtype:attempted-user; 4207 WEB-ACTIVEX Microsoft MS Audio Decompressor Control Property Page ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"4CFB5280-800B-4367-848F-5A13EBF27F1D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4CFB5280-800B-4367-848F-5A13EBF27F1D/si"; metadata:policy security-ips drop; classtype:attempted-user; 4208 WEB-ACTIVEX LexRefStEsObject Class ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"B3E0E785-BD78-4366-9560-B7DABE2723BE"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B3E0E785-BD78-4366-9560-B7DABE2723BE/si"; metadata:policy security-ips drop; classtype:attempted-user; 4209 WEB-ACTIVEX LexRefStFrObject Class ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F/si"; metadata:policy security-ips drop; classtype:attempted-user; 4211 WEB-ACTIVEX Microsoft DDS Library Shape Control ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"4FAAB301-CEF6-477C-9F58-F601039E9B78"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4FAAB301-CEF6-477C-9F58-F601039E9B78/si"; metadata:policy security-ips drop; classtype:attempted-user; 4212 WEB-ACTIVEX Microsoft DDS Generic Class ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"6CBE0382-A879-4D2A-8EC3-1F2A43611BA8"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6CBE0382-A879-4D2A-8EC3-1F2A43611BA8/si"; metadata:policy security-ips drop; classtype:attempted-user; 4213 WEB-ACTIVEX Microsoft DDS Picture Shape Control ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"F117831B-C052-11D1-B1C0-00C04FC2F3EF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F117831B-C052-11D1-B1C0-00C04FC2F3EF/si"; metadata:policy security-ips drop; classtype:attempted-user; 4214 WEB-ACTIVEX Microsoft TipGW Init ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"3050F667-98B5-11CF-BB82-00AA00BDCE0B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3050F667-98B5-11CF-BB82-00AA00BDCE0B/si"; metadata:policy security-ips drop; classtype:attempted-user; 4215 WEB-ACTIVEX Microsoft HTML Popup Window ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"1AA06BA1-0E88-11D1-8391-00C04FBD7C09"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1AA06BA1-0E88-11D1-8391-00C04FBD7C09/si"; metadata:policy security-ips drop; classtype:attempted-user; 4216 WEB-ACTIVEX CLSID_CComAcctImport ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"7007ACCF-3202-11D1-AAD2-00805FC1270E"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7007ACCF-3202-11D1-AAD2-00805FC1270E/si"; metadata:policy security-ips drop; classtype:attempted-user; 4219 WEB-ACTIVEX Microsoft Network Connections Tray ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"992CFFA0-F557-101A-88EC-00DD010CCC48"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*992CFFA0-F557-101A-88EC-00DD010CCC48/si"; metadata:policy security-ips drop; classtype:attempted-user; 4220 WEB-ACTIVEX Microsoft Network and Dial-Up Connections ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"00020420-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020420-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; classtype:attempted-user; 4221 WEB-ACTIVEX Microsoft ProxyStub Dispatch ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"ABBA001B-3075-11D6-88A4-00B0D0200F88"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ABBA001B-3075-11D6-88A4-00B0D0200F88/si"; metadata:policy security-ips drop; classtype:attempted-user; 4223 WEB-ACTIVEX Microsoft OpenCable Class ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"CE292861-FC88-11D0-9E69-00C04FD7C15B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CE292861-FC88-11D0-9E69-00C04FD7C15B/si"; metadata:policy security-ips drop; classtype:attempted-user; 4224 WEB-ACTIVEX Microsoft VideoPort ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"6E227101-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E227101-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; classtype:attempted-user; 4225 WEB-ACTIVEX Microsoft Repository ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"7057E952-BD1B-11D1-8919-00C04FC2C836"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7057E952-BD1B-11D1-8919-00C04FC2C836/si"; metadata:policy security-ips drop; classtype:attempted-user; 4226 WEB-ACTIVEX Microsoft DocHost User Interface Handler ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"7007ACC7-3202-11D1-AAD2-00805FC1270E"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7007ACC7-3202-11D1-AAD2-00805FC1270E/si"; metadata:policy security-ips drop; classtype:attempted-user; 4227 WEB-ACTIVEX Microsoft Network Connections ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"4622AD11-FF23-11D0-8D34-00A0C90F2719"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4622AD11-FF23-11D0-8D34-00A0C90F2719/si"; metadata:policy security-ips drop; classtype:attempted-user; 4228 WEB-ACTIVEX Microsoft Windows Start Menu ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"98CB4060-D3E7-42A1-8D65-949D34EBFE14"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98CB4060-D3E7-42A1-8D65-949D34EBFE14/si"; metadata:policy security-ips drop; classtype:attempted-user; 4229 WEB-ACTIVEX MSAPP Export Support for Microsoft Access ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"47C6C527-6204-4F91-849D-66E234DEE015"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*47C6C527-6204-4F91-849D-66E234DEE015/si"; metadata:policy security-ips drop; classtype:attempted-user; 4230 WEB-ACTIVEX Search Assistant UI ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"35CEC8A3-2BE6-11D2-8773-92E220524153"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*35CEC8A3-2BE6-11D2-8773-92E220524153/si"; metadata:policy security-ips drop; classtype:attempted-user; 4231 WEB-ACTIVEX Microsoft SysTray ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"730F6CDC-2C86-11D2-8773-92E220524153"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*730F6CDC-2C86-11D2-8773-92E220524153/si"; metadata:policy security-ips drop; classtype:attempted-user; 4232 WEB-ACTIVEX Microsoft SysTray Invoker ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"2C10A98F-D64F-43B4-BED6-DD0E1BF2074C"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2C10A98F-D64F-43B4-BED6-DD0E1BF2074C/si"; metadata:policy security-ips drop; classtype:attempted-user; 4233 WEB-ACTIVEX Microsoft Visual Database Tools Query Designer v7.0 ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"6F9F3481-84DD-4B14-B09C-6B4288ECCDE8"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6F9F3481-84DD-4B14-B09C-6B4288ECCDE8/si"; metadata:policy security-ips drop; classtype:attempted-user; 4234 WEB-ACTIVEX Microsoft MSVTDGridCtrl7 ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"F0975AFE-5C7F-11D2-8B74-00104B2AFB41"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F0975AFE-5C7F-11D2-8B74-00104B2AFB41/si"; metadata:policy security-ips drop; classtype:attempted-user; 4236 WEB-ACTIVEX WMI ASDI Extension ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx 15056 attempted-admin 2005-2119 tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] flow:established,to_server; dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:7; dce_stub_data; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,0,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:attempted-admin; 4245 NETBIOS DCERPC NCACN-IP-TCP msdtc BuildContextW overflow attempt www.microsoft.com/technet/security/bulletin/MS05-051.mspx 15056 attempted-admin 2005-2119 udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:7; dce_stub_data; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,0,relative,dce; content:"|04 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:attempted-admin; 4246 NETBIOS DCERPC NCADG-IP-UDP msdtc BuildContextW overflow attempt www.microsoft.com/technet/security/bulletin/MS05-051.mspx 15065 protocol-command-decode 2005-2120 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:11; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,0,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; 4358 NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceListSize attempt www.microsoft.com/technet/security/bulletin/ms05-047.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"009541A0-3B81-101C-92F3-040224009C02"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*009541A0-3B81-101C-92F3-040224009C02/si"; metadata:policy security-ips drop; classtype:attempted-user; 4648 WEB-CLIENT wang image admin activex object access www.microsoft.com/technet/security/bulletin/MS99-037.mspx 6666 attempted-admin 2003-0003 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:d3fbb514-0e3b-11cb-8fad-08002b1d29c3; dce_opnum:0; dce_stub_data; byte_test:4,>,256,8,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 4754 NETBIOS DCERPC NCACN-IP-TCP locator nsi_binding_lookup_begin overflow attempt www.microsoft.com/technet/security/bulletin/MS03-001.mspx 6666 attempted-admin 2003-0003 udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] dce_iface:d3fbb514-0e3b-11cb-8fad-08002b1d29c3; dce_opnum:0; dce_stub_data; byte_test:4,>,256,8,relative,dce; content:"|04 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:attempted-admin; 4755 NETBIOS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt www.microsoft.com/technet/security/bulletin/MS03-001.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"0002000D-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002000D-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; classtype:attempted-user; 4890 WEB-ACTIVEX IAVIStream & IAVIFile Proxy ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"ECABAFC0-7F19-11D2-978E-0000F8757E2A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ECABAFC0-7F19-11D2-978E-0000F8757E2A/si"; metadata:policy security-ips drop; classtype:attempted-user; 4891 WEB-ACTIVEX cfw Class ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"ECABB0AB-7F19-11D2-978E-0000F8757E2A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ECABB0AB-7F19-11D2-978E-0000F8757E2A/si"; metadata:policy security-ips drop; classtype:attempted-user; 4892 WEB-ACTIVEX MTSEvents Class ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"3050F4F5-98B5-11CF-BB82-00AA00BDCE0B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3050F4F5-98B5-11CF-BB82-00AA00BDCE0B/si"; metadata:policy security-ips drop; classtype:attempted-user; 4893 WEB-ACTIVEX Trident HTMLEditor ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"00020421-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020421-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; classtype:attempted-user; 4894 WEB-ACTIVEX PSEnumVariant ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"00020422-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020422-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; classtype:attempted-user; 4895 WEB-ACTIVEX PSTypeInfo ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"00020423-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020423-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; classtype:attempted-user; 4896 WEB-ACTIVEX PSTypeLib ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"00020424-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020424-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; classtype:attempted-user; 4897 WEB-ACTIVEX PSOAInterface ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"00020425-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00020425-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; classtype:attempted-user; 4898 WEB-ACTIVEX PSTypeComp ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"DF0B3D60-548F-101B-8E65-08002B2BD119"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*DF0B3D60-548F-101B-8E65-08002B2BD119/si"; metadata:policy security-ips drop; classtype:attempted-user; 4899 WEB-ACTIVEX ISupportErrorInfo Interface ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64/si"; metadata:policy security-ips drop; classtype:attempted-user; 4901 WEB-ACTIVEX VMR Allocator Presenter 9 ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"51B4ABF3-748F-4E3B-A276-C828330E926A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*51B4ABF3-748F-4E3B-A276-C828330E926A/si"; metadata:policy security-ips drop; classtype:attempted-user; 4902 WEB-ACTIVEX Video Mixing Renderer 9 ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"E4979309-7A32-495E-8A92-7B014AAD4961"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E4979309-7A32-495E-8A92-7B014AAD4961/si"; metadata:policy security-ips drop; classtype:attempted-user; 4903 WEB-ACTIVEX VMR ImageSync 9 ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"62EC9F22-5E30-11D2-97A1-00C04FB6DD9A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*62EC9F22-5E30-11D2-97A1-00C04FB6DD9A/si"; metadata:policy security-ips drop; classtype:attempted-user; 4904 WEB-ACTIVEX Microsoft Repository Alias ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"6E2270FB-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E2270FB-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; classtype:attempted-user; 4905 WEB-ACTIVEX Microsoft Repository Object ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"6E227109-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E227109-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; classtype:attempted-user; 4906 WEB-ACTIVEX Microsoft Repository Interface Definition ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"6E22710A-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710A-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; classtype:attempted-user; 4907 WEB-ACTIVEX Microsoft Repository Collection Definition ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"6E22710B-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710B-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; classtype:attempted-user; 4908 WEB-ACTIVEX Microsoft Repository Method Definition ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"6E22710C-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710C-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; classtype:attempted-user; 4909 WEB-ACTIVEX Microsoft Repository Property Definition ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"6E22710D-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710D-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; classtype:attempted-user; 4910 WEB-ACTIVEX Microsoft Repository Relationship Definition ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"6E22710E-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710E-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; classtype:attempted-user; 4911 WEB-ACTIVEX Microsoft Repository Type Library ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"6E22710F-F799-11CF-9227-00AA00A1EB95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E22710F-F799-11CF-9227-00AA00A1EB95/si"; metadata:policy security-ips drop; classtype:attempted-user; 4912 WEB-ACTIVEX Microsoft Repository Root ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"B1D4ED44-EE64-11D0-97E6-00C04FC30B4A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B1D4ED44-EE64-11D0-97E6-00C04FC30B4A/si"; metadata:policy security-ips drop; classtype:attempted-user; 4913 WEB-ACTIVEX Microsoft Repository Workspace ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"D675E22B-CAE9-11D2-AF7B-00C04F99179F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D675E22B-CAE9-11D2-AF7B-00C04F99179F/si"; metadata:policy security-ips drop; classtype:attempted-user; 4914 WEB-ACTIVEX Microsoft Repository Script Definition ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"00021401-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00021401-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; classtype:attempted-user; 4915 WEB-ACTIVEX Shortcut Handler ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx 10514 attempted-user 2004-0549 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"00000566-0000-0010-8000-00AA006D2EA4"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00000566-0000-0010-8000-00AA006D2EA4/si"; metadata:policy security-ips drop; classtype:attempted-user; 4982 WEB-ACTIVEX Adodb.Stream ActiveX Object Access www.microsoft.com/technet/security/bulletin/ms04-025.mspx 10514 attempted-user 2004-0549 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"CreateObject"; nocase; content:"Adodb.stream"; distance:0; fast_pattern; nocase; pcre:"/CreateObject\(\s*\x22Adodb\.stream/smi"; metadata:policy security-ips drop; classtype:attempted-user; 4983 WEB-ACTIVEX Adodb.Stream ActiveX Object Access CreateObject Function www.microsoft.com/technet/security/bulletin/ms04-025.mspx 12481 attempted-admin 2005-0050 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:57674CD0-5200-11CE-A897-08002B2E9C6D; dce_opnum:0; dce_stub_data; byte_test:4,>,256,8,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 5485 NETBIOS DCERPC NCACN-IP-TCP llsrpc2 LlsrLicenseRequestW overflow attempt www.microsoft.com/technet/security/bulletin/ms05-010.mspx 9752 protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; metadata:policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; 5677 NETBIOS SMB Session Setup username overflow attempt www.eeye.com/html/Research/Advisories/AD20040226.html 9752 protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; metadata:policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; 5682 NETBIOS SMB Session Setup unicode andx username overflow attempt www.eeye.com/html/Research/Advisories/AD20040226.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".hhp"; nocase; http_uri; flowbits:set,http.hhp.download; flowbits:noalert; metadata:service http; classtype:misc-activity; 5740 WEB-CLIENT Microsoft HTML help workshop file .hhp download attempt attempted-user 2006-0564 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,http.hhp.download; content:"["; content:"]"; distance:0; content:"file"; distance:0; nocase; content:"="; distance:0; pcre:"/\x5B(OPTIONS|WINDOWS|MERGE FILES|MAP|ALIAS|TEXT\x20POPUPS|INFOTYPES|SUBSETS)\x5D.*?(Contents|Index|Compiled|Sample List|Full text search stop list)\x20file\s*\x3D[^\r\n]{200}/smi"; metadata:policy security-ips drop; classtype:attempted-user; 5741 WEB-CLIENT Microsoft HTML help workshop buffer overflow attempt www.frsirt.com/english/advisories/2006/0446 attempted-user 2006-1186 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"1F7DD4F2-CAC3-11D0-A35B-00AA00BDCDFD"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1F7DD4F2-CAC3-11D0-A35B-00AA00BDCDFD/si"; metadata:policy security-ips drop; classtype:attempted-user; 6002 WEB-ACTIVEX Microsoft DT DDS Rectilinear GDD Layout ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS06-013.mspx attempted-user 2006-1186 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"1F7DD4F3-CAC3-11D0-A35B-00AA00BDCDFD"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1F7DD4F3-CAC3-11D0-A35B-00AA00BDCDFD/si"; metadata:policy security-ips drop; classtype:attempted-user; 6003 WEB-ACTIVEX Microsoft DT DDS Rectilinear GDD Route ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS06-013.mspx attempted-user 2006-1186 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"B0406342-B0C5-11d0-89A9-00A0C9054129"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0406342-B0C5-11d0-89A9-00A0C9054129/si"; metadata:policy security-ips drop; classtype:attempted-user; 6004 WEB-ACTIVEX Microsoft DT DDS Circular Auto Layout Logic 2 ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS06-013.mspx attempted-user 2006-1186 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"B0406343-B0C5-11d0-89A9-00A0C9054129"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0406343-B0C5-11d0-89A9-00A0C9054129/si"; metadata:policy security-ips drop; classtype:attempted-user; 6005 WEB-ACTIVEX Microsoft DT DDS Straight Line Routing Logic 2 ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS06-013.mspx attempted-user 2006-1186 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"D24D4450-1F01-11D1-8E63-006097D2DF48"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D24D4450-1F01-11D1-8E63-006097D2DF48/si"; metadata:policy security-ips drop; classtype:attempted-user; 6006 WEB-ACTIVEX Microsoft DT Icon Control ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS06-013.mspx attempted-user 2006-1186 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"4CECCEB1-8359-11D0-A34E-00AA00BDCDFD"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4CECCEB1-8359-11D0-A34E-00AA00BDCDFD/si"; metadata:policy security-ips drop; classtype:attempted-user; 6007 WEB-ACTIVEX Microsoft DT DDS OrgChart GDD Layout ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS06-013.mspx attempted-user 2006-1186 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"4CECCEB2-8359-11D0-A34E-00AA00BDCDFD"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4CECCEB2-8359-11D0-A34E-00AA00BDCDFD/si"; metadata:policy security-ips drop; classtype:attempted-user; 6008 WEB-ACTIVEX Microsoft DT DDS OrgChart GDD Route ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS06-013.mspx 17462 attempted-user 2006-0003 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"BD96C556-65A3-11D0-983A-00C04FC29E36"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BD96C556-65A3-11D0-983A-00C04FC29E36/si"; metadata:policy security-ips drop; classtype:attempted-user; 6009 WEB-ACTIVEX RDS.Dataspace ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS06-014.mspx 17905 attempted-admin 2006-1184 tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] flow:established,to_server; dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:7; dce_stub_data; byte_test:4,>,37,28,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service dcerpc; classtype:attempted-admin; 6419 NETBIOS DCERPC NCACN-IP-TCP msdtc BuildContextW invalid uuid size attempt www.microsoft.com/technet/security/bulletin/MS06-018.mspx 17905 attempted-admin 2006-1184 udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:7; dce_stub_data; byte_test:4,>,37,28,relative,dce; content:"|04 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service dcerpc; classtype:attempted-admin; 6420 NETBIOS DCERPC NCADG-IP-UDP msdtc BuildContextW invalid uuid size attempt www.microsoft.com/technet/security/bulletin/MS06-018.mspx 17905 attempted-admin 2006-1184 tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] flow:established,to_server; dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:7; dce_stub_data; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,37,0,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service dcerpc; classtype:attempted-admin; 6431 NETBIOS DCERPC NCACN-IP-TCP msdtc BuildContextW invalid second uuid size attempt www.microsoft.com/technet/security/bulletin/MS06-018.mspx 17905 attempted-admin 2006-1184 udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:7; dce_stub_data; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,37,0,relative,dce; content:"|04 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service dcerpc; classtype:attempted-admin; 6432 NETBIOS DCERPC NCADG-IP-UDP msdtc BuildContextW invalid second uuid size attempt www.microsoft.com/technet/security/bulletin/MS06-018.mspx 17906 attempted-admin 2006-0034 tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] flow:established,to_server; dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:7; dce_stub_data; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,<,37,0,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:attempted-admin; 6443 NETBIOS DCERPC NCACN-IP-TCP msdtc BuildContextW heap overflow attempt www.microsoft.com/technet/security/bulletin/MS06-018.mspx 17906 attempted-admin 2006-0034 udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:7; dce_stub_data; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,<,37,0,relative,dce; content:"|04 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:attempted-admin; 6444 NETBIOS DCERPC NCADG-IP-UDP msdtc BuildContextW heap overflow attempt www.microsoft.com/technet/security/bulletin/MS06-018.mspx 17906 attempted-admin 2006-0034 tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] flow:established,to_server; dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:1; dce_stub_data; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,<,37,0,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service dcerpc; classtype:attempted-admin; 6455 NETBIOS DCERPC NCACN-IP-TCP msdtc BuildContext heap overflow attempt www.microsoft.com/technet/security/bulletin/MS06-018.mspx 17906 attempted-admin 2006-0034 udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] dce_iface:906B0CE0-C70B-1067-B317-00DD010662DA; dce_opnum:1; dce_stub_data; pcre:"/^.{28}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,<,37,0,relative,dce; content:"|04 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service dcerpc; classtype:attempted-admin; 6456 NETBIOS DCERPC NCADG-IP-UDP msdtc BuildContext heap overflow attempt www.microsoft.com/technet/security/bulletin/MS06-018.mspx attempted-user 2006-2383 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DXImageTransform.Microsoft.Light"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DXImageTransform.Microsoft.Light\x22|\x27DXImageTransform.Microsoft.Light\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DXImageTransform.Microsoft.Light\x22|\x27DXImageTransform.Microsoft.Light\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 6516 WEB-ACTIVEX DXImageTransform.Microsoft.Light ActiveX function call access www.microsoft.com/technet/security/Bulletin/MS06-021.mspx attempted-user 2006-2383 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F9EFBEC2-4302-11D2-952A-00C04FA34F05"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F9EFBEC2-4302-11D2-952A-00C04FA34F05/si"; metadata:policy security-ips drop; classtype:attempted-user; 6517 WEB-ACTIVEX DXImageTransform.Microsoft.Light ActiveX CLSID access www.microsoft.com/technet/security/Bulletin/MS06-021.mspx attempted-user 2006-2383 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|9|00|E|00|F|00|B|00|E|00|C|00|2|00|-|00|4|00|3|00|0|00|2|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x009\x00E\x00F\x00B\x00E\x00C\x002\x00-\x004\x003\x000\x002\x00-\x001\x001\x00D\x002\x00-\x009\x005\x002\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x00F\x000\x005\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 6518 WEB-ACTIVEX DXImageTransform.Microsoft.Light ActiveX CLSID unicode access www.microsoft.com/technet/security/Bulletin/MS06-021.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DXImageTransform.Microsoft.MMSpecialEffect2Inputs"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DXImageTransform.Microsoft.MMSpecialEffect2Inputs\x22|\x27DXImageTransform.Microsoft.MMSpecialEffect2Inputs\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DXImageTransform.Microsoft.MMSpecialEffect2Inputs\x22|\x27DXImageTransform.Microsoft.MMSpecialEffect2Inputs\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 6682 WEB-ACTIVEX DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX function call access www.microsoft.com/technet/security/Bulletin/MS06-021.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|5|00|3|00|3|00|5|00|9|00|C|00|1|00|-|00|3|00|9|00|E|00|1|00|-|00|4|00|9|00|1|00|b|00|-|00|9|00|9|00|5|00|1|00|-|00|4|00|6|00|4|00|F|00|D|00|8|00|A|00|B|00|0|00|7|00|1|00|C|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x005\x003\x003\x005\x009\x00C\x001\x00-\x003\x009\x00E\x001\x00-\x004\x009\x001\x00b\x00-\x009\x009\x005\x001\x00-\x004\x006\x004\x00F\x00D\x008\x00A\x00B\x000\x007\x001\x00C\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 6683 WEB-ACTIVEX DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX CLSID unicode access www.microsoft.com/technet/security/Bulletin/MS06-021.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"353359C1-39E1-491b-9951-464FD8AB071C"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*353359C1-39E1-491b-9951-464FD8AB071C/si"; metadata:policy security-ips drop; classtype:attempted-user; 6684 WEB-ACTIVEX DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX CLSID access www.microsoft.com/technet/security/Bulletin/MS06-021.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|6|00|3|00|3|00|4|00|4|00|D|00|8|00|-|00|7|00|0|00|D|00|3|00|-|00|4|00|0|00|3|00|2|00|-|00|9|00|B|00|3|00|2|00|-|00|7|00|A|00|3|00|C|00|A|00|D|00|5|00|0|00|9|00|1|00|A|00|5|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x006\x003\x003\x004\x004\x00D\x008\x00-\x007\x000\x00D\x003\x00-\x004\x000\x003\x002\x00-\x009\x00B\x003\x002\x00-\x007\x00A\x003\x00C\x00A\x00D\x005\x000\x009\x001\x00A\x005\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 6685 WEB-ACTIVEX DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX CLSID unicode access www.microsoft.com/technet/security/Bulletin/MS06-021.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C63344D8-70D3-4032-9B32-7A3CAD5091A5"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C63344D8-70D3-4032-9B32-7A3CAD5091A5/si"; metadata:policy security-ips drop; classtype:attempted-user; 6686 WEB-ACTIVEX DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX CLSID access www.microsoft.com/technet/security/Bulletin/MS06-021.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DXImageTransform.Microsoft.MMSpecialEffect1Input"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DXImageTransform.Microsoft.MMSpecialEffect1Input\x22|\x27DXImageTransform.Microsoft.MMSpecialEffect1Input\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DXImageTransform.Microsoft.MMSpecialEffect1Input\x22|\x27DXImageTransform.Microsoft.MMSpecialEffect1Input\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 6687 WEB-ACTIVEX DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX function call access www.microsoft.com/technet/security/Bulletin/MS06-021.mspx 18358 attempted-admin 2006-2371 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:20610036-fa22-11cf-9823-00a0c911e5df; dce_opnum:10; dce_stub_data; byte_test:4,>,34,68,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 6714 NETBIOS DCERPC NCACN-IP-TCP rras RasRpcSetUserPreferences phonebook mode overflow attempt www.microsoft.com/technet/security/bulletin/MS06-025.mspx 18358 attempted-admin 2006-2371 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:20610036-fa22-11cf-9823-00a0c911e5df; dce_opnum:10; dce_stub_data; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,258,0,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 6906 NETBIOS DCERPC NCACN-IP-TCP rras RasRpcSetUserPreferences callback number overflow attempt www.microsoft.com/technet/security/bulletin/MS06-025.mspx 20704 attempted-user 2006-5559 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ADODB.Recordset"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22ADODB.Recordset\x22|\x27ADODB.Recordset\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22ADODB.Recordset\x22|\x27ADODB.Recordset\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 7003 WEB-ACTIVEX ADODB.Recordset ActiveX function call access osvdb.org/26834 18769 attempted-user 2006-3357 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Internet.HHCtrl.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Internet.HHCtrl.1\x22|\x27Internet.HHCtrl.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Internet.HHCtrl.1\x22|\x27Internet.HHCtrl.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 7004 WEB-ACTIVEX Internet.HHCtrl.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/ms06-046.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ASControls.InstallEngineCtl"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22ASControls.InstallEngineCtl\x22|\x27ASControls.InstallEngineCtl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22ASControls.InstallEngineCtl\x22|\x27ASControls.InstallEngineCtl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 7006 WEB-ACTIVEX ASControls.InstallEngineCtl ActiveX function call access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AxDebugger.Document.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22AxDebugger.Document.1\x22|\x27AxDebugger.Document.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22AxDebugger.Document.1\x22|\x27AxDebugger.Document.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 7007 WEB-ACTIVEX AxDebugger.Document.1 ActiveX function call access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAUserData"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAUserData\x22|\x27DirectAnimation.DAUserData\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAUserData\x22|\x27DirectAnimation.DAUserData\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 7008 WEB-ACTIVEX DirectAnimation.DAUserData ActiveX function call access attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.StructuredGraphicsControl"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.StructuredGraphicsControl\x22|\x27DirectAnimation.StructuredGraphicsControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.StructuredGraphicsControl\x22|\x27DirectAnimation.StructuredGraphicsControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 7009 WEB-ACTIVEX DirectAnimation.StructuredGraphicsControl ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"HtmlDlgSafeHelper.HtmlDlgSafeHelper.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22HtmlDlgSafeHelper.HtmlDlgSafeHelper.1\x22|\x27HtmlDlgSafeHelper.HtmlDlgSafeHelper.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22HtmlDlgSafeHelper.HtmlDlgSafeHelper.1\x22|\x27HtmlDlgSafeHelper.HtmlDlgSafeHelper.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 7010 WEB-ACTIVEX HtmlDlgSafeHelper.HtmlDlgSafeHelper.1 ActiveX function call access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"HtmlDlgSafeHelper.HtmlDlgSafeHelper"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22HtmlDlgSafeHelper.HtmlDlgSafeHelper\x22|\x27HtmlDlgSafeHelper.HtmlDlgSafeHelper\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22HtmlDlgSafeHelper.HtmlDlgSafeHelper\x22|\x27HtmlDlgSafeHelper.HtmlDlgSafeHelper\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 7011 WEB-ACTIVEX HtmlDlgSafeHelper.HtmlDlgSafeHelper ActiveX function call access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Internet.PopupMenu.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Internet.PopupMenu.1\x22|\x27Internet.PopupMenu.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Internet.PopupMenu.1\x22|\x27Internet.PopupMenu.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 7012 WEB-ACTIVEX Internet.PopupMenu.1 ActiveX function call access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Microsoft.ISCatAdm"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Microsoft.ISCatAdm\x22|\x27Microsoft.ISCatAdm\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Microsoft.ISCatAdm\x22|\x27Microsoft.ISCatAdm\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 7013 WEB-ACTIVEX Microsoft.ISCatAdm ActiveX function call access 19114 attempted-dos 2006-3897 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"NMSA.ASFSourceMediaDescription.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22NMSA.ASFSourceMediaDescription.1\x22|\x27NMSA.ASFSourceMediaDescription.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22NMSA.ASFSourceMediaDescription.1\x22|\x27NMSA.ASFSourceMediaDescription.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-dos; 7014 WEB-ACTIVEX NMSA.ASFSourceMediaDescription.1 ActiveX function call access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"NMSA.MediaDescription"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22NMSA.MediaDescription\x22|\x27NMSA.MediaDescription\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22NMSA.MediaDescription\x22|\x27NMSA.MediaDescription\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 7015 WEB-ACTIVEX NMSA.MediaDescription ActiveX function call access 18903 attempted-dos 2006-3512 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Object.Microsoft.DXTFilter"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Object.Microsoft.DXTFilter\x22|\x27Object.Microsoft.DXTFilter\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Object.Microsoft.DXTFilter\x22|\x27Object.Microsoft.DXTFilter\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-dos; 7016 WEB-ACTIVEX Object.Microsoft.DXTFilter ActiveX function call access 18900 attempted-user 2006-3510 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"RDS.DataControl"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22RDS.DataControl\x22|\x27RDS.DataControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22RDS.DataControl\x22|\x27RDS.DataControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 7017 WEB-ACTIVEX RDS.DataControl ActiveX function call access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Sysmon"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Sysmon\x22|\x27Sysmon\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Sysmon\x22|\x27Sysmon\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 7018 WEB-ACTIVEX Sysmon ActiveX function call access 17462 attempted-user 2006-0003 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"RDS.DataSpace"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22RDS.DataSpace\x22|\x27RDS.DataSpace\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22RDS.DataSpace\x22|\x27RDS.DataSpace\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 7026 WEB-ACTIVEX RDS.Dataspace ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-014.mspx 18864 protocol-command-decode 2006-3942 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; within:1; distance:27; content:"|01 00 00 00|"; within:4; distance:1; content:!"|00|"; within:25; distance:4; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; 7035 NETBIOS SMB Trans mailslot heap overflow attempt www.microsoft.com/technet/security/bulletin/MS06-063.mspx 18864 protocol-command-decode 2006-3942 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; within:1; distance:27; content:!"|00 00|"; within:50; distance:9; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; 7036 NETBIOS SMB Trans unicode mailslot heap overflow attempt www.microsoft.com/technet/security/bulletin/MS06-063.mspx 18864 protocol-command-decode 2006-3942 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03|"; within:1; distance:27; content:"|01 00 00 00|"; within:4; distance:1; content:!"|00|"; within:25; distance:4; metadata:policy security-ips drop; classtype:protocol-command-decode; 7039 NETBIOS SMB Trans andx mailslot heap overflow attempt www.microsoft.com/technet/security/bulletin/MS06-063.mspx 18864 protocol-command-decode 2006-3942 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03|"; within:1; distance:27; content:!"|00 00|"; within:50; distance:9; metadata:policy security-ips drop; classtype:protocol-command-decode; 7040 NETBIOS SMB Trans unicode andx mailslot heap overflow attempt www.microsoft.com/technet/security/bulletin/MS06-063.mspx 18864 protocol-command-decode 2006-3942 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03|"; within:1; distance:27; content:"|01 00 00 00|"; within:4; distance:1; content:!"|00|"; within:25; distance:4; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; 7041 NETBIOS-DG SMB Trans andx mailslot heap overflow attempt www.microsoft.com/technet/security/bulletin/MS06-063.mspx 19409 attempted-admin 2006-3439 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:31; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,0,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 7209 NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt www.microsoft.com/technet/security/bulletin/MS06-040.mspx 19409 attempted-admin 2006-3439 udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:31; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,0,relative,dce; content:"|04 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-dgm; classtype:attempted-admin; 7210 NETBIOS DCERPC NCADG-IP-UDP srvsvc NetrPathCanonicalize overflow attempt www.microsoft.com/technet/security/bulletin/MS06-040.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BC0D69A8-0923-4EEE-9375-9239F5A38B92"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC0D69A8-0923-4EEE-9375-9239F5A38B92/si"; metadata:policy security-ips drop; classtype:attempted-user; 7425 WEB-ACTIVEX 9x8Resize ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|C|00|0|00|D|00|6|00|9|00|A|00|8|00|-|00|0|00|9|00|2|00|3|00|-|00|4|00|E|00|E|00|E|00|-|00|9|00|3|00|7|00|5|00|-|00|9|00|2|00|3|00|9|00|F|00|5|00|A|00|3|00|8|00|B|00|9|00|2|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x00C\x000\x00D\x006\x009\x00A\x008\x00-\x000\x009\x002\x003\x00-\x004\x00E\x00E\x00E\x00-\x009\x003\x007\x005\x00-\x009\x002\x003\x009\x00F\x005\x00A\x003\x008\x00B\x009\x002\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7426 WEB-ACTIVEX 9x8Resize ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C0D076C5-E4C6-4561-8BF4-80DA8DB819D7"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0D076C5-E4C6-4561-8BF4-80DA8DB819D7/si"; metadata:policy security-ips drop; classtype:attempted-user; 7427 WEB-ACTIVEX Allocator Fix ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|0|00|D|00|0|00|7|00|6|00|C|00|5|00|-|00|E|00|4|00|C|00|6|00|-|00|4|00|5|00|6|00|1|00|-|00|8|00|B|00|F|00|4|00|-|00|8|00|0|00|D|00|A|00|8|00|D|00|B|00|8|00|1|00|9|00|D|00|7|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x000\x00D\x000\x007\x006\x00C\x005\x00-\x00E\x004\x00C\x006\x00-\x004\x005\x006\x001\x00-\x008\x00B\x00F\x004\x00-\x008\x000\x00D\x00A\x008\x00D\x00B\x008\x001\x009\x00D\x007\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7428 WEB-ACTIVEX Allocator Fix ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4F3E50BD-A9D7-4721-B0E1-00CB42A0A747"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4F3E50BD-A9D7-4721-B0E1-00CB42A0A747/si"; metadata:policy security-ips drop; classtype:attempted-user; 7429 WEB-ACTIVEX Bitmap ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|F|00|3|00|E|00|5|00|0|00|B|00|D|00|-|00|A|00|9|00|D|00|7|00|-|00|4|00|7|00|2|00|1|00|-|00|B|00|0|00|E|00|1|00|-|00|0|00|0|00|C|00|B|00|4|00|2|00|A|00|0|00|A|00|7|00|4|00|7|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x00F\x003\x00E\x005\x000\x00B\x00D\x00-\x00A\x009\x00D\x007\x00-\x004\x007\x002\x001\x00-\x00B\x000\x00E\x001\x00-\x000\x000\x00C\x00B\x004\x002\x00A\x000\x00A\x007\x004\x007\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7430 WEB-ACTIVEX Bitmap ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"39A2C2A6-4778-11D2-9BDB-204C4F4F5020"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*39A2C2A6-4778-11D2-9BDB-204C4F4F5020/si"; metadata:policy security-ips drop; classtype:attempted-user; 7431 WEB-ACTIVEX DirectFrame.DirectControl.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|9|00|A|00|2|00|C|00|2|00|A|00|6|00|-|00|4|00|7|00|7|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|B|00|D|00|B|00|-|00|2|00|0|00|4|00|C|00|4|00|F|00|4|00|F|00|5|00|0|00|2|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x009\x00A\x002\x00C\x002\x00A\x006\x00-\x004\x007\x007\x008\x00-\x001\x001\x00D\x002\x00-\x009\x00B\x00D\x00B\x00-\x002\x000\x004\x00C\x004\x00F\x004\x00F\x005\x000\x002\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7432 WEB-ACTIVEX DirectFrame.DirectControl.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1B544C24-FD0B-11CE-8C63-00AA0044B520"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1B544C24-FD0B-11CE-8C63-00AA0044B520/si"; metadata:policy security-ips drop; classtype:attempted-user; 7433 WEB-ACTIVEX DirectX Transform Wrapper Property Page ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|B|00|5|00|4|00|4|00|C|00|2|00|4|00|-|00|F|00|D|00|0|00|B|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|6|00|3|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|4|00|B|00|5|00|2|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x00B\x005\x004\x004\x00C\x002\x004\x00-\x00F\x00D\x000\x00B\x00-\x001\x001\x00C\x00E\x00-\x008\x00C\x006\x003\x00-\x000\x000\x00A\x00A\x000\x000\x004\x004\x00B\x005\x002\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7434 WEB-ACTIVEX DirectX Transform Wrapper Property Page ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5DFB2651-9668-11D0-B17B-00C04FC2A0CA"; fast_pattern:only; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 7435 WEB-ACTIVEX Dynamic Casts ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DATuple"; fast_pattern:only; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 7436 WEB-ACTIVEX Dynamic Casts ActiveX function call www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6C68955E-F965-4249-8E18-F0977B1D2899"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6C68955E-F965-4249-8E18-F0977B1D2899/si"; metadata:policy security-ips drop; classtype:attempted-user; 7437 WEB-ACTIVEX Frame Eater ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|C|00|6|00|8|00|9|00|5|00|5|00|E|00|-|00|F|00|9|00|6|00|5|00|-|00|4|00|2|00|4|00|9|00|-|00|8|00|E|00|1|00|8|00|-|00|F|00|0|00|9|00|7|00|7|00|B|00|1|00|D|00|2|00|8|00|9|00|9|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x00C\x006\x008\x009\x005\x005\x00E\x00-\x00F\x009\x006\x005\x00-\x004\x002\x004\x009\x00-\x008\x00E\x001\x008\x00-\x00F\x000\x009\x007\x007\x00B\x001\x00D\x002\x008\x009\x009\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7438 WEB-ACTIVEX Frame Eater ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2007-0214 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"52A2AAAE-085D-4187-97EA-8C30DB990436"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*52A2AAAE-085D-4187-97EA-8C30DB990436\s*}?\s*\1/si"; metadata:policy security-ips drop; classtype:attempted-user; 7439 WEB-ACTIVEX HTML Help ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-008.mspx attempted-user 2007-0214 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|2|00|A|00|2|00|A|00|A|00|A|00|E|00|-|00|0|00|8|00|5|00|D|00|-|00|4|00|1|00|8|00|7|00|-|00|9|00|7|00|E|00|A|00|-|00|8|00|C|00|3|00|0|00|D|00|B|00|9|00|9|00|0|00|4|00|3|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x002\x00A\x002\x00A\x00A\x00A\x00E\x00-\x000\x008\x005\x00D\x00-\x004\x001\x008\x007\x00-\x009\x007\x00E\x00A\x00-\x008\x00C\x003\x000\x00D\x00B\x009\x009\x000\x004\x003\x006\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 7440 WEB-ACTIVEX HTML Help ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-008.mspx 13953 attempted-user 2005-1208 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|1|00|B|00|2|00|3|00|C|00|2|00|8|00|-|00|4|00|8|00|8|00|E|00|-|00|4|00|e|00|5|00|C|00|-|00|A|00|C|00|E|00|2|00|-|00|B|00|B|00|0|00|B|00|B|00|A|00|B|00|E|00|9|00|9|00|E|00|8|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x001\x00B\x002\x003\x00C\x002\x008\x00-\x004\x008\x008\x00E\x00-\x004\x00e\x005\x00C\x00-\x00A\x00C\x00E\x002\x00-\x00B\x00B\x000\x00B\x00B\x00A\x00B\x00E\x009\x009\x00E\x008\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7441 WEB-ACTIVEX HTML Help ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS05-026.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E8C31D11-6FD2-4659-AD75-155FA143F42B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E8C31D11-6FD2-4659-AD75-155FA143F42B/si"; metadata:policy security-ips drop; classtype:attempted-user; 7442 WEB-ACTIVEX mmAEPlugIn.AEPlugIn.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|8|00|C|00|3|00|1|00|D|00|1|00|1|00|-|00|6|00|F|00|D|00|2|00|-|00|4|00|6|00|5|00|9|00|-|00|A|00|D|00|7|00|5|00|-|00|1|00|5|00|5|00|F|00|A|00|1|00|4|00|3|00|F|00|4|00|2|00|B|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x008\x00C\x003\x001\x00D\x001\x001\x00-\x006\x00F\x00D\x002\x00-\x004\x006\x005\x009\x00-\x00A\x00D\x007\x005\x00-\x001\x005\x005\x00F\x00A\x001\x004\x003\x00F\x004\x002\x00B\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7443 WEB-ACTIVEX mmAEPlugIn.AEPlugIn.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020/si"; metadata:policy security-ips drop; classtype:attempted-user; 7444 WEB-ACTIVEX Mmedia.AsyncMHandler.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|D|00|A|00|2|00|A|00|A|00|3|00|E|00|-|00|3|00|D|00|9|00|6|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|B|00|D|00|2|00|-|00|2|00|0|00|4|00|C|00|4|00|F|00|4|00|F|00|5|00|0|00|2|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x00D\x00A\x002\x00A\x00A\x003\x00E\x00-\x003\x00D\x009\x006\x00-\x001\x001\x00D\x002\x00-\x009\x00B\x00D\x002\x00-\x002\x000\x004\x00C\x004\x00F\x004\x00F\x005\x000\x002\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7445 WEB-ACTIVEX Mmedia.AsyncMHandler.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5B4B05EB-1F63-446B-AAD1-E10A34D650E0"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5B4B05EB-1F63-446B-AAD1-E10A34D650E0/si"; metadata:policy security-ips drop; classtype:attempted-user; 7446 WEB-ACTIVEX Record Queue ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|B|00|4|00|B|00|0|00|5|00|E|00|B|00|-|00|1|00|F|00|6|00|3|00|-|00|4|00|4|00|6|00|B|00|-|00|A|00|A|00|D|00|1|00|-|00|E|00|1|00|0|00|A|00|3|00|4|00|D|00|6|00|5|00|0|00|E|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x00B\x004\x00B\x000\x005\x00E\x00B\x00-\x001\x00F\x006\x003\x00-\x004\x004\x006\x00B\x00-\x00A\x00A\x00D\x001\x00-\x00E\x001\x000\x00A\x003\x004\x00D\x006\x005\x000\x00E\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7447 WEB-ACTIVEX Record Queue ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CFFB1FC7-270D-4986-B299-FECF3F0E42DB"; fast_pattern:only; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CFFB1FC7-270D-4986-B299-FECF3F0E42DB/si"; metadata:policy security-ips drop; classtype:attempted-user; 7448 WEB-ACTIVEX ShotDetect ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|F|00|F|00|B|00|1|00|F|00|C|00|7|00|-|00|2|00|7|00|0|00|D|00|-|00|4|00|9|00|8|00|6|00|-|00|B|00|2|00|9|00|9|00|-|00|F|00|E|00|C|00|F|00|3|00|F|00|0|00|E|00|4|00|2|00|D|00|B|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00F\x00F\x00B\x001\x00F\x00C\x007\x00-\x002\x007\x000\x00D\x00-\x004\x009\x008\x006\x00-\x00B\x002\x009\x009\x00-\x00F\x00E\x00C\x00F\x003\x00F\x000\x00E\x004\x002\x00D\x00B\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7449 WEB-ACTIVEX ShotDetect ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F44BB2D0-F070-463E-9433-B0CCF3CFD627"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F44BB2D0-F070-463E-9433-B0CCF3CFD627/si"; metadata:policy security-ips drop; classtype:attempted-user; 7450 WEB-ACTIVEX Stetch ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|4|00|4|00|B|00|B|00|2|00|D|00|0|00|-|00|F|00|0|00|7|00|0|00|-|00|4|00|6|00|3|00|E|00|-|00|9|00|4|00|3|00|3|00|-|00|B|00|0|00|C|00|C|00|F|00|3|00|C|00|F|00|D|00|6|00|2|00|7|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x004\x004\x00B\x00B\x002\x00D\x000\x00-\x00F\x000\x007\x000\x00-\x004\x006\x003\x00E\x00-\x009\x004\x003\x003\x00-\x00B\x000\x00C\x00C\x00F\x003\x00C\x00F\x00D\x006\x002\x007\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7451 WEB-ACTIVEX Stetch ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED/si"; metadata:policy security-ips drop; classtype:attempted-user; 7452 WEB-ACTIVEX WM Color Converter Filter ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|C|00|4|00|5|00|B|00|0|00|B|00|0|00|-|00|7|00|2|00|D|00|8|00|-|00|4|00|6|00|5|00|2|00|-|00|A|00|E|00|5|00|F|00|-|00|5|00|E|00|3|00|E|00|2|00|6|00|6|00|B|00|E|00|7|00|E|00|D|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00C\x004\x005\x00B\x000\x00B\x000\x00-\x007\x002\x00D\x008\x00-\x004\x006\x005\x002\x00-\x00A\x00E\x005\x00F\x00-\x005\x00E\x003\x00E\x002\x006\x006\x00B\x00E\x007\x00E\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7453 WEB-ACTIVEX WM Color Converter Filter ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"44C79591-D0DE-49C4-BA3C-A45AB7003356"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*44C79591-D0DE-49C4-BA3C-A45AB7003356/si"; metadata:policy security-ips drop; classtype:attempted-user; 7454 WEB-ACTIVEX Wmm2ae.dll ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|4|00|C|00|7|00|9|00|5|00|9|00|1|00|-|00|D|00|0|00|D|00|E|00|-|00|4|00|9|00|C|00|4|00|-|00|B|00|A|00|3|00|C|00|-|00|A|00|4|00|5|00|A|00|B|00|7|00|0|00|0|00|3|00|3|00|5|00|6|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x004\x00C\x007\x009\x005\x009\x001\x00-\x00D\x000\x00D\x00E\x00-\x004\x009\x00C\x004\x00-\x00B\x00A\x003\x00C\x00-\x00A\x004\x005\x00A\x00B\x007\x000\x000\x003\x003\x005\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7455 WEB-ACTIVEX Wmm2ae.dll ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0/si"; metadata:policy security-ips drop; classtype:attempted-user; 7456 WEB-ACTIVEX Wmm2fxa.dll ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|2|00|D|00|4|00|5|00|2|00|9|00|E|00|-|00|8|00|4|00|E|00|0|00|-|00|4|00|5|00|5|00|0|00|-|00|A|00|2|00|E|00|0|00|-|00|C|00|2|00|5|00|D|00|7|00|C|00|5|00|C|00|C|00|0|00|D|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x002\x00D\x004\x005\x002\x009\x00E\x00-\x008\x004\x00E\x000\x00-\x004\x005\x005\x000\x00-\x00A\x002\x00E\x000\x00-\x00C\x002\x005\x00D\x007\x00C\x005\x00C\x00C\x000\x00D\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7457 WEB-ACTIVEX Wmm2fxa.dll ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D74CA70F-2236-4BA8-A297-4B2A28C2363C"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D74CA70F-2236-4BA8-A297-4B2A28C2363C/si"; metadata:policy security-ips drop; classtype:attempted-user; 7458 WEB-ACTIVEX Wmm2fxb.dll ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|7|00|4|00|C|00|A|00|7|00|0|00|F|00|-|00|2|00|2|00|3|00|6|00|-|00|4|00|B|00|A|00|8|00|-|00|A|00|2|00|9|00|7|00|-|00|4|00|B|00|2|00|A|00|2|00|8|00|C|00|2|00|3|00|6|00|3|00|C|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x007\x004\x00C\x00A\x007\x000\x00F\x00-\x002\x002\x003\x006\x00-\x004\x00B\x00A\x008\x00-\x00A\x002\x009\x007\x00-\x004\x00B\x002\x00A\x002\x008\x00C\x002\x003\x006\x003\x00C\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7459 WEB-ACTIVEX Wmm2fxb.dll ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C/si"; metadata:policy security-ips drop; classtype:attempted-user; 7460 WEB-ACTIVEX WMT Audio Analyzer ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|C|00|B|00|1|00|6|00|2|00|3|00|E|00|-|00|B|00|B|00|E|00|C|00|-|00|4|00|E|00|8|00|D|00|-|00|B|00|2|00|D|00|F|00|-|00|D|00|C|00|0|00|8|00|C|00|6|00|F|00|4|00|6|00|2|00|7|00|C|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x00C\x00B\x001\x006\x002\x003\x00E\x00-\x00B\x00B\x00E\x00C\x00-\x004\x00E\x008\x00D\x00-\x00B\x002\x00D\x00F\x00-\x00D\x00C\x000\x008\x00C\x006\x00F\x004\x006\x002\x007\x00C\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7461 WEB-ACTIVEX WMT Audio Analyzer ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2EA10031-0033-450E-8072-E27D9E768142"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2EA10031-0033-450E-8072-E27D9E768142/si"; metadata:policy security-ips drop; classtype:attempted-user; 7462 WEB-ACTIVEX WMT Black Frame Generator ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|E|00|A|00|1|00|0|00|0|00|3|00|1|00|-|00|0|00|0|00|3|00|3|00|-|00|4|00|5|00|0|00|E|00|-|00|8|00|0|00|7|00|2|00|-|00|E|00|2|00|7|00|D|00|9|00|E|00|7|00|6|00|8|00|1|00|4|00|2|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x00E\x00A\x001\x000\x000\x003\x001\x00-\x000\x000\x003\x003\x00-\x004\x005\x000\x00E\x00-\x008\x000\x007\x002\x00-\x00E\x002\x007\x00D\x009\x00E\x007\x006\x008\x001\x004\x002\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7463 WEB-ACTIVEX WMT Black Frame Generator ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C8F209F8-480E-454C-94A4-5392D88EBA0F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C8F209F8-480E-454C-94A4-5392D88EBA0F/si"; metadata:policy security-ips drop; classtype:attempted-user; 7464 WEB-ACTIVEX WMT DeInterlace Filter ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|8|00|F|00|2|00|0|00|9|00|F|00|8|00|-|00|4|00|8|00|0|00|E|00|-|00|4|00|5|00|4|00|C|00|-|00|9|00|4|00|A|00|4|00|-|00|5|00|3|00|9|00|2|00|D|00|8|00|8|00|E|00|B|00|A|00|0|00|F|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x008\x00F\x002\x000\x009\x00F\x008\x00-\x004\x008\x000\x00E\x00-\x004\x005\x004\x00C\x00-\x009\x004\x00A\x004\x00-\x005\x003\x009\x002\x00D\x008\x008\x00E\x00B\x00A\x000\x00F\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7465 WEB-ACTIVEX WMT DeInterlace Filter ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A2EDA89A-0966-4B91-9C18-AB69F098187F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2EDA89A-0966-4B91-9C18-AB69F098187F/si"; metadata:policy security-ips drop; classtype:attempted-user; 7466 WEB-ACTIVEX WMT DeInterlace Prop Page ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|2|00|E|00|D|00|A|00|8|00|9|00|A|00|-|00|0|00|9|00|6|00|6|00|-|00|4|00|B|00|9|00|1|00|-|00|9|00|C|00|1|00|8|00|-|00|A|00|B|00|6|00|9|00|F|00|0|00|9|00|8|00|1|00|8|00|7|00|F|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x002\x00E\x00D\x00A\x008\x009\x00A\x00-\x000\x009\x006\x006\x00-\x004\x00B\x009\x001\x00-\x009\x00C\x001\x008\x00-\x00A\x00B\x006\x009\x00F\x000\x009\x008\x001\x008\x007\x00F\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7467 WEB-ACTIVEX WMT DeInterlace Prop Page ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AECF5D2E-7A18-4DD2-BDCD-29B6F615B448"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AECF5D2E-7A18-4DD2-BDCD-29B6F615B448/si"; metadata:policy security-ips drop; classtype:attempted-user; 7468 WEB-ACTIVEX WMT DirectX Transform Wrapper ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|E|00|C|00|F|00|5|00|D|00|2|00|E|00|-|00|7|00|A|00|1|00|8|00|-|00|4|00|D|00|D|00|2|00|-|00|B|00|D|00|C|00|D|00|-|00|2|00|9|00|B|00|6|00|F|00|6|00|1|00|5|00|B|00|4|00|4|00|8|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00E\x00C\x00F\x005\x00D\x002\x00E\x00-\x007\x00A\x001\x008\x00-\x004\x00D\x00D\x002\x00-\x00B\x00D\x00C\x00D\x00-\x002\x009\x00B\x006\x00F\x006\x001\x005\x00B\x004\x004\x008\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7469 WEB-ACTIVEX WMT DirectX Transform Wrapper ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E476CBFF-E229-4524-B6B7-228A3129D1C7"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E476CBFF-E229-4524-B6B7-228A3129D1C7/si"; metadata:policy security-ips drop; classtype:attempted-user; 7470 WEB-ACTIVEX WMT DV Extract Filter ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|4|00|7|00|6|00|C|00|B|00|F|00|F|00|-|00|E|00|2|00|2|00|9|00|-|00|4|00|5|00|2|00|4|00|-|00|B|00|6|00|B|00|7|00|-|00|2|00|2|00|8|00|A|00|3|00|1|00|2|00|9|00|D|00|1|00|C|00|7|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x004\x007\x006\x00C\x00B\x00F\x00F\x00-\x00E\x002\x002\x009\x00-\x004\x005\x002\x004\x00-\x00B\x006\x00B\x007\x00-\x002\x002\x008\x00A\x003\x001\x002\x009\x00D\x001\x00C\x007\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7471 WEB-ACTIVEX WMT DV Extract Filter ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E188F7A3-A04E-413E-99D1-D79A45F70305"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E188F7A3-A04E-413E-99D1-D79A45F70305/si"; metadata:policy security-ips drop; classtype:attempted-user; 7472 WEB-ACTIVEX WMT FormatConversion Prop Page ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|1|00|8|00|8|00|F|00|7|00|A|00|3|00|-|00|A|00|0|00|4|00|E|00|-|00|4|00|1|00|3|00|E|00|-|00|9|00|9|00|D|00|1|00|-|00|D|00|7|00|9|00|A|00|4|00|5|00|F|00|7|00|0|00|3|00|0|00|5|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x001\x008\x008\x00F\x007\x00A\x003\x00-\x00A\x000\x004\x00E\x00-\x004\x001\x003\x00E\x00-\x009\x009\x00D\x001\x00-\x00D\x007\x009\x00A\x004\x005\x00F\x007\x000\x003\x000\x005\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7473 WEB-ACTIVEX WMT FormatConversion Prop Page ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26/si"; metadata:policy security-ips drop; classtype:attempted-user; 7474 WEB-ACTIVEX WMT FormatConversion ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|D|00|2|00|0|00|D|00|4|00|B|00|B|00|-|00|B|00|4|00|7|00|E|00|-|00|4|00|F|00|B|00|7|00|-|00|8|00|3|00|B|00|D|00|-|00|E|00|3|00|C|00|2|00|E|00|E|00|2|00|5|00|0|00|D|00|2|00|6|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x00D\x002\x000\x00D\x004\x00B\x00B\x00-\x00B\x004\x007\x00E\x00-\x004\x00F\x00B\x007\x00-\x008\x003\x00B\x00D\x00-\x00E\x003\x00C\x002\x00E\x00E\x002\x005\x000\x00D\x002\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7475 WEB-ACTIVEX WMT FormatConversion ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB/si"; metadata:policy security-ips drop; classtype:attempted-user; 7476 WEB-ACTIVEX WMT Import Filter ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|D|00|4|00|C|00|9|00|F|00|E|00|F|00|-|00|E|00|D|00|8|00|0|00|-|00|4|00|7|00|E|00|A|00|-|00|A|00|3|00|F|00|A|00|-|00|3|00|2|00|1|00|5|00|F|00|D|00|B|00|B|00|3|00|3|00|A|00|B|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x00D\x004\x00C\x009\x00F\x00E\x00F\x00-\x00E\x00D\x008\x000\x00-\x004\x007\x00E\x00A\x00-\x00A\x003\x00F\x00A\x00-\x003\x002\x001\x005\x00F\x00D\x00B\x00B\x003\x003\x00A\x00B\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7477 WEB-ACTIVEX WMT Import Filter ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F/si"; metadata:policy security-ips drop; classtype:attempted-user; 7478 WEB-ACTIVEX WMT Interlacer ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|6|00|C|00|B|00|1|00|F|00|E|00|3|00|-|00|B|00|0|00|5|00|E|00|-|00|4|00|F|00|0|00|E|00|-|00|8|00|1|00|8|00|F|00|-|00|C|00|8|00|3|00|E|00|D|00|5|00|A|00|0|00|3|00|3|00|2|00|F|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x006\x00C\x00B\x001\x00F\x00E\x003\x00-\x00B\x000\x005\x00E\x00-\x004\x00F\x000\x00E\x00-\x008\x001\x008\x00F\x00-\x00C\x008\x003\x00E\x00D\x005\x00A\x000\x003\x003\x002\x00F\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7479 WEB-ACTIVEX WMT Interlacer ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"92883667-E95C-443D-AC96-4CACA27BEB6E"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*92883667-E95C-443D-AC96-4CACA27BEB6E/si"; metadata:policy security-ips drop; classtype:attempted-user; 7480 WEB-ACTIVEX WMT Log Filter ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|2|00|8|00|8|00|3|00|6|00|6|00|7|00|-|00|E|00|9|00|5|00|C|00|-|00|4|00|4|00|3|00|D|00|-|00|A|00|C|00|9|00|6|00|-|00|4|00|C|00|A|00|C|00|A|00|2|00|7|00|B|00|E|00|B|00|6|00|E|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x002\x008\x008\x003\x006\x006\x007\x00-\x00E\x009\x005\x00C\x00-\x004\x004\x003\x00D\x00-\x00A\x00C\x009\x006\x00-\x004\x00C\x00A\x00C\x00A\x002\x007\x00B\x00E\x00B\x006\x00E\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7481 WEB-ACTIVEX WMT Log Filter ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"01002B17-5D93-4551-81E4-831FEF780A53"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*01002B17-5D93-4551-81E4-831FEF780A53/si"; metadata:policy security-ips drop; classtype:attempted-user; 7482 WEB-ACTIVEX WMT MuxDeMux Filter ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|1|00|0|00|0|00|2|00|B|00|1|00|7|00|-|00|5|00|D|00|9|00|3|00|-|00|4|00|5|00|5|00|1|00|-|00|8|00|1|00|E|00|4|00|-|00|8|00|3|00|1|00|F|00|E|00|F|00|7|00|8|00|0|00|A|00|5|00|3|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x001\x000\x000\x002\x00B\x001\x007\x00-\x005\x00D\x009\x003\x00-\x004\x005\x005\x001\x00-\x008\x001\x00E\x004\x00-\x008\x003\x001\x00F\x00E\x00F\x007\x008\x000\x00A\x005\x003\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7483 WEB-ACTIVEX WMT MuxDeMux Filter ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7F1232EE-44D7-4494-AB8B-CC61B10E21A5"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F1232EE-44D7-4494-AB8B-CC61B10E21A5/si"; metadata:policy security-ips drop; classtype:attempted-user; 7484 WEB-ACTIVEX WMT Sample Info Filter ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|F|00|1|00|2|00|3|00|2|00|E|00|E|00|-|00|4|00|4|00|D|00|7|00|-|00|4|00|4|00|9|00|4|00|-|00|A|00|B|00|8|00|B|00|-|00|C|00|C|00|6|00|1|00|B|00|1|00|0|00|E|00|2|00|1|00|A|00|5|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x00F\x001\x002\x003\x002\x00E\x00E\x00-\x004\x004\x00D\x007\x00-\x004\x004\x009\x004\x00-\x00A\x00B\x008\x00B\x00-\x00C\x00C\x006\x001\x00B\x001\x000\x00E\x002\x001\x00A\x005\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7485 WEB-ACTIVEX WMT Sample Info Filter ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"679E132F-561B-42F8-846C-A70DBDC62999"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*679E132F-561B-42F8-846C-A70DBDC62999/si"; metadata:policy security-ips drop; classtype:attempted-user; 7486 WEB-ACTIVEX WMT Screen Capture Filter Task Page ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|7|00|9|00|E|00|1|00|3|00|2|00|F|00|-|00|5|00|6|00|1|00|B|00|-|00|4|00|2|00|F|00|8|00|-|00|8|00|4|00|6|00|C|00|-|00|A|00|7|00|0|00|D|00|B|00|D|00|C|00|6|00|2|00|9|00|9|00|9|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x007\x009\x00E\x001\x003\x002\x00F\x00-\x005\x006\x001\x00B\x00-\x004\x002\x00F\x008\x00-\x008\x004\x006\x00C\x00-\x00A\x007\x000\x00D\x00B\x00D\x00C\x006\x002\x009\x009\x009\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7487 WEB-ACTIVEX WMT Screen Capture Filter Task Page ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"31087270-D348-432C-899E-2D2F38FF29A0"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31087270-D348-432C-899E-2D2F38FF29A0/si"; metadata:policy security-ips drop; classtype:attempted-user; 7488 WEB-ACTIVEX WMT Screen capture Filter ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|1|00|0|00|8|00|7|00|2|00|7|00|0|00|-|00|D|00|3|00|4|00|8|00|-|00|4|00|3|00|2|00|C|00|-|00|8|00|9|00|9|00|E|00|-|00|2|00|D|00|2|00|F|00|3|00|8|00|F|00|F|00|2|00|9|00|A|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x001\x000\x008\x007\x002\x007\x000\x00-\x00D\x003\x004\x008\x00-\x004\x003\x002\x00C\x00-\x008\x009\x009\x00E\x00-\x002\x00D\x002\x00F\x003\x008\x00F\x00F\x002\x009\x00A\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7489 WEB-ACTIVEX WMT Screen capture Filter ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"EF105BC3-C064-45F1-AD53-6D8A8578D01B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EF105BC3-C064-45F1-AD53-6D8A8578D01B/si"; metadata:policy security-ips drop; classtype:attempted-user; 7490 WEB-ACTIVEX WMT Switch Filter ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|F|00|1|00|0|00|5|00|B|00|C|00|3|00|-|00|C|00|0|00|6|00|4|00|-|00|4|00|5|00|F|00|1|00|-|00|A|00|D|00|5|00|3|00|-|00|6|00|D|00|8|00|A|00|8|00|5|00|7|00|8|00|D|00|0|00|1|00|B|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x00F\x001\x000\x005\x00B\x00C\x003\x00-\x00C\x000\x006\x004\x00-\x004\x005\x00F\x001\x00-\x00A\x00D\x005\x003\x00-\x006\x00D\x008\x00A\x008\x005\x007\x008\x00D\x000\x001\x00B\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7491 WEB-ACTIVEX WMT Switch Filter ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6/si"; metadata:policy security-ips drop; classtype:attempted-user; 7492 WEB-ACTIVEX WMT Virtual Renderer ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|3|00|0|00|F|00|D|00|0|00|2|00|C|00|-|00|B|00|B|00|E|00|7|00|-|00|4|00|E|00|B|00|9|00|-|00|9|00|1|00|C|00|F|00|-|00|F|00|C|00|4|00|5|00|C|00|C|00|9|00|1|00|E|00|3|00|E|00|6|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x003\x000\x00F\x00D\x000\x002\x00C\x00-\x00B\x00B\x00E\x007\x00-\x004\x00E\x00B\x009\x00-\x009\x001\x00C\x00F\x00-\x00F\x00C\x004\x005\x00C\x00C\x009\x001\x00E\x003\x00E\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7493 WEB-ACTIVEX WMT Virtual Renderer ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C44C65C7-FDF1-453D-89A5-BCC28F5D69F9"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C44C65C7-FDF1-453D-89A5-BCC28F5D69F9/si"; metadata:policy security-ips drop; classtype:attempted-user; 7494 WEB-ACTIVEX WMT Virtual Source ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|4|00|C|00|6|00|5|00|C|00|7|00|-|00|F|00|D|00|F|00|1|00|-|00|4|00|5|00|3|00|D|00|-|00|8|00|9|00|A|00|5|00|-|00|B|00|C|00|C|00|2|00|8|00|F|00|5|00|D|00|6|00|9|00|F|00|9|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x004\x00C\x006\x005\x00C\x007\x00-\x00F\x00D\x00F\x001\x00-\x004\x005\x003\x00D\x00-\x008\x009\x00A\x005\x00-\x00B\x00C\x00C\x002\x008\x00F\x005\x00D\x006\x009\x00F\x009\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7495 WEB-ACTIVEX WMT Virtual Source ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C/si"; metadata:policy security-ips drop; classtype:attempted-user; 7496 WEB-ACTIVEX WMT Volume ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|F|00|E|00|E|00|4|00|3|00|D|00|6|00|-|00|B|00|F|00|E|00|5|00|-|00|4|00|4|00|B|00|0|00|-|00|8|00|0|00|6|00|3|00|-|00|A|00|C|00|3|00|B|00|2|00|9|00|6|00|6|00|A|00|B|00|2|00|C|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x00F\x00E\x00E\x004\x003\x00D\x006\x00-\x00B\x00F\x00E\x005\x00-\x004\x004\x00B\x000\x00-\x008\x000\x006\x003\x00-\x00A\x00C\x003\x00B\x002\x009\x006\x006\x00A\x00B\x002\x00C\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7497 WEB-ACTIVEX WMT Volume ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"41D2B841-7692-4C83-AFD3-F60E845341AF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*41D2B841-7692-4C83-AFD3-F60E845341AF/si"; metadata:policy security-ips drop; classtype:attempted-user; 7498 WEB-ACTIVEX WM TV Out Smooth Picture Filter ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|1|00|D|00|2|00|B|00|8|00|4|00|1|00|-|00|7|00|6|00|9|00|2|00|-|00|4|00|C|00|8|00|3|00|-|00|A|00|F|00|D|00|3|00|-|00|F|00|6|00|0|00|E|00|8|00|4|00|5|00|3|00|4|00|1|00|A|00|F|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x001\x00D\x002\x00B\x008\x004\x001\x00-\x007\x006\x009\x002\x00-\x004\x00C\x008\x003\x00-\x00A\x00F\x00D\x003\x00-\x00F\x006\x000\x00E\x008\x004\x005\x003\x004\x001\x00A\x00F\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7499 WEB-ACTIVEX WM TV Out Smooth Picture Filter ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"586FB486-5560-4FF3-96DF-1118C96AF456"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*586FB486-5560-4FF3-96DF-1118C96AF456/si"; metadata:policy security-ips drop; classtype:attempted-user; 7500 WEB-ACTIVEX WM VIH2 Fix ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-042.mspx attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|8|00|6|00|F|00|B|00|4|00|8|00|6|00|-|00|5|00|5|00|6|00|0|00|-|00|4|00|F|00|F|00|3|00|-|00|9|00|6|00|D|00|F|00|-|00|1|00|1|00|1|00|8|00|C|00|9|00|6|00|A|00|F|00|4|00|5|00|6|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x008\x006\x00F\x00B\x004\x008\x006\x00-\x005\x005\x006\x000\x00-\x004\x00F\x00F\x003\x00-\x009\x006\x00D\x00F\x00-\x001\x001\x001\x008\x00C\x009\x006\x00A\x00F\x004\x005\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7501 WEB-ACTIVEX WM VIH2 Fix ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-042.mspx 19570 attempted-user 2006-4219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E2E9CAE6-1E7B-4B8E-BABD-E9BF6292AC29"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E2E9CAE6-1E7B-4B8E-BABD-E9BF6292AC29\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 7502 WEB-ACTIVEX tsuserex.ADsTSUserEx.1 ActiveX clsid access www.xsec.org/index.php?module=Releases&act=view&type=1&id=14 19570 attempted-user 2006-4219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|2|00|E|00|9|00|C|00|A|00|E|00|6|00|-|00|1|00|E|00|7|00|B|00|-|00|4|00|B|00|8|00|E|00|-|00|B|00|A|00|B|00|D|00|-|00|E|00|9|00|B|00|F|00|6|00|2|00|9|00|2|00|A|00|C|00|2|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x002\x00E\x009\x00C\x00A\x00E\x006\x00-\x001\x00E\x007\x00B\x00-\x004\x00B\x008\x00E\x00-\x00B\x00A\x00B\x00D\x00-\x00E\x009\x00B\x00F\x006\x002\x009\x002\x00A\x00C\x002\x009\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 7503 WEB-ACTIVEX tsuserex.ADsTSUserEx.1 ActiveX clsid unicode access www.xsec.org/index.php?module=Releases&act=view&type=1&id=14 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/url_sp2.asp"; fast_pattern; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"url="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"vb"; nocase; http_header; content:"wininet"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*vb\s+wininet/smiH"; metadata:policy security-ips alert; classtype:successful-recon-limited; 7856 SPYWARE-PUT Trackware winsysba-a runtime detection - track surfing activity secunia.com/virus_information/26844/winsysba-a/ 19265 attempted-user 2006-3961 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"IsAppExpired"; fast_pattern:only; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22IsAppExpired\x22|\x27IsAppExpired\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22IsAppExpired\x22|\x27IsAppExpired\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 7862 WEB-ACTIVEX McSubMgr.IsAppExpired ActiveX function call access 19265 attempted-user 2006-3961 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"IsOldAppInstalled"; fast_pattern:only; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22IsOldAppInstalled\x22|\x27IsOldAppInstalled\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22IsOldAppInstalled\x22|\x27IsOldAppInstalled\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 7863 WEB-ACTIVEX McSubMgr.IsOldAppInstalled ActiveX function call access 19265 attempted-user 2006-3961 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9be8d7b2-329c-442a-a4ac-aba9d7572602"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9be8d7b2-329c-442a-a4ac-aba9d7572602/si"; metadata:policy security-ips drop; classtype:attempted-user; 7864 WEB-ACTIVEX McSubMgr ActiveX CLSID access 19265 attempted-user 2006-3961 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|b|00|e|00|8|00|d|00|7|00|b|00|2|00|-|00|3|00|2|00|9|00|c|00|-|00|4|00|4|00|2|00|a|00|-|00|a|00|4|00|a|00|c|00|-|00|a|00|b|00|a|00|9|00|d|00|7|00|5|00|7|00|2|00|6|00|0|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x00b\x00e\x008\x00d\x007\x00b\x002\x00-\x003\x002\x009\x00c\x00-\x004\x004\x002\x00a\x00-\x00a\x004\x00a\x00c\x00-\x00a\x00b\x00a\x009\x00d\x007\x005\x007\x002\x006\x000\x002\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7865 WEB-ACTIVEX McSubMgr ActiveX CLSID unicode access attempted-user 2006-5559 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"00000514-0000-0010-8000-00AA006D2EA4"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*id\s*=((\x22|\x27)([^\2]*)\2)\s*classid\s*=\s*(\x22|\x27|)clsid\s*\x3a\s*{?\s*00000514-0000-0010-8000-00AA006D2EA4\s*}?\4.*\3\.(Execute)\(|<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00000514-0000-0010-8000-00AA006D2EA4\s*}?\s*\6\s*id\s*=\s*((\x22|\x27)([^\8]*)\8).*\9\.(Execute)\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 7866 WEB-ACTIVEX ADODB.Connection ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms07-009.mspx attempted-user 2006-5559 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|0|00|0|00|5|00|1|00|4|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|1|00|0|00|-|00|8|00|0|00|0|00|0|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|D|00|2|00|E|00|A|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x000\x000\x005\x001\x004\x00-\x000\x000\x000\x000\x00-\x000\x000\x001\x000\x00-\x008\x000\x000\x000\x00-\x000\x000\x00A\x00A\x000\x000\x006\x00D\x002\x00E\x00A\x004\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 7867 WEB-ACTIVEX ADODB.Connection ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms07-009.mspx 20704 attempted-user 2006-5559 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"00000535-0000-0010-8000-00AA006D2EA4"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00000535-0000-0010-8000-00AA006D2EA4/si"; metadata:policy security-ips drop; classtype:attempted-user; 7868 WEB-ACTIVEX ADODB.Recordset ActiveX CLSID access 20704 attempted-user 2006-5559 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|0|00|0|00|5|00|3|00|5|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|1|00|0|00|-|00|8|00|0|00|0|00|0|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|D|00|2|00|E|00|A|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x000\x000\x005\x003\x005\x00-\x000\x000\x000\x000\x00-\x000\x000\x001\x000\x00-\x008\x000\x000\x000\x00-\x000\x000\x00A\x00A\x000\x000\x006\x00D\x002\x00E\x00A\x004\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7869 WEB-ACTIVEX ADODB.Recordset ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"03F998B2-0E00-11D3-A498-00104B6EB52E"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*03F998B2-0E00-11D3-A498-00104B6EB52E/si"; metadata:policy security-ips drop; classtype:attempted-user; 7878 WEB-ACTIVEX AxMetaStream.MetaStreamCtl ActiveX CLSID access vil.nai.com/vil/content/v_137262.htm attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|3|00|F|00|9|00|9|00|8|00|B|00|2|00|-|00|0|00|E|00|0|00|0|00|-|00|1|00|1|00|D|00|3|00|-|00|A|00|4|00|9|00|8|00|-|00|0|00|0|00|1|00|0|00|4|00|B|00|6|00|E|00|B|00|5|00|2|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x003\x00F\x009\x009\x008\x00B\x002\x00-\x000\x00E\x000\x000\x00-\x001\x001\x00D\x003\x00-\x00A\x004\x009\x008\x00-\x000\x000\x001\x000\x004\x00B\x006\x00E\x00B\x005\x002\x00E\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7879 WEB-ACTIVEX AxMetaStream.MetaStreamCtl ActiveX CLSID unicode access vil.nai.com/vil/content/v_137262.htm attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1B00725B-C455-4DE6-BFB6-AD540AD427CD"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1B00725B-C455-4DE6-BFB6-AD540AD427CD/si"; metadata:policy security-ips drop; classtype:attempted-user; 7880 WEB-ACTIVEX AxMetaStream.MetaStreamCtlSecondary ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|B|00|0|00|0|00|7|00|2|00|5|00|B|00|-|00|C|00|4|00|5|00|5|00|-|00|4|00|D|00|E|00|6|00|-|00|B|00|F|00|B|00|6|00|-|00|A|00|D|00|5|00|4|00|0|00|A|00|D|00|4|00|2|00|7|00|C|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x00B\x000\x000\x007\x002\x005\x00B\x00-\x00C\x004\x005\x005\x00-\x004\x00D\x00E\x006\x00-\x00B\x00F\x00B\x006\x00-\x00A\x00D\x005\x004\x000\x00A\x00D\x004\x002\x007\x00C\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7881 WEB-ACTIVEX AxMetaStream.MetaStreamCtlSecondary ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"68A499C7-F9B0-11D2-93D4-00A0C981B035"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*68A499C7-F9B0-11D2-93D4-00A0C981B035/si"; metadata:policy security-ips drop; classtype:attempted-user; 7882 WEB-ACTIVEX AccSync.AccSubNotHandler ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|8|00|A|00|4|00|9|00|9|00|C|00|7|00|-|00|F|00|9|00|B|00|0|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|3|00|D|00|4|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|8|00|1|00|B|00|0|00|3|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x008\x00A\x004\x009\x009\x00C\x007\x00-\x00F\x009\x00B\x000\x00-\x001\x001\x00D\x002\x00-\x009\x003\x00D\x004\x00-\x000\x000\x00A\x000\x00C\x009\x008\x001\x00B\x000\x003\x005\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7883 WEB-ACTIVEX AccSync.AccSubNotHandler ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A8ABE123-FAC4-41C1-ABA3-051B6F112B83"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A8ABE123-FAC4-41C1-ABA3-051B6F112B83/si"; metadata:policy security-ips drop; classtype:attempted-user; 7884 WEB-ACTIVEX AolCalSvr.ACCalendarListCtrl ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|8|00|A|00|B|00|E|00|1|00|2|00|3|00|-|00|F|00|A|00|C|00|4|00|-|00|4|00|1|00|C|00|1|00|-|00|A|00|B|00|A|00|3|00|-|00|0|00|5|00|1|00|B|00|6|00|F|00|1|00|1|00|2|00|B|00|8|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x008\x00A\x00B\x00E\x001\x002\x003\x00-\x00F\x00A\x00C\x004\x00-\x004\x001\x00C\x001\x00-\x00A\x00B\x00A\x003\x00-\x000\x005\x001\x00B\x006\x00F\x001\x001\x002\x00B\x008\x003\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7885 WEB-ACTIVEX AolCalSvr.ACCalendarListCtrl ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9F62797E-1249-4596-9FF7-AC6D851A542A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9F62797E-1249-4596-9FF7-AC6D851A542A/si"; metadata:policy security-ips drop; classtype:attempted-user; 7886 WEB-ACTIVEX AolCalSvr.ACDictionary ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|F|00|6|00|2|00|7|00|9|00|7|00|E|00|-|00|1|00|2|00|4|00|9|00|-|00|4|00|5|00|9|00|6|00|-|00|9|00|F|00|F|00|7|00|-|00|A|00|C|00|6|00|D|00|8|00|5|00|1|00|A|00|5|00|4|00|2|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x00F\x006\x002\x007\x009\x007\x00E\x00-\x001\x002\x004\x009\x00-\x004\x005\x009\x006\x00-\x009\x00F\x00F\x007\x00-\x00A\x00C\x006\x00D\x008\x005\x001\x00A\x005\x004\x002\x00A\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7887 WEB-ACTIVEX AolCalSvr.ACDictionary ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"18477169-4752-41DC-AB0F-C50EBA75641D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18477169-4752-41DC-AB0F-C50EBA75641D/si"; metadata:policy security-ips drop; classtype:attempted-user; 7890 WEB-ACTIVEX AOL.MemExpWz ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|8|00|4|00|7|00|7|00|1|00|6|00|9|00|-|00|4|00|7|00|5|00|2|00|-|00|4|00|1|00|D|00|C|00|-|00|A|00|B|00|0|00|F|00|-|00|C|00|5|00|0|00|E|00|B|00|A|00|7|00|5|00|6|00|4|00|1|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x004\x007\x007\x001\x006\x009\x00-\x004\x007\x005\x002\x00-\x004\x001\x00D\x00C\x00-\x00A\x00B\x000\x00F\x00-\x00C\x005\x000\x00E\x00B\x00A\x007\x005\x006\x004\x001\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7891 WEB-ACTIVEX AOL.MemExpWz ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D9F99C6B-A3A6-11D4-AF64-444553546170"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D9F99C6B-A3A6-11D4-AF64-444553546170/si"; metadata:policy security-ips drop; classtype:attempted-user; 7892 WEB-ACTIVEX AOL Phobos Class ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|9|00|F|00|9|00|9|00|C|00|6|00|B|00|-|00|A|00|3|00|A|00|6|00|-|00|1|00|1|00|D|00|4|00|-|00|A|00|F|00|6|00|4|00|-|00|4|00|4|00|4|00|5|00|5|00|3|00|5|00|4|00|6|00|1|00|7|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x009\x00F\x009\x009\x00C\x006\x00B\x00-\x00A\x003\x00A\x006\x00-\x001\x001\x00D\x004\x00-\x00A\x00F\x006\x004\x00-\x004\x004\x004\x005\x005\x003\x005\x004\x006\x001\x007\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7893 WEB-ACTIVEX AOL Phobos Class ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D670D0B3-05AB-4115-9F87-D983EF1AC747"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D670D0B3-05AB-4115-9F87-D983EF1AC747/si"; metadata:policy security-ips drop; classtype:attempted-user; 7894 WEB-ACTIVEX AOL.PicDownloadCtrl ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|6|00|7|00|0|00|D|00|0|00|B|00|3|00|-|00|0|00|5|00|A|00|B|00|-|00|4|00|1|00|1|00|5|00|-|00|9|00|F|00|8|00|7|00|-|00|D|00|9|00|8|00|3|00|E|00|F|00|1|00|A|00|C|00|7|00|4|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x006\x007\x000\x00D\x000\x00B\x003\x00-\x000\x005\x00A\x00B\x00-\x004\x001\x001\x005\x00-\x009\x00F\x008\x007\x00-\x00D\x009\x008\x003\x00E\x00F\x001\x00A\x00C\x007\x004\x007\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7895 WEB-ACTIVEX AOL.PicDownloadCtrl ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E0CB08CE-AB3D-4779-9C77-62A439BFE6C3"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E0CB08CE-AB3D-4779-9C77-62A439BFE6C3/si"; metadata:policy security-ips drop; classtype:attempted-user; 7896 WEB-ACTIVEX AOL.PicEditCtrl ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|0|00|C|00|B|00|0|00|8|00|C|00|E|00|-|00|A|00|B|00|3|00|D|00|-|00|4|00|7|00|7|00|9|00|-|00|9|00|C|00|7|00|7|00|-|00|6|00|2|00|A|00|4|00|3|00|9|00|B|00|F|00|E|00|6|00|C|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x000\x00C\x00B\x000\x008\x00C\x00E\x00-\x00A\x00B\x003\x00D\x00-\x004\x007\x007\x009\x00-\x009\x00C\x007\x007\x00-\x006\x002\x00A\x004\x003\x009\x00B\x00F\x00E\x006\x00C\x003\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7897 WEB-ACTIVEX AOL.PicEditCtrl ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6/si"; metadata:policy security-ips drop; classtype:attempted-user; 7898 WEB-ACTIVEX AOL.PicSsvrCtrl ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|1|00|B|00|0|00|9|00|0|00|6|00|6|00|-|00|C|00|9|00|5|00|C|00|-|00|4|00|E|00|F|00|6|00|-|00|8|00|D|00|F|00|D|00|-|00|3|00|D|00|D|00|0|00|A|00|F|00|E|00|6|00|1|00|0|00|B|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x001\x00B\x000\x009\x000\x006\x006\x00-\x00C\x009\x005\x00C\x00-\x004\x00E\x00F\x006\x00-\x008\x00D\x00F\x00D\x00-\x003\x00D\x00D\x000\x00A\x00F\x00E\x006\x001\x000\x00B\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7899 WEB-ACTIVEX AOL.PicSsvrCtrl ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"98BFD494-F6AD-4794-9038-832C0654CC43"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98BFD494-F6AD-4794-9038-832C0654CC43/si"; metadata:policy security-ips drop; classtype:attempted-user; 7900 WEB-ACTIVEX AOL.UPFCtrl ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|8|00|B|00|F|00|D|00|4|00|9|00|4|00|-|00|F|00|6|00|A|00|D|00|-|00|4|00|7|00|9|00|4|00|-|00|9|00|0|00|3|00|8|00|-|00|8|00|3|00|2|00|C|00|0|00|6|00|5|00|4|00|C|00|C|00|4|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x008\x00B\x00F\x00D\x004\x009\x004\x00-\x00F\x006\x00A\x00D\x00-\x004\x007\x009\x004\x00-\x009\x000\x003\x008\x00-\x008\x003\x002\x00C\x000\x006\x005\x004\x00C\x00C\x004\x003\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7901 WEB-ACTIVEX AOL.UPFCtrl ActiveX CLSID unicode access 23567 attempted-user 2006-3134 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"229B78D5-38F5-11D5-9001-00C04F4C3B9F"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q9>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*229B78D5-38F5-11D5-9001-00C04F4C3B9F\s*}?\s*(?P=q9)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 7902 WEB-ACTIVEX CDDBControlAOL.CDDBAOLControl ActiveX clsid access www.kb.cert.org/vuls/id/701121 23567 attempted-user 2006-3134 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|2|00|9|00|B|00|7|00|8|00|D|00|5|00|-|00|3|00|8|00|F|00|5|00|-|00|1|00|1|00|D|00|5|00|-|00|9|00|0|00|0|00|1|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|4|00|C|00|3|00|B|00|9|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q10>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q10)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 7903 WEB-ACTIVEX CDDBControlAOL.CDDBAOLControl ActiveX clsid unicode access www.kb.cert.org/vuls/id/701121 attempted-user 2007-0218 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3DD53D40-7B8B-11D0-B013-00AA0059CE02"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q13>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3DD53D40-7B8B-11D0-B013-00AA0059CE02\s*}?\s*(?P=q13)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 7904 WEB-ACTIVEX CDL Asychronous Pluggable Protocol Handler ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-033.mspx attempted-user 2007-0218 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|D|00|D|00|5|00|3|00|D|00|4|00|0|00|-|00|7|00|B|00|8|00|B|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|0|00|1|00|3|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|9|00|C|00|E|00|0|00|2|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q14>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q14)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 7905 WEB-ACTIVEX CDL Asychronous Pluggable Protocol Handler ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-033.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CD00020C-8B95-11D1-82DB-00C04FB1625D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CD00020C-8B95-11D1-82DB-00C04FB1625D/si"; metadata:policy security-ips drop; classtype:attempted-user; 7906 WEB-ACTIVEX CDO.KnowledgeSearchFolder ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|D|00|0|00|0|00|0|00|2|00|0|00|C|00|-|00|8|00|B|00|9|00|5|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|2|00|D|00|B|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|B|00|1|00|6|00|2|00|5|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00D\x000\x000\x000\x002\x000\x00C\x00-\x008\x00B\x009\x005\x00-\x001\x001\x00D\x001\x00-\x008\x002\x00D\x00B\x00-\x000\x000\x00C\x000\x004\x00F\x00B\x001\x006\x002\x005\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7907 WEB-ACTIVEX CDO.KnowledgeSearchFolder ActiveX CLSID unicode access 24188 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"421516C1-3CF8-11D2-952A-00C04FA34F05"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*421516C1-3CF8-11D2-952A-00C04FA34F05\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 7908 WEB-ACTIVEX DXImageTransform.Microsoft.Chroma ActiveX clsid access www.securityfocus.com/archive/1/443907 24188 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|2|00|1|00|5|00|1|00|6|00|C|00|1|00|-|00|3|00|C|00|F|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 7909 WEB-ACTIVEX DXImageTransform.Microsoft.Chroma ActiveX clsid unicode access www.securityfocus.com/archive/1/443907 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ADC6CB86-424C-11D2-952A-00C04FA34F05"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ADC6CB86-424C-11D2-952A-00C04FA34F05/si"; metadata:policy security-ips drop; classtype:attempted-user; 7910 WEB-ACTIVEX DXImageTransform.Microsoft.DropShadow ActiveX CLSID access www.securityfocus.com/archive/1/443907 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|D|00|C|00|6|00|C|00|B|00|8|00|6|00|-|00|4|00|2|00|4|00|C|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00D\x00C\x006\x00C\x00B\x008\x006\x00-\x004\x002\x004\x00C\x00-\x001\x001\x00D\x002\x00-\x009\x005\x002\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x00F\x000\x005\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7911 WEB-ACTIVEX DXImageTransform.Microsoft.DropShadow ActiveX CLSID unicode access www.securityfocus.com/archive/1/443907 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8241F015-84D3-11d2-97E6-0000F803FF7A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8241F015-84D3-11d2-97E6-0000F803FF7A/si"; metadata:policy security-ips drop; classtype:attempted-user; 7912 WEB-ACTIVEX DX3DTransform.Microsoft.Shapes ActiveX CLSID access www.securityfocus.com/archive/1/443907 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|2|00|4|00|1|00|F|00|0|00|1|00|5|00|-|00|8|00|4|00|D|00|3|00|-|00|1|00|1|00|d|00|2|00|-|00|9|00|7|00|E|00|6|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|0|00|3|00|F|00|F|00|7|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x002\x004\x001\x00F\x000\x001\x005\x00-\x008\x004\x00D\x003\x00-\x001\x001\x00d\x002\x00-\x009\x007\x00E\x006\x00-\x000\x000\x000\x000\x00F\x008\x000\x003\x00F\x00F\x007\x00A\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7913 WEB-ACTIVEX DX3DTransform.Microsoft.Shapes ActiveX CLSID unicode access www.securityfocus.com/archive/1/443907 19340 attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E673DCF2-C316-4C6F-AA96-4E4DC6DC291E"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E673DCF2-C316-4C6F-AA96-4E4DC6DC291E/si"; metadata:policy security-ips drop; classtype:attempted-user; 7914 WEB-ACTIVEX DXImageTransform.Microsoft.NDFXArtEffects ActiveX CLSID access www.microsoft.com/technet/security/Bulletin/MS06-042.mspx 19340 attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|6|00|7|00|3|00|D|00|C|00|F|00|2|00|-|00|C|00|3|00|1|00|6|00|-|00|4|00|C|00|6|00|F|00|-|00|A|00|A|00|9|00|6|00|-|00|4|00|E|00|4|00|D|00|C|00|6|00|D|00|C|00|2|00|9|00|1|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x006\x007\x003\x00D\x00C\x00F\x002\x00-\x00C\x003\x001\x006\x00-\x004\x00C\x006\x00F\x00-\x00A\x00A\x009\x006\x00-\x004\x00E\x004\x00D\x00C\x006\x00D\x00C\x002\x009\x001\x00E\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7915 WEB-ACTIVEX DXImageTransform.Microsoft.NDFXArtEffects ActiveX CLSID unicode access www.microsoft.com/technet/security/Bulletin/MS06-042.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FD853CD9-7F86-11D0-8252-00C04FD85AB4"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FD853CD9-7F86-11D0-8252-00C04FD85AB4/si"; metadata:policy security-ips drop; classtype:attempted-user; 7916 WEB-ACTIVEX CLSID_IMimeInternational ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|D|00|8|00|5|00|3|00|C|00|D|00|9|00|-|00|7|00|F|00|8|00|6|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|2|00|5|00|2|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|8|00|5|00|A|00|B|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00D\x008\x005\x003\x00C\x00D\x009\x00-\x007\x00F\x008\x006\x00-\x001\x001\x00D\x000\x00-\x008\x002\x005\x002\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x008\x005\x00A\x00B\x004\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7917 WEB-ACTIVEX CLSID_IMimeInternational ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1853E19A-4E54-4190-8DEB-2E1CC947CD60"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1853E19A-4E54-4190-8DEB-2E1CC947CD60/si"; metadata:policy security-ips drop; classtype:attempted-user; 7918 WEB-ACTIVEX CoAxTrackVideo Class ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|8|00|5|00|3|00|E|00|1|00|9|00|A|00|-|00|4|00|E|00|5|00|4|00|-|00|4|00|1|00|9|00|0|00|-|00|8|00|D|00|E|00|B|00|-|00|2|00|E|00|1|00|C|00|C|00|9|00|4|00|7|00|C|00|D|00|6|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x005\x003\x00E\x001\x009\x00A\x00-\x004\x00E\x005\x004\x00-\x004\x001\x009\x000\x00-\x008\x00D\x00E\x00B\x00-\x002\x00E\x001\x00C\x00C\x009\x004\x007\x00C\x00D\x006\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7919 WEB-ACTIVEX CoAxTrackVideo Class ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F2C3FAAE-C8AC-11D0-BCDB-00C04FD8D5B6"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F2C3FAAE-C8AC-11D0-BCDB-00C04FD8D5B6/si"; metadata:policy security-ips drop; classtype:attempted-user; 7920 WEB-ACTIVEX DsPropertyPages.OU ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|2|00|C|00|3|00|F|00|A|00|A|00|E|00|-|00|C|00|8|00|A|00|C|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|C|00|D|00|B|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|8|00|D|00|5|00|B|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x002\x00C\x003\x00F\x00A\x00A\x00E\x00-\x00C\x008\x00A\x00C\x00-\x001\x001\x00D\x000\x00-\x00B\x00C\x00D\x00B\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x008\x00D\x005\x00B\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7921 WEB-ACTIVEX DsPropertyPages.OU ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E31E87C4-86EA-4940-9B8A-5BD5D179A737"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E31E87C4-86EA-4940-9B8A-5BD5D179A737/si"; metadata:policy security-ips drop; classtype:attempted-user; 7922 WEB-ACTIVEX DXImageTransform.Microsoft.RevealTrans ActiveX CLSID access osvdb.org/27057 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|3|00|1|00|E|00|8|00|7|00|C|00|4|00|-|00|8|00|6|00|E|00|A|00|-|00|4|00|9|00|4|00|0|00|-|00|9|00|B|00|8|00|A|00|-|00|5|00|B|00|D|00|5|00|D|00|1|00|7|00|9|00|A|00|7|00|3|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x003\x001\x00E\x008\x007\x00C\x004\x00-\x008\x006\x00E\x00A\x00-\x004\x009\x004\x000\x00-\x009\x00B\x008\x00A\x00-\x005\x00B\x00D\x005\x00D\x001\x007\x009\x00A\x007\x003\x007\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7923 WEB-ACTIVEX DXImageTransform.Microsoft.RevealTrans ActiveX CLSID unicode access osvdb.org/27057 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E71B4063-3E59-11D2-952A-00C04FA34F05"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E71B4063-3E59-11D2-952A-00C04FA34F05/si"; metadata:policy security-ips drop; classtype:attempted-user; 7924 WEB-ACTIVEX DXImageTransform.Microsoft.Shadow ActiveX CLSID access www.securityfocus.com/archive/1/443907 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|7|00|1|00|B|00|4|00|0|00|6|00|3|00|-|00|3|00|E|00|5|00|9|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x007\x001\x00B\x004\x000\x006\x003\x00-\x003\x00E\x005\x009\x00-\x001\x001\x00D\x002\x00-\x009\x005\x002\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x00F\x000\x005\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7925 WEB-ACTIVEX DXImageTransform.Microsoft.Shadow ActiveX CLSID unicode access www.securityfocus.com/archive/1/443907 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"385A91BC-1E8A-4E4A-A7A6-F4FC1E6CA1BD"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*385A91BC-1E8A-4E4A-A7A6-F4FC1E6CA1BD/si"; metadata:policy security-ips drop; classtype:attempted-user; 7926 WEB-ACTIVEX DXTFilter ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|8|00|5|00|A|00|9|00|1|00|B|00|C|00|-|00|1|00|E|00|8|00|A|00|-|00|4|00|E|00|4|00|A|00|-|00|A|00|7|00|A|00|6|00|-|00|F|00|4|00|F|00|C|00|1|00|E|00|6|00|C|00|A|00|1|00|B|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x008\x005\x00A\x009\x001\x00B\x00C\x00-\x001\x00E\x008\x00A\x00-\x004\x00E\x004\x00A\x00-\x00A\x007\x00A\x006\x00-\x00F\x004\x00F\x00C\x001\x00E\x006\x00C\x00A\x001\x00B\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7927 WEB-ACTIVEX DXTFilter ActiveX CLSID unicode access attempted-user 2007-0218 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"79EAC9E7-BAF9-11CE-8C82-00AA004BA90B"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q11>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*79EAC9E7-BAF9-11CE-8C82-00AA004BA90B\s*}?\s*(?P=q11)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 7928 WEB-ACTIVEX file or local Asychronous Pluggable Protocol Handler ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-033.mspx attempted-user 2007-0218 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|9|00|E|00|A|00|C|00|9|00|E|00|7|00|-|00|B|00|A|00|F|00|9|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|B|00|A|00|9|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q12>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q12)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 7929 WEB-ACTIVEX file or local Asychronous Pluggable Protocol Handler ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-033.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FEF10FA2-355E-4E06-9381-9B24D7F7CC88"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FEF10FA2-355E-4E06-9381-9B24D7F7CC88/si"; metadata:policy security-ips drop; classtype:attempted-user; 7930 WEB-ACTIVEX FolderItem2 ActiveX CLSID access browserfun.blogspot.com/2006/07/mobb-15-folderitem-access.html attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|E|00|F|00|1|00|0|00|F|00|A|00|2|00|-|00|3|00|5|00|5|00|E|00|-|00|4|00|E|00|0|00|6|00|-|00|9|00|3|00|8|00|1|00|-|00|9|00|B|00|2|00|4|00|D|00|7|00|F|00|7|00|C|00|C|00|8|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00E\x00F\x001\x000\x00F\x00A\x002\x00-\x003\x005\x005\x00E\x00-\x004\x00E\x000\x006\x00-\x009\x003\x008\x001\x00-\x009\x00B\x002\x004\x00D\x007\x00F\x007\x00C\x00C\x008\x008\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7931 WEB-ACTIVEX FolderItem2 ActiveX CLSID unicode access browserfun.blogspot.com/2006/07/mobb-15-folderitem-access.html attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"53C74826-AB99-4D33-ACA4-3117F51D3788"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*53C74826-AB99-4D33-ACA4-3117F51D3788/si"; metadata:policy security-ips drop; classtype:attempted-user; 7932 WEB-ACTIVEX FolderItems3 ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|3|00|C|00|7|00|4|00|8|00|2|00|6|00|-|00|A|00|B|00|9|00|9|00|-|00|4|00|D|00|3|00|3|00|-|00|A|00|C|00|A|00|4|00|-|00|3|00|1|00|1|00|7|00|F|00|5|00|1|00|D|00|3|00|7|00|8|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x003\x00C\x007\x004\x008\x002\x006\x00-\x00A\x00B\x009\x009\x00-\x004\x00D\x003\x003\x00-\x00A\x00C\x00A\x004\x00-\x003\x001\x001\x007\x00F\x005\x001\x00D\x003\x007\x008\x008\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7933 WEB-ACTIVEX FolderItems3 ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9F8E6421-3D9B-11D2-952A-00C04FA34F05"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9F8E6421-3D9B-11D2-952A-00C04FA34F05/si"; metadata:policy security-ips drop; classtype:attempted-user; 7936 WEB-ACTIVEX DXImageTransform.Microsoft.Glow ActiveX CLSID access www.securityfocus.com/archive/1/443907 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|F|00|8|00|E|00|6|00|4|00|2|00|1|00|-|00|3|00|D|00|9|00|B|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|5|00|2|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|F|00|0|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x00F\x008\x00E\x006\x004\x002\x001\x00-\x003\x00D\x009\x00B\x00-\x001\x001\x00D\x002\x00-\x009\x005\x002\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x00F\x000\x005\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7937 WEB-ACTIVEX DXImageTransform.Microsoft.Glow ActiveX CLSID unicode access www.securityfocus.com/archive/1/443907 attempted-user 2007-0218 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"79EAC9E4-BAF9-11CE-8C82-00AA004BA90B"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*79EAC9E4-BAF9-11CE-8C82-00AA004BA90B\s*}?\s*(?P=q5)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 7938 WEB-ACTIVEX gopher Asychronous Pluggable Protocol Handler ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-033.mspx attempted-user 2007-0218 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|9|00|E|00|A|00|C|00|9|00|E|00|4|00|-|00|B|00|A|00|F|00|9|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|B|00|A|00|9|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q6>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 7939 WEB-ACTIVEX gopher Asychronous Pluggable Protocol Handler ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-033.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"623E2882-FC0E-11D1-9A77-0000F8756A10"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*623E2882-FC0E-11D1-9A77-0000F8756A10/si"; metadata:policy security-ips drop; classtype:attempted-user; 7940 WEB-ACTIVEX DXImageTransform.Microsoft.Gradient ActiveX CLSID access osvdb.org/27109 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|2|00|3|00|E|00|2|00|8|00|8|00|2|00|-|00|F|00|C|00|0|00|E|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|A|00|7|00|7|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|7|00|5|00|6|00|A|00|1|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x002\x003\x00E\x002\x008\x008\x002\x00-\x00F\x00C\x000\x00E\x00-\x001\x001\x00D\x001\x00-\x009\x00A\x007\x007\x00-\x000\x000\x000\x000\x00F\x008\x007\x005\x006\x00A\x001\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7941 WEB-ACTIVEX DXImageTransform.Microsoft.Gradient ActiveX CLSID unicode access osvdb.org/27109 attempted-user 2007-0218 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"79EAC9E2-BAF9-11CE-8C82-00AA004BA90B"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*79EAC9E2-BAF9-11CE-8C82-00AA004BA90B\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 7942 WEB-ACTIVEX http Asychronous Pluggable Protocol Handler ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-033.mspx attempted-user 2007-0218 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|9|00|E|00|A|00|C|00|9|00|E|00|2|00|-|00|B|00|A|00|F|00|9|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|B|00|A|00|9|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 7943 WEB-ACTIVEX http Asychronous Pluggable Protocol Handler ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-033.mspx attempted-user 2007-0218 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"79EAC9E5-BAF9-11CE-8C82-00AA004BA90B"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*79EAC9E5-BAF9-11CE-8C82-00AA004BA90B\s*}?\s*(?P=q7)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 7944 WEB-ACTIVEX https Asychronous Pluggable Protocol Handler ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-033.mspx attempted-user 2007-0218 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|9|00|E|00|A|00|C|00|9|00|E|00|5|00|-|00|B|00|A|00|F|00|9|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|B|00|A|00|9|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q8>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 7945 WEB-ACTIVEX https Asychronous Pluggable Protocol Handler ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-033.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3A04D93B-1EDD-4F3F-A375-A03EC19572C4"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3A04D93B-1EDD-4F3F-A375-A03EC19572C4/si"; metadata:policy security-ips drop; classtype:attempted-user; 7946 WEB-ACTIVEX DXImageTransform.Microsoft.MaskFilter ActiveX CLSID access www.securityfocus.com/archive/1/443907 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|A|00|0|00|4|00|D|00|9|00|3|00|B|00|-|00|1|00|E|00|D|00|D|00|-|00|4|00|F|00|3|00|F|00|-|00|A|00|3|00|7|00|5|00|-|00|A|00|0|00|3|00|E|00|C|00|1|00|9|00|5|00|7|00|2|00|C|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x00A\x000\x004\x00D\x009\x003\x00B\x00-\x001\x00E\x00D\x00D\x00-\x004\x00F\x003\x00F\x00-\x00A\x003\x007\x005\x00-\x00A\x000\x003\x00E\x00C\x001\x009\x005\x007\x002\x00C\x004\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7947 WEB-ACTIVEX DXImageTransform.Microsoft.MaskFilter ActiveX CLSID unicode access www.securityfocus.com/archive/1/443907 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AF604EFE-8897-11D1-B944-00A0C90312E1"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AF604EFE-8897-11D1-B944-00A0C90312E1/si"; metadata:policy security-ips drop; classtype:attempted-user; 7948 WEB-ACTIVEX Microsoft Common Browser Architecture ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|F|00|6|00|0|00|4|00|E|00|F|00|E|00|-|00|8|00|8|00|9|00|7|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|9|00|4|00|4|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|3|00|1|00|2|00|E|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00F\x006\x000\x004\x00E\x00F\x00E\x00-\x008\x008\x009\x007\x00-\x001\x001\x00D\x001\x00-\x00B\x009\x004\x004\x00-\x000\x000\x00A\x000\x00C\x009\x000\x003\x001\x002\x00E\x001\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7949 WEB-ACTIVEX Microsoft Common Browser Architecture ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B6FFC24C-7E13-11D0-9B47-00C04FC2F51D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FFC24C-7E13-11D0-9B47-00C04FC2F51D/si"; metadata:policy security-ips drop; classtype:attempted-user; 7950 WEB-ACTIVEX Microsoft DirectAnimation Control ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|6|00|F|00|F|00|C|00|2|00|4|00|C|00|-|00|7|00|E|00|1|00|3|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|B|00|4|00|7|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|F|00|5|00|1|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x006\x00F\x00F\x00C\x002\x004\x00C\x00-\x007\x00E\x001\x003\x00-\x001\x001\x00D\x000\x00-\x009\x00B\x004\x007\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00F\x005\x001\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7951 WEB-ACTIVEX Microsoft DirectAnimation Control ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"69AD90EF-1C20-11D1-8801-00C04FC29D46"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*69AD90EF-1C20-11D1-8801-00C04FC29D46/si"; metadata:policy security-ips drop; classtype:attempted-user; 7952 WEB-ACTIVEX Microsoft DirectAnimation Windowed Control ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|9|00|A|00|D|00|9|00|0|00|E|00|F|00|-|00|1|00|C|00|2|00|0|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|8|00|0|00|1|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|9|00|D|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x009\x00A\x00D\x009\x000\x00E\x00F\x00-\x001\x00C\x002\x000\x00-\x001\x001\x00D\x001\x00-\x008\x008\x000\x001\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x009\x00D\x004\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7953 WEB-ACTIVEX Microsoft DirectAnimation Windowed Control ActiveX CLSID unicode access attempted-user 1999-0384 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8BD21D30-EC42-11CE-9E0D-00AA006002F3"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8BD21D30-EC42-11CE-9E0D-00AA006002F3/si"; metadata:policy security-ips drop; classtype:attempted-user; 7954 WEB-ACTIVEX Microsoft Forms 2.0 ComboBox ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms99-001.mspx attempted-user 1999-0384 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|B|00|D|00|2|00|1|00|D|00|3|00|0|00|-|00|E|00|C|00|4|00|2|00|-|00|1|00|1|00|C|00|E|00|-|00|9|00|E|00|0|00|D|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|0|00|0|00|2|00|F|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x00B\x00D\x002\x001\x00D\x003\x000\x00-\x00E\x00C\x004\x002\x00-\x001\x001\x00C\x00E\x00-\x009\x00E\x000\x00D\x00-\x000\x000\x00A\x00A\x000\x000\x006\x000\x000\x002\x00F\x003\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7955 WEB-ACTIVEX Microsoft Forms 2.0 ComboBox ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms99-001.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8BD21D20-EC42-11CE-9E0D-00AA006002F3"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8BD21D20-EC42-11CE-9E0D-00AA006002F3/si"; metadata:policy security-ips drop; classtype:attempted-user; 7956 WEB-ACTIVEX Microsoft Forms 2.0 ListBox ActiveX CLSID access osvdb.org/27372 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|B|00|D|00|2|00|1|00|D|00|2|00|0|00|-|00|E|00|C|00|4|00|2|00|-|00|1|00|1|00|C|00|E|00|-|00|9|00|E|00|0|00|D|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|0|00|0|00|2|00|F|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x00B\x00D\x002\x001\x00D\x002\x000\x00-\x00E\x00C\x004\x002\x00-\x001\x001\x00C\x00E\x00-\x009\x00E\x000\x00D\x00-\x000\x000\x00A\x00A\x000\x000\x006\x000\x000\x002\x00F\x003\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7957 WEB-ACTIVEX Microsoft Forms 2.0 ListBox ActiveX CLSID unicode access osvdb.org/27372 attempted-user 2007-0218 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"79EAC9E6-BAF9-11CE-8C82-00AA004BA90B"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q9>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*79EAC9E6-BAF9-11CE-8C82-00AA004BA90B\s*}?\s*(?P=q9)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 7958 WEB-ACTIVEX mk Asychronous Pluggable Protocol Handler ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-033.mspx attempted-user 2007-0218 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|9|00|E|00|A|00|C|00|9|00|E|00|6|00|-|00|B|00|A|00|F|00|9|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|B|00|A|00|9|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q10>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q10)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 7959 WEB-ACTIVEX mk Asychronous Pluggable Protocol Handler ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-033.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7849596A-48EA-486E-8937-A2A3009F31A9"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7849596A-48EA-486E-8937-A2A3009F31A9/si"; metadata:policy security-ips drop; classtype:attempted-user; 7970 WEB-ACTIVEX PostBootReminder object ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|8|00|4|00|9|00|5|00|9|00|6|00|A|00|-|00|4|00|8|00|E|00|A|00|-|00|4|00|8|00|6|00|E|00|-|00|8|00|9|00|3|00|7|00|-|00|A|00|2|00|A|00|3|00|0|00|0|00|9|00|F|00|3|00|1|00|A|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x008\x004\x009\x005\x009\x006\x00A\x00-\x004\x008\x00E\x00A\x00-\x004\x008\x006\x00E\x00-\x008\x009\x003\x007\x00-\x00A\x002\x00A\x003\x000\x000\x009\x00F\x003\x001\x00A\x009\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7971 WEB-ACTIVEX PostBootReminder object ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F1029E5B-CB5B-11D0-8D59-00C04FD91AC0"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F1029E5B-CB5B-11D0-8D59-00C04FD91AC0/si"; metadata:policy security-ips drop; classtype:attempted-user; 7974 WEB-ACTIVEX Rendezvous Class ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|1|00|0|00|2|00|9|00|E|00|5|00|B|00|-|00|C|00|B|00|5|00|B|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|D|00|5|00|9|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|9|00|1|00|A|00|C|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x001\x000\x002\x009\x00E\x005\x00B\x00-\x00C\x00B\x005\x00B\x00-\x001\x001\x00D\x000\x00-\x008\x00D\x005\x009\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x009\x001\x00A\x00C\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7975 WEB-ACTIVEX Rendezvous Class ActiveX CLSID unicode access 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FBEB8A05-BEEE-4442-804E-409D6C4515E9"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FBEB8A05-BEEE-4442-804E-409D6C4515E9/si"; metadata:policy security-ips drop; classtype:attempted-user; 7976 WEB-ACTIVEX ShellFolder for CD Burning ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|B|00|E|00|B|00|8|00|A|00|0|00|5|00|-|00|B|00|E|00|E|00|E|00|-|00|4|00|4|00|4|00|2|00|-|00|8|00|0|00|4|00|E|00|-|00|4|00|0|00|9|00|D|00|6|00|C|00|4|00|5|00|1|00|5|00|E|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00B\x00E\x00B\x008\x00A\x000\x005\x00-\x00B\x00E\x00E\x00E\x00-\x004\x004\x004\x002\x00-\x008\x000\x004\x00E\x00-\x004\x000\x009\x00D\x006\x00C\x004\x005\x001\x005\x00E\x009\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7977 WEB-ACTIVEX ShellFolder for CD Burning ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx attempted-user 2008-2463 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F2175210-368C-11D0-AD81-00A0C90DC8D9"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F2175210-368C-11D0-AD81-00A0C90DC8D9\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SnapshotPath|CompressedPath)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F2175210-368C-11D0-AD81-00A0C90DC8D9\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(SnapshotPath|CompressedPath))\s*=/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 7981 WEB-ACTIVEX Snapshot Viewer General Property Page Object ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms08-041.mspx attempted-user 2008-2463 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|2|00|1|00|7|00|5|00|2|00|1|00|0|00|-|00|3|00|6|00|8|00|C|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|D|00|8|00|1|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|D|00|C|00|8|00|D|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 7982 WEB-ACTIVEX Snapshot Viewer General Property Page Object ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms08-041.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; metadata:policy security-ips drop; classtype:attempted-user; 7983 WEB-ACTIVEX SuperBuddy Class ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|8|00|9|00|5|00|0|00|4|00|B|00|8|00|-|00|5|00|0|00|D|00|1|00|-|00|4|00|A|00|A|00|8|00|-|00|B|00|4|00|D|00|6|00|-|00|9|00|5|00|C|00|8|00|F|00|5|00|8|00|A|00|6|00|4|00|1|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x009\x005\x000\x004\x00B\x008\x00-\x005\x000\x00D\x001\x00-\x004\x00A\x00A\x008\x00-\x00B\x004\x00D\x006\x00-\x009\x005\x00C\x008\x00F\x005\x008\x00A\x006\x004\x001\x004\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7984 WEB-ACTIVEX SuperBuddy Class ActiveX CLSID unicode access 19030 attempted-user 2006-3730 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E5DF9D10-3B52-11D1-83E8-00A0C90DC849"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 7985 WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.1 ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms06-057.mspx 19030 attempted-user 2006-3730 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|5|00|D|00|F|00|9|00|D|00|1|00|0|00|-|00|3|00|B|00|5|00|2|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|3|00|E|00|8|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|D|00|C|00|8|00|4|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x005\x00D\x00F\x009\x00D\x001\x000\x00-\x003\x00B\x005\x002\x00-\x001\x001\x00D\x001\x00-\x008\x003\x00E\x008\x00-\x000\x000\x00A\x000\x00C\x009\x000\x00D\x00C\x008\x004\x009\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7986 WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms06-057.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"844F4806-E8A8-11D2-9652-00C04FC30871"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*844F4806-E8A8-11D2-9652-00C04FC30871/si"; metadata:policy security-ips drop; classtype:attempted-user; 7987 WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.2 ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|4|00|4|00|F|00|4|00|8|00|0|00|6|00|-|00|E|00|8|00|A|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|6|00|5|00|2|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|3|00|0|00|8|00|7|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x004\x004\x00F\x004\x008\x000\x006\x00-\x00E\x008\x00A\x008\x00-\x001\x001\x00D\x002\x00-\x009\x006\x005\x002\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x003\x000\x008\x007\x001\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7988 WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.2 ActiveX CLSID unicode access 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D2923B86-15F1-46FF-A19A-DE825F919576"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D2923B86-15F1-46FF-A19A-DE825F919576/si"; metadata:policy security-ips drop; classtype:attempted-user; 7989 WEB-ACTIVEX WIA FileSystem USD ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|2|00|9|00|2|00|3|00|B|00|8|00|6|00|-|00|1|00|5|00|F|00|1|00|-|00|4|00|6|00|F|00|F|00|-|00|A|00|1|00|9|00|A|00|-|00|D|00|E|00|8|00|2|00|5|00|F|00|9|00|1|00|9|00|5|00|7|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x002\x009\x002\x003\x00B\x008\x006\x00-\x001\x005\x00F\x001\x00-\x004\x006\x00F\x00F\x00-\x00A\x001\x009\x00A\x00-\x00D\x00E\x008\x002\x005\x00F\x009\x001\x009\x005\x007\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7990 WEB-ACTIVEX WIA FileSystem USD ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"33D9A761-90C8-11D0-BD43-00A0C911CE86"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*33D9A761-90C8-11D0-BD43-00A0C911CE86/si"; metadata:policy security-ips drop; classtype:attempted-user; 7991 WEB-ACTIVEX ACM Class Manager ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|3|00|D|00|9|00|A|00|7|00|6|00|1|00|-|00|9|00|0|00|C|00|8|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x003\x00D\x009\x00A\x007\x006\x001\x00-\x009\x000\x00C\x008\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x004\x003\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7992 WEB-ACTIVEX ACM Class Manager ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E846F0A0-D367-11D1-8286-00A0C9231C29"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E846F0A0-D367-11D1-8286-00A0C9231C29/si"; metadata:policy security-ips drop; classtype:attempted-user; 7993 WEB-ACTIVEX clbcatex.dll ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|8|00|4|00|6|00|F|00|0|00|A|00|0|00|-|00|D|00|3|00|6|00|7|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|2|00|8|00|6|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|2|00|3|00|1|00|C|00|2|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x008\x004\x006\x00F\x000\x00A\x000\x00-\x00D\x003\x006\x007\x00-\x001\x001\x00D\x001\x00-\x008\x002\x008\x006\x00-\x000\x000\x00A\x000\x00C\x009\x002\x003\x001\x00C\x002\x009\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7994 WEB-ACTIVEX clbcatex.dll ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B4B3AECB-DFD6-11D1-9DAA-00805F85CFE3"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4B3AECB-DFD6-11D1-9DAA-00805F85CFE3/si"; metadata:policy security-ips drop; classtype:attempted-user; 7995 WEB-ACTIVEX clbcatq.dll ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|4|00|B|00|3|00|A|00|E|00|C|00|B|00|-|00|D|00|F|00|D|00|6|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|D|00|A|00|A|00|-|00|0|00|0|00|8|00|0|00|5|00|F|00|8|00|5|00|C|00|F|00|E|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x004\x00B\x003\x00A\x00E\x00C\x00B\x00-\x00D\x00F\x00D\x006\x00-\x001\x001\x00D\x001\x00-\x009\x00D\x00A\x00A\x00-\x000\x000\x008\x000\x005\x00F\x008\x005\x00C\x00F\x00E\x003\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7996 WEB-ACTIVEX clbcatq.dll ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8EE42293-C315-11D0-8D6F-00A0C9A06E1F"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8EE42293-C315-11D0-8D6F-00A0C9A06E1F/si"; metadata:policy security-ips drop; classtype:attempted-user; 7997 WEB-ACTIVEX CLSID_ApprenticeICW ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|E|00|E|00|4|00|2|00|2|00|9|00|3|00|-|00|C|00|3|00|1|00|5|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|D|00|6|00|F|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|A|00|0|00|6|00|E|00|1|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x00E\x00E\x004\x002\x002\x009\x003\x00-\x00C\x003\x001\x005\x00-\x001\x001\x00D\x000\x00-\x008\x00D\x006\x00F\x00-\x000\x000\x00A\x000\x00C\x009\x00A\x000\x006\x00E\x001\x00F\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7998 WEB-ACTIVEX CLSID_ApprenticeICW ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"18AB439E-FCF4-40D4-90DA-F79BAA3B0655"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18AB439E-FCF4-40D4-90DA-F79BAA3B0655/si"; metadata:policy security-ips drop; classtype:attempted-user; 7999 WEB-ACTIVEX CLSID_CDIDeviceActionConfigPage ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|8|00|A|00|B|00|4|00|3|00|9|00|E|00|-|00|F|00|C|00|F|00|4|00|-|00|4|00|0|00|D|00|4|00|-|00|9|00|0|00|D|00|A|00|-|00|F|00|7|00|9|00|B|00|A|00|A|00|3|00|B|00|0|00|6|00|5|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x00A\x00B\x004\x003\x009\x00E\x00-\x00F\x00C\x00F\x004\x00-\x004\x000\x00D\x004\x00-\x009\x000\x00D\x00A\x00-\x00F\x007\x009\x00B\x00A\x00A\x003\x00B\x000\x006\x005\x005\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8000 WEB-ACTIVEX CLSID_CDIDeviceActionConfigPage ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"67DCC487-AA48-11D1-8F4F-00C04FB611C7"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*67DCC487-AA48-11D1-8F4F-00C04FB611C7/si"; metadata:policy security-ips drop; classtype:attempted-user; 8001 WEB-ACTIVEX CommunicationManager ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|7|00|D|00|C|00|C|00|4|00|8|00|7|00|-|00|A|00|A|00|4|00|8|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|F|00|4|00|F|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|B|00|6|00|1|00|1|00|C|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x007\x00D\x00C\x00C\x004\x008\x007\x00-\x00A\x00A\x004\x008\x00-\x001\x001\x00D\x001\x00-\x008\x00F\x004\x00F\x00-\x000\x000\x00C\x000\x004\x00F\x00B\x006\x001\x001\x00C\x007\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8002 WEB-ACTIVEX CommunicationManager ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"52CA3BCF-3B9B-419E-A3D6-5D28C0B0B50C"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*52CA3BCF-3B9B-419E-A3D6-5D28C0B0B50C/si"; metadata:policy security-ips drop; classtype:attempted-user; 8003 WEB-ACTIVEX Content.mbcontent.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|2|00|C|00|A|00|3|00|B|00|C|00|F|00|-|00|3|00|B|00|9|00|B|00|-|00|4|00|1|00|9|00|E|00|-|00|A|00|3|00|D|00|6|00|-|00|5|00|D|00|2|00|8|00|C|00|0|00|B|00|0|00|B|00|5|00|0|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x002\x00C\x00A\x003\x00B\x00C\x00F\x00-\x003\x00B\x009\x00B\x00-\x004\x001\x009\x00E\x00-\x00A\x003\x00D\x006\x00-\x005\x00D\x002\x008\x00C\x000\x00B\x000\x00B\x005\x000\x00C\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8004 WEB-ACTIVEX Content.mbcontent.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FD78D554-4C6E-11D0-970D-00A0C9191601"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FD78D554-4C6E-11D0-970D-00A0C9191601/si"; metadata:policy security-ips drop; classtype:attempted-user; 8005 WEB-ACTIVEX DiskManagement.Connection ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|D|00|7|00|8|00|D|00|5|00|5|00|4|00|-|00|4|00|C|00|6|00|E|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|7|00|0|00|D|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|9|00|1|00|6|00|0|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00D\x007\x008\x00D\x005\x005\x004\x00-\x004\x00C\x006\x00E\x00-\x001\x001\x00D\x000\x00-\x009\x007\x000\x00D\x00-\x000\x000\x00A\x000\x00C\x009\x001\x009\x001\x006\x000\x001\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8006 WEB-ACTIVEX DiskManagement.Connection ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"860D28D0-8BF4-11CE-BE59-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*860D28D0-8BF4-11CE-BE59-00AA0051FE20/si"; metadata:policy security-ips drop; classtype:attempted-user; 8007 WEB-ACTIVEX Dutch_Dutch Stemmer ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|6|00|0|00|D|00|2|00|8|00|D|00|0|00|-|00|8|00|B|00|F|00|4|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|9|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x006\x000\x00D\x002\x008\x00D\x000\x00-\x008\x00B\x00F\x004\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x009\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8008 WEB-ACTIVEX Dutch_Dutch Stemmer ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D99F7670-7F1A-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D99F7670-7F1A-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; classtype:attempted-user; 8009 WEB-ACTIVEX English_UK Stemmer ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|9|00|9|00|F|00|7|00|6|00|7|00|0|00|-|00|7|00|F|00|1|00|A|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x009\x009\x00F\x007\x006\x007\x000\x00-\x007\x00F\x001\x00A\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8010 WEB-ACTIVEX English_UK Stemmer ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"EEED4C20-7F1B-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EEED4C20-7F1B-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; classtype:attempted-user; 8011 WEB-ACTIVEX English_US Stemmer ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|E|00|E|00|D|00|4|00|C|00|2|00|0|00|-|00|7|00|F|00|1|00|B|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x00E\x00E\x00D\x004\x00C\x002\x000\x00-\x007\x00F\x001\x00B\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8012 WEB-ACTIVEX English_US Stemmer ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2A6EB050-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2A6EB050-7F1C-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; classtype:attempted-user; 8013 WEB-ACTIVEX French_French Stemmer ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|A|00|6|00|E|00|B|00|0|00|5|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x00A\x006\x00E\x00B\x000\x005\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8014 WEB-ACTIVEX French_French Stemmer ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"510A4910-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*510A4910-7F1C-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; classtype:attempted-user; 8015 WEB-ACTIVEX German_German Stemmer ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|1|00|0|00|A|00|4|00|9|00|1|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x001\x000\x00A\x004\x009\x001\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8016 WEB-ACTIVEX German_German Stemmer ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"33D9A760-90C8-11D0-BD43-00A0C911CE86"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*33D9A760-90C8-11D0-BD43-00A0C911CE86/si"; metadata:policy security-ips drop; classtype:attempted-user; 8017 WEB-ACTIVEX ICM Class Manager ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|3|00|D|00|9|00|A|00|7|00|6|00|0|00|-|00|9|00|0|00|C|00|8|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x003\x00D\x009\x00A\x007\x006\x000\x00-\x009\x000\x00C\x008\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x004\x003\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8018 WEB-ACTIVEX ICM Class Manager ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410/si"; metadata:policy security-ips drop; classtype:attempted-user; 8021 WEB-ACTIVEX ISSimpleCommandCreator.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|7|00|B|00|6|00|C|00|0|00|4|00|A|00|-|00|C|00|B|00|B|00|5|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|B|00|4|00|C|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|F|00|4|00|1|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x007\x00B\x006\x00C\x000\x004\x00A\x00-\x00C\x00B\x00B\x005\x00-\x001\x001\x00D\x000\x00-\x00B\x00B\x004\x00C\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00F\x004\x001\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8022 WEB-ACTIVEX ISSimpleCommandCreator.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6D36CE10-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6D36CE10-7F1C-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; classtype:attempted-user; 8023 WEB-ACTIVEX Italian_Italian Stemmer ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|D|00|3|00|6|00|C|00|E|00|1|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x00D\x003\x006\x00C\x00E\x001\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8024 WEB-ACTIVEX Italian_Italian Stemmer ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3050F391-98B5-11CF-BB82-00AA00BDCE0B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3050F391-98B5-11CF-BB82-00AA00BDCE0B/si"; metadata:policy security-ips drop; classtype:attempted-user; 8025 WEB-ACTIVEX Microsoft HTML Window Security Proxy ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|0|00|5|00|0|00|F|00|3|00|9|00|1|00|-|00|9|00|8|00|B|00|5|00|-|00|1|00|1|00|C|00|F|00|-|00|B|00|B|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|D|00|C|00|E|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x000\x005\x000\x00F\x003\x009\x001\x00-\x009\x008\x00B\x005\x00-\x001\x001\x00C\x00F\x00-\x00B\x00B\x008\x002\x00-\x000\x000\x00A\x00A\x000\x000\x00B\x00D\x00C\x00E\x000\x00B\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8026 WEB-ACTIVEX Microsoft HTML Window Security Proxy ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5D08B586-343A-11D0-AD46-00C04FD8FDFF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5D08B586-343A-11D0-AD46-00C04FD8FDFF/si"; metadata:policy security-ips drop; classtype:attempted-user; 8027 WEB-ACTIVEX Microsoft WBEM Event Subsystem ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|D|00|0|00|8|00|B|00|5|00|8|00|6|00|-|00|3|00|4|00|3|00|A|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|D|00|4|00|6|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|8|00|F|00|D|00|F|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x00D\x000\x008\x00B\x005\x008\x006\x00-\x003\x004\x003\x00A\x00-\x001\x001\x00D\x000\x00-\x00A\x00D\x004\x006\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x008\x00F\x00D\x00F\x00F\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8028 WEB-ACTIVEX Microsoft WBEM Event Subsystem ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4EFE2452-168A-11D1-BC76-00C04FB9453B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4EFE2452-168A-11D1-BC76-00C04FB9453B/si"; metadata:policy security-ips drop; classtype:attempted-user; 8029 WEB-ACTIVEX MidiOut Class Manager ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|E|00|F|00|E|00|2|00|4|00|5|00|2|00|-|00|1|00|6|00|8|00|A|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|C|00|7|00|6|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|B|00|9|00|4|00|5|00|3|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x00E\x00F\x00E\x002\x004\x005\x002\x00-\x001\x006\x008\x00A\x00-\x001\x001\x00D\x001\x00-\x00B\x00C\x007\x006\x00-\x000\x000\x00C\x000\x004\x00F\x00B\x009\x004\x005\x003\x00B\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8030 WEB-ACTIVEX MidiOut Class Manager ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"466D66FA-9616-11D2-9342-0000F875AE17"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*466D66FA-9616-11D2-9342-0000F875AE17/si"; metadata:policy security-ips drop; classtype:attempted-user; 8031 WEB-ACTIVEX Mslablti.MarshalableTI.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|6|00|6|00|D|00|6|00|6|00|F|00|A|00|-|00|9|00|6|00|1|00|6|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|3|00|4|00|2|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|7|00|5|00|A|00|E|00|1|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x006\x006\x00D\x006\x006\x00F\x00A\x00-\x009\x006\x001\x006\x00-\x001\x001\x00D\x002\x00-\x009\x003\x004\x002\x00-\x000\x000\x000\x000\x00F\x008\x007\x005\x00A\x00E\x001\x007\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8032 WEB-ACTIVEX Mslablti.MarshalableTI.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ECABB0BF-7F19-11D2-978E-0000F8757E2A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ECABB0BF-7F19-11D2-978E-0000F8757E2A/si"; metadata:policy security-ips drop; classtype:attempted-user; 8033 WEB-ACTIVEX QC.MessageMover.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|C|00|A|00|B|00|B|00|0|00|B|00|F|00|-|00|7|00|F|00|1|00|9|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|7|00|8|00|E|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|7|00|5|00|7|00|E|00|2|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x00C\x00A\x00B\x00B\x000\x00B\x00F\x00-\x007\x00F\x001\x009\x00-\x001\x001\x00D\x002\x00-\x009\x007\x008\x00E\x00-\x000\x000\x000\x000\x00F\x008\x007\x005\x007\x00E\x002\x00A\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8034 WEB-ACTIVEX QC.MessageMover.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B0516FF0-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0516FF0-7F1C-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; classtype:attempted-user; 8035 WEB-ACTIVEX Spanish_Modern Stemmer ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|0|00|5|00|1|00|6|00|F|00|F|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x000\x005\x001\x006\x00F\x00F\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8036 WEB-ACTIVEX Spanish_Modern Stemmer ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9478F640-7F1C-11CE-BE57-00AA0051FE20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9478F640-7F1C-11CE-BE57-00AA0051FE20/si"; metadata:policy security-ips drop; classtype:attempted-user; 8037 WEB-ACTIVEX Swedish_Default Stemmer ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|4|00|7|00|8|00|F|00|6|00|4|00|0|00|-|00|7|00|F|00|1|00|C|00|-|00|1|00|1|00|C|00|E|00|-|00|B|00|E|00|5|00|7|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|1|00|F|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x004\x007\x008\x00F\x006\x004\x000\x00-\x007\x00F\x001\x00C\x00-\x001\x001\x00C\x00E\x00-\x00B\x00E\x005\x007\x00-\x000\x000\x00A\x00A\x000\x000\x005\x001\x00F\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8038 WEB-ACTIVEX Swedish_Default Stemmer ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"85BBD920-42A0-1069-A2E4-08002B30309D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*85BBD920-42A0-1069-A2E4-08002B30309D/si"; metadata:policy security-ips drop; classtype:attempted-user; 8039 WEB-ACTIVEX syncui.dll ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|5|00|B|00|B|00|D|00|9|00|2|00|0|00|-|00|4|00|2|00|A|00|0|00|-|00|1|00|0|00|6|00|9|00|-|00|A|00|2|00|E|00|4|00|-|00|0|00|8|00|0|00|0|00|2|00|B|00|3|00|0|00|3|00|0|00|9|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x005\x00B\x00B\x00D\x009\x002\x000\x00-\x004\x002\x00A\x000\x00-\x001\x000\x006\x009\x00-\x00A\x002\x00E\x004\x00-\x000\x008\x000\x000\x002\x00B\x003\x000\x003\x000\x009\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8040 WEB-ACTIVEX syncui.dll ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"860BB310-5D01-11D0-BD3B-00A0C911CE86"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*860BB310-5D01-11D0-BD3B-00A0C911CE86/si"; metadata:policy security-ips drop; classtype:attempted-user; 8041 WEB-ACTIVEX VFW Capture Class Manager ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|6|00|0|00|B|00|B|00|3|00|1|00|0|00|-|00|5|00|D|00|0|00|1|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|3|00|B|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x006\x000\x00B\x00B\x003\x001\x000\x00-\x005\x00D\x000\x001\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x003\x00B\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8042 WEB-ACTIVEX VFW Capture Class Manager ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CC7BFB42-F175-11D1-A392-00E0291F3959"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CC7BFB42-F175-11D1-A392-00E0291F3959/si"; metadata:policy security-ips drop; classtype:attempted-user; 8043 WEB-ACTIVEX Video Effect Class Manager 1 Input ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|C|00|7|00|B|00|F|00|B|00|4|00|2|00|-|00|F|00|1|00|7|00|5|00|-|00|1|00|1|00|D|00|1|00|-|00|A|00|3|00|9|00|2|00|-|00|0|00|0|00|E|00|0|00|2|00|9|00|1|00|F|00|3|00|9|00|5|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00C\x007\x00B\x00F\x00B\x004\x002\x00-\x00F\x001\x007\x005\x00-\x001\x001\x00D\x001\x00-\x00A\x003\x009\x002\x00-\x000\x000\x00E\x000\x002\x009\x001\x00F\x003\x009\x005\x009\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8044 WEB-ACTIVEX Video Effect Class Manager 1 Input ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CC7BFB43-F175-11D1-A392-00E0291F3959"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CC7BFB43-F175-11D1-A392-00E0291F3959/si"; metadata:policy security-ips drop; classtype:attempted-user; 8045 WEB-ACTIVEX Video Effect Class Manager 2 Input ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|C|00|7|00|B|00|F|00|B|00|4|00|3|00|-|00|F|00|1|00|7|00|5|00|-|00|1|00|1|00|D|00|1|00|-|00|A|00|3|00|9|00|2|00|-|00|0|00|0|00|E|00|0|00|2|00|9|00|1|00|F|00|3|00|9|00|5|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00C\x007\x00B\x00F\x00B\x004\x003\x00-\x00F\x001\x007\x005\x00-\x001\x001\x00D\x001\x00-\x00A\x003\x009\x002\x00-\x000\x000\x00E\x000\x002\x009\x001\x00F\x003\x009\x005\x009\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8046 WEB-ACTIVEX Video Effect Class Manager 2 Input ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"33D9A762-90C8-11D0-BD43-00A0C911CE86"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*33D9A762-90C8-11D0-BD43-00A0C911CE86/si"; metadata:policy security-ips drop; classtype:attempted-user; 8047 WEB-ACTIVEX WaveIn Class Manager ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|3|00|D|00|9|00|A|00|7|00|6|00|2|00|-|00|9|00|0|00|C|00|8|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*3\x003\x00D\x009\x00A\x007\x006\x002\x00-\x009\x000\x00C\x008\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x004\x003\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8048 WEB-ACTIVEX WaveIn Class Manager ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E0F158E1-CB04-11D0-BD4E-00A0C911CE86"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E0F158E1-CB04-11D0-BD4E-00A0C911CE86/si"; metadata:policy security-ips drop; classtype:attempted-user; 8049 WEB-ACTIVEX WaveOut and DSound Class Manager ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|0|00|F|00|1|00|5|00|8|00|E|00|1|00|-|00|C|00|B|00|0|00|4|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|D|00|4|00|E|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|1|00|1|00|C|00|E|00|8|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x000\x00F\x001\x005\x008\x00E\x001\x00-\x00C\x00B\x000\x004\x00-\x001\x001\x00D\x000\x00-\x00B\x00D\x004\x00E\x00-\x000\x000\x00A\x000\x00C\x009\x001\x001\x00C\x00E\x008\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8050 WEB-ACTIVEX WaveOut and DSound Class Manager ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D2D588B5-D081-11D0-99E0-00C04FC2F8EC"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D2D588B5-D081-11D0-99E0-00C04FC2F8EC/si"; metadata:policy security-ips drop; classtype:attempted-user; 8051 WEB-ACTIVEX WDM Instance Provider ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|2|00|D|00|5|00|8|00|8|00|B|00|5|00|-|00|D|00|0|00|8|00|1|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|9|00|E|00|0|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|F|00|8|00|E|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x002\x00D\x005\x008\x008\x00B\x005\x00-\x00D\x000\x008\x001\x00-\x001\x001\x00D\x000\x00-\x009\x009\x00E\x000\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00F\x008\x00E\x00C\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8052 WEB-ACTIVEX WDM Instance Provider ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 19738 attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D7A7D7C3-D47F-11D0-89D3-00A0C90833E6"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D7A7D7C3-D47F-11D0-89D3-00A0C90833E6/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 8053 WEB-ACTIVEX DirectAnimation.PathControl ActiveX CLSID access 19738 attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|7|00|A|00|7|00|D|00|7|00|C|00|3|00|-|00|D|00|4|00|7|00|F|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|9|00|D|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|8|00|3|00|3|00|E|00|6|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x007\x00A\x007\x00D\x007\x00C\x003\x00-\x00D\x004\x007\x00F\x00-\x001\x001\x00D\x000\x00-\x008\x009\x00D\x003\x00-\x000\x000\x00A\x000\x00C\x009\x000\x008\x003\x003\x00E\x006\x00/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 8054 WEB-ACTIVEX DirectAnimation.PathControl ActiveX CLSID unicode access 19738 attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.PathControl"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.PathControl\x22|\x27DirectAnimation.PathControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.PathControl\x22|\x27DirectAnimation.PathControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 8055 WEB-ACTIVEX DirectAnimation.PathControl ActiveX function call access 10514 attempted-user 2004-0549 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|0|00|0|00|5|00|6|00|6|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|1|00|0|00|-|00|8|00|0|00|0|00|0|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|6|00|D|00|2|00|E|00|A|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x000\x000\x005\x006\x006\x00-\x000\x000\x000\x000\x00-\x000\x000\x001\x000\x00-\x008\x000\x000\x000\x00-\x000\x000\x00A\x00A\x000\x000\x006\x00D\x002\x00E\x00A\x004\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8062 WEB-ACTIVEX ADODB.Stream ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms04-025.mspx 10514 attempted-user 2004-0549 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ADODB.Stream"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22ADODB.Stream\x22|\x27ADODB.Stream\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22ADODB.Stream\x22|\x27ADODB.Stream\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8063 WEB-ACTIVEX ADODB.Stream ActiveX function call access www.microsoft.com/technet/security/bulletin/ms04-025.mspx 598 attempted-user 2000-1061 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"06290BD5-48AA-11D2-8432-006008C3FBFC"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*06290BD5-48AA-11D2-8432-006008C3FBFC/si"; metadata:policy security-ips drop; classtype:attempted-user; 8064 WEB-ACTIVEX Scriptlet.Typelib ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS00-075.mspx 598 attempted-user 2000-1061 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|6|00|2|00|9|00|0|00|B|00|D|00|5|00|-|00|4|00|8|00|A|00|A|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|4|00|3|00|2|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|C|00|3|00|F|00|B|00|F|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x006\x002\x009\x000\x00B\x00D\x005\x00-\x004\x008\x00A\x00A\x00-\x001\x001\x00D\x002\x00-\x008\x004\x003\x002\x00-\x000\x000\x006\x000\x000\x008\x00C\x003\x00F\x00B\x00F\x00C\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8065 WEB-ACTIVEX Scriptlet.Typelib ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS00-075.mspx 8456 attempted-user 2003-0532 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F935DC22-1CF0-11D0-ADB9-00C04FD58A0B/si"; metadata:policy security-ips drop; classtype:attempted-user; 8066 WEB-ACTIVEX Windows Scripting Host Shell ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS99-032.mspx 8456 attempted-user 2003-0532 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|9|00|3|00|5|00|D|00|C|00|2|00|2|00|-|00|1|00|C|00|F|00|0|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|D|00|B|00|9|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|5|00|8|00|A|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x009\x003\x005\x00D\x00C\x002\x002\x00-\x001\x00C\x00F\x000\x00-\x001\x001\x00D\x000\x00-\x00A\x00D\x00B\x009\x00-\x000\x000\x00C\x000\x004\x00F\x00D\x005\x008\x00A\x000\x00B\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8067 WEB-ACTIVEX Windows Scripting Host Shell ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS99-032.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"wscript.shell"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22wscript.shell\x22|\x27wscript.shell\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22wscript.shell\x22|\x27wscript.shell\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:attempted-user; 8068 WEB-ACTIVEX Windows Scripting Host Shell ActiveX function call access 1754 attempted-user 2000-1061 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0D43FE01-F093-11CF-8940-00A0C9054228"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0D43FE01-F093-11CF-8940-00A0C9054228/si"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 8069 WEB-ACTIVEX Microsoft Virtual Machine ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms00-075.mspx 1754 attempted-user 2000-1061 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|D|00|4|00|3|00|F|00|E|00|0|00|1|00|-|00|F|00|0|00|9|00|3|00|-|00|1|00|1|00|C|00|F|00|-|00|8|00|9|00|4|00|0|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|5|00|4|00|2|00|2|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x00D\x004\x003\x00F\x00E\x000\x001\x00-\x00F\x000\x009\x003\x00-\x001\x001\x00C\x00F\x00-\x008\x009\x004\x000\x00-\x000\x000\x00A\x000\x00C\x009\x000\x005\x004\x002\x002\x008\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8070 WEB-ACTIVEX Microsoft Virtual Machine ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms00-075.mspx 16636 attempted-admin 2006-0013 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:C8CB7687-E6D3-11D2-A958-00C04F682E16; dce_opnum:0; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,8,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 8253 NETBIOS DCERPC NCACN-IP-TCP webdav DavrCreateConnection username overflow attempt www.microsoft.com/technet/security/bulletin/MS06-008.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AB9BCEDD-EC7E-47E1-9322-D4A210617116"; fast_pattern:only; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AB9BCEDD-EC7E-47E1-9322-D4A210617116/si"; metadata:policy security-ips drop; classtype:attempted-user; 8363 WEB-ACTIVEX Business Object Factory ActiveX CLSID access metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|B|00|9|00|B|00|C|00|E|00|D|00|D|00|-|00|E|00|C|00|7|00|E|00|-|00|4|00|7|00|E|00|1|00|-|00|9|00|3|00|2|00|2|00|-|00|D|00|4|00|A|00|2|00|1|00|0|00|6|00|1|00|7|00|1|00|1|00|6|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00B\x009\x00B\x00C\x00E\x00D\x00D\x00-\x00E\x00C\x007\x00E\x00-\x004\x007\x00E\x001\x00-\x009\x003\x002\x002\x00-\x00D\x004\x00A\x002\x001\x000\x006\x001\x007\x001\x001\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8364 WEB-ACTIVEX Business Object Factory ActiveX CLSID unicode access metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"639F725F-1B2D-4831-A9FD-874847682010"; fast_pattern:only; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*639F725F-1B2D-4831-A9FD-874847682010/si"; metadata:policy security-ips drop; classtype:attempted-user; 8365 WEB-ACTIVEX DExplore.AppObj.8.0 ActiveX CLSID access metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|3|00|9|00|F|00|7|00|2|00|5|00|F|00|-|00|1|00|B|00|2|00|D|00|-|00|4|00|8|00|3|00|1|00|-|00|A|00|9|00|F|00|D|00|-|00|8|00|7|00|4|00|8|00|4|00|7|00|6|00|8|00|2|00|0|00|1|00|0|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x003\x009\x00F\x007\x002\x005\x00F\x00-\x001\x00B\x002\x00D\x00-\x004\x008\x003\x001\x00-\x00A\x009\x00F\x00D\x00-\x008\x007\x004\x008\x004\x007\x006\x008\x002\x000\x001\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8366 WEB-ACTIVEX DExplore.AppObj.8.0 ActiveX CLSID unicode access metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D0C07D56-7C69-43F1-B4A0-25F5A11FAB19"; fast_pattern:only; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D0C07D56-7C69-43F1-B4A0-25F5A11FAB19/si"; metadata:policy security-ips drop; classtype:attempted-user; 8367 WEB-ACTIVEX Microsoft.DbgClr.DTE.8.0 ActiveX CLSID access metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|0|00|C|00|0|00|7|00|D|00|5|00|6|00|-|00|7|00|C|00|6|00|9|00|-|00|4|00|3|00|F|00|1|00|-|00|B|00|4|00|A|00|0|00|-|00|2|00|5|00|F|00|5|00|A|00|1|00|1|00|F|00|A|00|B|00|1|00|9|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x000\x00C\x000\x007\x00D\x005\x006\x00-\x007\x00C\x006\x009\x00-\x004\x003\x00F\x001\x00-\x00B\x004\x00A\x000\x00-\x002\x005\x00F\x005\x00A\x001\x001\x00F\x00A\x00B\x001\x009\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8368 WEB-ACTIVEX Microsoft.DbgClr.DTE.8.0 ActiveX CLSID unicode access metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm attempted-user 2006-4704 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7F5B7F63-F06F-4331-8A26-339E03C0AE3D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F5B7F63-F06F-4331-8A26-339E03C0AE3D/si"; metadata:policy security-ips drop; classtype:attempted-user; 8369 WEB-ACTIVEX WMIScriptUtils.WMIObjectBroker2.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms06-073.mspx attempted-user 2006-4704 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|F|00|5|00|B|00|7|00|F|00|6|00|3|00|-|00|F|00|0|00|6|00|F|00|-|00|4|00|3|00|3|00|1|00|-|00|8|00|A|00|2|00|6|00|-|00|3|00|3|00|9|00|E|00|0|00|3|00|C|00|0|00|A|00|E|00|3|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x00F\x005\x00B\x007\x00F\x006\x003\x00-\x00F\x000\x006\x00F\x00-\x004\x003\x003\x001\x00-\x008\x00A\x002\x006\x00-\x003\x003\x009\x00E\x000\x003\x00C\x000\x00A\x00E\x003\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8370 WEB-ACTIVEX WMIScriptUtils.WMIObjectBroker2.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms06-073.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"06723E09-F4C2-43c8-8358-09FCD1DB0766"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*06723E09-F4C2-43c8-8358-09FCD1DB0766/si"; metadata:policy security-ips drop; classtype:attempted-user; 8373 WEB-ACTIVEX VsmIDE.DTE ActiveX CLSID access metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|6|00|7|00|2|00|3|00|E|00|0|00|9|00|-|00|F|00|4|00|C|00|2|00|-|00|4|00|3|00|c|00|8|00|-|00|8|00|3|00|5|00|8|00|-|00|0|00|9|00|F|00|C|00|D|00|1|00|D|00|B|00|0|00|7|00|6|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x006\x007\x002\x003\x00E\x000\x009\x00-\x00F\x004\x00C\x002\x00-\x004\x003\x00c\x008\x00-\x008\x003\x005\x008\x00-\x000\x009\x00F\x00C\x00D\x001\x00D\x00B\x000\x007\x006\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8374 WEB-ACTIVEX VsmIDE.DTE ActiveX CLSID unicode access metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"18C628EE-962A-11D2-8D08-00A0C9441E20"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18C628EE-962A-11D2-8D08-00A0C9441E20/si"; metadata:policy security-ips drop; classtype:attempted-user; 8379 WEB-ACTIVEX Xml2Dex ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|8|00|C|00|6|00|2|00|8|00|E|00|E|00|-|00|9|00|6|00|2|00|A|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|D|00|0|00|8|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|4|00|4|00|1|00|E|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*1\x008\x00C\x006\x002\x008\x00E\x00E\x00-\x009\x006\x002\x00A\x00-\x001\x001\x00D\x002\x00-\x008\x00D\x000\x008\x00-\x000\x000\x00A\x000\x00C\x009\x004\x004\x001\x00E\x002\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8380 WEB-ACTIVEX Xml2Dex ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"47F59200-8783-11D2-8343-00A0C945A819"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*47F59200-8783-11D2-8343-00A0C945A819/si"; metadata:policy security-ips drop; classtype:attempted-user; 8391 WEB-ACTIVEX RFXInstMgr Class ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|7|00|F|00|5|00|9|00|2|00|0|00|0|00|-|00|8|00|7|00|8|00|3|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|3|00|4|00|3|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|4|00|5|00|A|00|8|00|1|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x007\x00F\x005\x009\x002\x000\x000\x00-\x008\x007\x008\x003\x00-\x001\x001\x00D\x002\x00-\x008\x003\x004\x003\x00-\x000\x000\x00A\x000\x00C\x009\x004\x005\x00A\x008\x001\x009\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8392 WEB-ACTIVEX RFXInstMgr Class ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"61C669C7-EDDD-4277-BF5E-64807CB8DCEF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*61C669C7-EDDD-4277-BF5E-64807CB8DCEF/si"; metadata:policy security-ips drop; classtype:attempted-user; 8393 WEB-ACTIVEX WebDetectFrm ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|1|00|C|00|6|00|6|00|9|00|C|00|7|00|-|00|E|00|D|00|D|00|D|00|-|00|4|00|2|00|7|00|7|00|-|00|B|00|F|00|5|00|E|00|-|00|6|00|4|00|8|00|0|00|7|00|C|00|B|00|8|00|D|00|C|00|E|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x001\x00C\x006\x006\x009\x00C\x007\x00-\x00E\x00D\x00D\x00D\x00-\x004\x002\x007\x007\x00-\x00B\x00F\x005\x00E\x00-\x006\x004\x008\x000\x007\x00C\x00B\x008\x00D\x00C\x00E\x00F\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8394 WEB-ACTIVEX WebDetectFrm ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"63500AE2-0858-11D2-8CE4-00C04F8ECB10"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*63500AE2-0858-11D2-8CE4-00C04F8ECB10/si"; metadata:policy security-ips drop; classtype:attempted-user; 8395 WEB-ACTIVEX DX3DTransform.Microsoft.CrShatter ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|3|00|5|00|0|00|0|00|A|00|E|00|2|00|-|00|0|00|8|00|5|00|8|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|C|00|E|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|8|00|E|00|C|00|B|00|1|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x003\x005\x000\x000\x00A\x00E\x002\x00-\x000\x008\x005\x008\x00-\x001\x001\x00D\x002\x00-\x008\x00C\x00E\x004\x00-\x000\x000\x00C\x000\x004\x00F\x008\x00E\x00C\x00B\x001\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8396 WEB-ACTIVEX DX3DTransform.Microsoft.CrShatter ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"742D385A-D5BF-427D-9AF2-88258FB73EAF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*742D385A-D5BF-427D-9AF2-88258FB73EAF/si"; metadata:policy security-ips drop; classtype:attempted-user; 8399 WEB-ACTIVEX Microsoft.WebCapture ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|4|00|2|00|D|00|3|00|8|00|5|00|A|00|-|00|D|00|5|00|B|00|F|00|-|00|4|00|2|00|7|00|D|00|-|00|9|00|A|00|F|00|2|00|-|00|8|00|8|00|2|00|5|00|8|00|F|00|B|00|7|00|3|00|E|00|A|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x004\x002\x00D\x003\x008\x005\x00A\x00-\x00D\x005\x00B\x00F\x00-\x004\x002\x007\x00D\x00-\x009\x00A\x00F\x002\x00-\x008\x008\x002\x005\x008\x00F\x00B\x007\x003\x00E\x00A\x00F\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8400 WEB-ACTIVEX Microsoft.WebCapture ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"88D96A07-F192-11D4-A65F-0040963251E5"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*88D96A07-F192-11D4-A65F-0040963251E5/si"; metadata:policy security-ips drop; classtype:attempted-user; 8403 WEB-ACTIVEX XML Schema Cache 6.0 ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|8|00|D|00|9|00|6|00|A|00|0|00|7|00|-|00|F|00|1|00|9|00|2|00|-|00|1|00|1|00|D|00|4|00|-|00|A|00|6|00|5|00|F|00|-|00|0|00|0|00|4|00|0|00|9|00|6|00|3|00|2|00|5|00|1|00|E|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x008\x00D\x009\x006\x00A\x000\x007\x00-\x00F\x001\x009\x002\x00-\x001\x001\x00D\x004\x00-\x00A\x006\x005\x00F\x00-\x000\x000\x004\x000\x009\x006\x003\x002\x005\x001\x00E\x005\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8404 WEB-ACTIVEX XML Schema Cache 6.0 ActiveX CLSID unicode access 20915 attempted-user 2006-5745 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"88D96A0A-F192-11D4-A65F-0040963251E5"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*88D96A0A-F192-11D4-A65F-0040963251E5\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 8405 WEB-ACTIVEX ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms06-071.mspx 20915 attempted-user 2006-5745 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|8|00|D|00|9|00|6|00|A|00|0|00|A|00|-|00|F|00|1|00|9|00|2|00|-|00|1|00|1|00|D|00|4|00|-|00|A|00|6|00|5|00|F|00|-|00|0|00|0|00|4|00|0|00|9|00|6|00|3|00|2|00|5|00|1|00|E|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 8406 WEB-ACTIVEX ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms06-071.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"99EA8527-6A6A-40FE-A67C-82CF763902D0"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*99EA8527-6A6A-40FE-A67C-82CF763902D0/si"; metadata:policy security-ips drop; classtype:attempted-user; 8407 WEB-ACTIVEX VisualExec Control ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|9|00|E|00|A|00|8|00|5|00|2|00|7|00|-|00|6|00|A|00|6|00|A|00|-|00|4|00|0|00|F|00|E|00|-|00|A|00|6|00|7|00|C|00|-|00|8|00|2|00|C|00|F|00|7|00|6|00|3|00|9|00|0|00|2|00|D|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x009\x00E\x00A\x008\x005\x002\x007\x00-\x006\x00A\x006\x00A\x00-\x004\x000\x00F\x00E\x00-\x00A\x006\x007\x00C\x00-\x008\x002\x00C\x00F\x007\x006\x003\x009\x000\x002\x00D\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8408 WEB-ACTIVEX VisualExec Control ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B005E690-678D-11D1-B758-00A0C90564FE"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B005E690-678D-11D1-B758-00A0C90564FE/si"; metadata:policy security-ips drop; classtype:attempted-user; 8411 WEB-ACTIVEX DocFind Command ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|0|00|0|00|5|00|E|00|6|00|9|00|0|00|-|00|6|00|7|00|8|00|D|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|7|00|5|00|8|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|5|00|6|00|4|00|F|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x000\x000\x005\x00E\x006\x009\x000\x00-\x006\x007\x008\x00D\x00-\x001\x001\x00D\x001\x00-\x00B\x007\x005\x008\x00-\x000\x000\x00A\x000\x00C\x009\x000\x005\x006\x004\x00F\x00E\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8412 WEB-ACTIVEX DocFind Command ActiveX CLSID unicode access 18946 attempted-user 2006-3591 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"TriEditDocument.TriEditDocument"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22TriEditDocument.TriEditDocument\x22|\x27TriEditDocument.TriEditDocument\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TriEditDocument.TriEditDocument\x22|\x27TriEditDocument.TriEditDocument\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8417 WEB-ACTIVEX TriEditDocument.TriEditDocument ActiveX function call access osvdb.org/27056 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DXImageTransform.Microsoft.RevealTrans.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DXImageTransform.Microsoft.RevealTrans.1\x22|\x27DXImageTransform.Microsoft.RevealTrans.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DXImageTransform.Microsoft.RevealTrans.1\x22|\x27DXImageTransform.Microsoft.RevealTrans.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8418 WEB-ACTIVEX DXImageTransform.Microsoft.RevealTrans ActiveX function call access osvdb.org/27057 19030 attempted-user 2006-3730 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"WebViewFolderIcon.WebViewFolderIcon.1"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 8419 WEB-ACTIVEX WebViewFolderIcon.WebViewFolderIcon.1 ActiveX function call www.microsoft.com/technet/security/bulletin/ms06-057.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DXImageTransform.Microsoft.Gradient.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DXImageTransform.Microsoft.Gradient.1\x22|\x27DXImageTransform.Microsoft.Gradient.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DXImageTransform.Microsoft.Gradient.1\x22|\x27DXImageTransform.Microsoft.Gradient.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:attempted-user; 8420 WEB-ACTIVEX DXImageTransform.Microsoft.Gradient ActiveX function call access osvdb.org/27109 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"OWC11.DataSourceControl.11"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22OWC11.DataSourceControl.11\x22|\x27OWC11.DataSourceControl.11\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22OWC11.DataSourceControl.11\x22|\x27OWC11.DataSourceControl.11\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:attempted-user; 8421 WEB-ACTIVEX OWC11.DataSourceControl.11 ActiveX function call access osvdb.org/27111 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CEnroll.CEnroll.2"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22CEnroll.CEnroll.2\x22|\x27CEnroll.CEnroll.2\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22CEnroll.CEnroll.2\x22|\x27CEnroll.CEnroll.2\x27)\s*\)/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:attempted-user; 8423 WEB-ACTIVEX CEnroll.CEnroll.2 ActiveX function call access osvdb.org/27230 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Forms.ListBox.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Forms.ListBox.1\x22|\x27Forms.ListBox.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Forms.ListBox.1\x22|\x27Forms.ListBox.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:attempted-user; 8424 WEB-ACTIVEX Microsoft Forms 2.0 ListBox ActiveX function call access osvdb.org/27372 19340 attempted-user 2006-3638 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DXImageTransform.Microsoft.NDFXArtEffects.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DXImageTransform.Microsoft.NDFXArtEffects.1\x22|\x27DXImageTransform.Microsoft.NDFXArtEffects.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DXImageTransform.Microsoft.NDFXArtEffects.1\x22|\x27DXImageTransform.Microsoft.NDFXArtEffects.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8425 WEB-ACTIVEX DXImageTransform.Microsoft.NDFXArtEffects ActiveX function call access www.microsoft.com/technet/security/Bulletin/MS06-042.mspx misc-activity 2006-0001 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"CHNKINK "; metadata:policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 8478 WEB-CLIENT Microsoft Publisher file download attempt www.microsoft.com/technet/security/bulletin/ms06-054.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E8CCCDDF-CA28-496b-B050-6C07C962476B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E8CCCDDF-CA28-496b-B050-6C07C962476B/si"; metadata:policy security-ips drop; classtype:attempted-user; 8717 WEB-ACTIVEX VsaIDE.DTE ActiveX CLSID access metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|8|00|C|00|C|00|C|00|D|00|D|00|F|00|-|00|C|00|A|00|2|00|8|00|-|00|4|00|9|00|6|00|b|00|-|00|B|00|0|00|5|00|0|00|-|00|6|00|C|00|0|00|7|00|C|00|9|00|6|00|2|00|4|00|7|00|6|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*E\x008\x00C\x00C\x00C\x00D\x00D\x00F\x00-\x00C\x00A\x002\x008\x00-\x004\x009\x006\x00b\x00-\x00B\x000\x005\x000\x00-\x006\x00C\x000\x007\x00C\x009\x006\x002\x004\x007\x006\x00B\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8718 WEB-ACTIVEX VsaIDE.DTE ActiveX CLSID unicode access metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BA018599-1DB3-44f9-83B4-461454C84BF8"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BA018599-1DB3-44f9-83B4-461454C84BF8/si"; metadata:policy security-ips drop; classtype:attempted-user; 8719 WEB-ACTIVEX VisualStudio.DTE.8.0 ActiveX CLSID access metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|A|00|0|00|1|00|8|00|5|00|9|00|9|00|-|00|1|00|D|00|B|00|3|00|-|00|4|00|4|00|f|00|9|00|-|00|8|00|3|00|B|00|4|00|-|00|4|00|6|00|1|00|4|00|5|00|4|00|C|00|8|00|4|00|B|00|F|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x00A\x000\x001\x008\x005\x009\x009\x00-\x001\x00D\x00B\x003\x00-\x004\x004\x00f\x009\x00-\x008\x003\x00B\x004\x00-\x004\x006\x001\x004\x005\x004\x00C\x008\x004\x00B\x00F\x008\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8720 WEB-ACTIVEX VisualStudio.DTE.8.0 ActiveX CLSID unicode access metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm 1899 attempted-user 2000-1034 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C4D2D8E0-D1DD-11CE-940F-008029004347"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C4D2D8E0-D1DD-11CE-940F-008029004347/si"; metadata:policy security-ips drop; classtype:attempted-user; 8725 WEB-ACTIVEX System Monitor ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS00-085.mspx 1899 attempted-user 2000-1034 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|D|00|2|00|D|00|8|00|E|00|0|00|-|00|D|00|1|00|D|00|D|00|-|00|1|00|1|00|C|00|E|00|-|00|9|00|4|00|0|00|F|00|-|00|0|00|0|00|8|00|0|00|2|00|9|00|0|00|0|00|4|00|3|00|4|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x00D\x002\x00D\x008\x00E\x000\x00-\x00D\x001\x00D\x00D\x00-\x001\x001\x00C\x00E\x00-\x009\x004\x000\x00F\x00-\x000\x000\x008\x000\x002\x009\x000\x000\x004\x003\x004\x007\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8726 WEB-ACTIVEX System Monitor ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS00-085.mspx 20915 attempted-user 2006-5745 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"88d969c5-f192-11d4-a65f-0040963251e5"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*88d969c5-f192-11d4-a65f-0040963251e5\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 8727 WEB-ACTIVEX XMLHTTP 4.0 ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms06-071.mspx 20915 attempted-user 2006-5745 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|8|00|d|00|9|00|6|00|9|00|c|00|5|00|-|00|f|00|1|00|9|00|2|00|-|00|1|00|1|00|d|00|4|00|-|00|a|00|6|00|5|00|f|00|-|00|0|00|0|00|4|00|0|00|9|00|6|00|3|00|2|00|5|00|1|00|e|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 8728 WEB-ACTIVEX XMLHTTP 4.0 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms06-071.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"85A4A99C-8C3D-499E-A386-E0743DFF8FB7"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*85A4A99C-8C3D-499E-A386-E0743DFF8FB7/si"; metadata:policy security-ips drop; classtype:attempted-user; 8735 WEB-ACTIVEX BOWebAgent.Webagent.1 ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|5|00|A|00|4|00|A|00|9|00|9|00|C|00|-|00|8|00|C|00|3|00|D|00|-|00|4|00|9|00|9|00|E|00|-|00|A|00|3|00|8|00|6|00|-|00|E|00|0|00|7|00|4|00|3|00|D|00|F|00|F|00|8|00|F|00|B|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*8\x005\x00A\x004\x00A\x009\x009\x00C\x00-\x008\x00C\x003\x00D\x00-\x004\x009\x009\x00E\x00-\x00A\x003\x008\x006\x00-\x00E\x000\x007\x004\x003\x00D\x00F\x00F\x008\x00F\x00B\x007\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8736 WEB-ACTIVEX BOWebAgent.Webagent.1 ActiveX CLSID unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BOWebAgent.Webagent.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22BOWebAgent.Webagent.1\x22|\x27BOWebAgent.Webagent.1\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(DownloadAndExecute|AddFileEx)\s*\(|.*\3\s*\.\s*(DownloadAndExecute|AddFileEx)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BOWebAgent.Webagent.1\x22|\x27BOWebAgent.Webagent.1\x27)\s*\)(\s*\.\s*(DownloadAndExecute|AddFileEx)\s*\(|.*\7\s*\.\s*(DownloadAndExecute|AddFileEx)\s*\()/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8737 WEB-ACTIVEX BOWebAgent.Webagent.1 ActiveX function call access attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"25B0F91C-D23D-11D0-9B85-00C04FC2F51D"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*25B0F91C-D23D-11D0-9B85-00C04FC2F51D/si"; metadata:policy security-ips drop; classtype:attempted-user; 8741 WEB-ACTIVEX DirectAnimation.DAFontStyle.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|5|00|B|00|0|00|F|00|9|00|1|00|C|00|-|00|D|00|2|00|3|00|D|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|B|00|8|00|5|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|F|00|5|00|1|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x005\x00B\x000\x00F\x009\x001\x00C\x00-\x00D\x002\x003\x00D\x00-\x001\x001\x00D\x000\x00-\x009\x00B\x008\x005\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00F\x005\x001\x00D\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8742 WEB-ACTIVEX DirectAnimation.DAFontStyle.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAFontStyle.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAFontStyle.1\x22|\x27DirectAnimation.DAFontStyle.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAFontStyle.1\x22|\x27DirectAnimation.DAFontStyle.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8743 WEB-ACTIVEX DirectAnimation.DAFontStyle.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"50B4791F-4731-11D0-8912-00C04FC2A0CA"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*50B4791F-4731-11D0-8912-00C04FC2A0CA/si"; metadata:policy security-ips drop; classtype:attempted-user; 8744 WEB-ACTIVEX DirectAnimation.DAEvent.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|0|00|B|00|4|00|7|00|9|00|1|00|F|00|-|00|4|00|7|00|3|00|1|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|9|00|1|00|2|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|A|00|0|00|C|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*5\x000\x00B\x004\x007\x009\x001\x00F\x00-\x004\x007\x003\x001\x00-\x001\x001\x00D\x000\x00-\x008\x009\x001\x002\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00A\x000\x00C\x00A\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8745 WEB-ACTIVEX DirectAnimation.DAEvent.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAEvent.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAEvent.1\x22|\x27DirectAnimation.DAEvent.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAEvent.1\x22|\x27DirectAnimation.DAEvent.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8746 WEB-ACTIVEX DirectAnimation.DAEvent.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BEC-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BEC-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8747 WEB-ACTIVEX DirectAnimation.DAEndStyle.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|C|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x00C\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8748 WEB-ACTIVEX DirectAnimation.DAEndStyle.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAEndStyle.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAEndStyle.1\x22|\x27DirectAnimation.DAEndStyle.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAEndStyle.1\x22|\x27DirectAnimation.DAEndStyle.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8749 WEB-ACTIVEX DirectAnimation.DAEndStyle.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B1549E58-3894-11D2-BB7F-00A0C999C4C1"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B1549E58-3894-11D2-BB7F-00A0C999C4C1/si"; metadata:policy security-ips drop; classtype:attempted-user; 8750 WEB-ACTIVEX LM.LMBehaviorFactory.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|1|00|5|00|4|00|9|00|E|00|5|00|8|00|-|00|3|00|8|00|9|00|4|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|B|00|7|00|F|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|9|00|9|00|C|00|4|00|C|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x001\x005\x004\x009\x00E\x005\x008\x00-\x003\x008\x009\x004\x00-\x001\x001\x00D\x002\x00-\x00B\x00B\x007\x00F\x00-\x000\x000\x00A\x000\x00C\x009\x009\x009\x00C\x004\x00C\x001\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8751 WEB-ACTIVEX LM.LMBehaviorFactory.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"LM.LMBehaviorFactory.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22LM.LMBehaviorFactory.1\x22|\x27LM.LMBehaviorFactory.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22LM.LMBehaviorFactory.1\x22|\x27LM.LMBehaviorFactory.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8752 WEB-ACTIVEX LM.LMBehaviorFactory.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BB339A46-7C49-11d2-9BF3-00C04FA34789"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BB339A46-7C49-11d2-9BF3-00C04FA34789/si"; metadata:policy security-ips drop; classtype:attempted-user; 8753 WEB-ACTIVEX LM.AutoEffectBvr.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|B|00|3|00|3|00|9|00|A|00|4|00|6|00|-|00|7|00|C|00|4|00|9|00|-|00|1|00|1|00|d|00|2|00|-|00|9|00|B|00|F|00|3|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|A|00|3|00|4|00|7|00|8|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x00B\x003\x003\x009\x00A\x004\x006\x00-\x007\x00C\x004\x009\x00-\x001\x001\x00d\x002\x00-\x009\x00B\x00F\x003\x00-\x000\x000\x00C\x000\x004\x00F\x00A\x003\x004\x007\x008\x009\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8754 WEB-ACTIVEX LM.AutoEffectBvr.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"LM.AutoEffectBvr.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22LM.AutoEffectBvr.1\x22|\x27LM.AutoEffectBvr.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22LM.AutoEffectBvr.1\x22|\x27LM.AutoEffectBvr.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8755 WEB-ACTIVEX LM.AutoEffectBvr.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FD179533-D86E-11D0-89D6-00A0C90833E6"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FD179533-D86E-11D0-89D6-00A0C90833E6/si"; metadata:policy security-ips drop; classtype:attempted-user; 8756 WEB-ACTIVEX DirectAnimation.SpriteControl ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|D|00|1|00|7|00|9|00|5|00|3|00|3|00|-|00|D|00|8|00|6|00|E|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|9|00|D|00|6|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|8|00|3|00|3|00|E|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*F\x00D\x001\x007\x009\x005\x003\x003\x00-\x00D\x008\x006\x00E\x00-\x001\x001\x00D\x000\x00-\x008\x009\x00D\x006\x00-\x000\x000\x00A\x000\x00C\x009\x000\x008\x003\x003\x00E\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8757 WEB-ACTIVEX DirectAnimation.SpriteControl ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.SpriteControl"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.SpriteControl\x22|\x27DirectAnimation.SpriteControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.SpriteControl\x22|\x27DirectAnimation.SpriteControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8758 WEB-ACTIVEX DirectAnimation.SpriteControl ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B0A6BAE2-AAF0-11D0-A152-00A0C908DB96"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0A6BAE2-AAF0-11D0-A152-00A0C908DB96/si"; metadata:policy security-ips drop; classtype:attempted-user; 8759 WEB-ACTIVEX DirectAnimation.SequencerControl ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|0|00|A|00|6|00|B|00|A|00|E|00|2|00|-|00|A|00|A|00|F|00|0|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|1|00|5|00|2|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|8|00|D|00|B|00|9|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x000\x00A\x006\x00B\x00A\x00E\x002\x00-\x00A\x00A\x00F\x000\x00-\x001\x001\x00D\x000\x00-\x00A\x001\x005\x002\x00-\x000\x000\x00A\x000\x00C\x009\x000\x008\x00D\x00B\x009\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8760 WEB-ACTIVEX DirectAnimation.SequencerControl ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.SequencerControl"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.SequencerControl\x22|\x27DirectAnimation.SequencerControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.SequencerControl\x22|\x27DirectAnimation.SequencerControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8761 WEB-ACTIVEX DirectAnimation.SequencerControl ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4F241DB1-EE9F-11D0-9824-006097C99E51"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4F241DB1-EE9F-11D0-9824-006097C99E51/si"; metadata:policy security-ips drop; classtype:attempted-user; 8762 WEB-ACTIVEX DirectAnimation.Sequence ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|F|00|2|00|4|00|1|00|D|00|B|00|1|00|-|00|E|00|E|00|9|00|F|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|8|00|2|00|4|00|-|00|0|00|0|00|6|00|0|00|9|00|7|00|C|00|9|00|9|00|E|00|5|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*4\x00F\x002\x004\x001\x00D\x00B\x001\x00-\x00E\x00E\x009\x00F\x00-\x001\x001\x00D\x000\x00-\x009\x008\x002\x004\x00-\x000\x000\x006\x000\x009\x007\x00C\x009\x009\x00E\x005\x001\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8763 WEB-ACTIVEX DirectAnimation.Sequence ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.Sequence"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.Sequence\x22|\x27DirectAnimation.Sequence\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.Sequence\x22|\x27DirectAnimation.Sequence\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8764 WEB-ACTIVEX DirectAnimation.Sequence ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"283807B5-2C60-11D0-A31D-00AA00B92C03"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*283807B5-2C60-11D0-A31D-00AA00B92C03/si"; metadata:policy security-ips drop; classtype:attempted-user; 8765 WEB-ACTIVEX DirectAnimation.DAView.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|8|00|3|00|8|00|0|00|7|00|B|00|5|00|-|00|2|00|C|00|6|00|0|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|3|00|1|00|D|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|9|00|2|00|C|00|0|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*2\x008\x003\x008\x000\x007\x00B\x005\x00-\x002\x00C\x006\x000\x00-\x001\x001\x00D\x000\x00-\x00A\x003\x001\x00D\x00-\x000\x000\x00A\x00A\x000\x000\x00B\x009\x002\x00C\x000\x003\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8766 WEB-ACTIVEX DirectAnimation.DAView.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAView.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAView.1\x22|\x27DirectAnimation.DAView.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAView.1\x22|\x27DirectAnimation.DAView.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8767 WEB-ACTIVEX DirectAnimation.DAView.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BDA-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BDA-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8768 WEB-ACTIVEX DirectAnimation.DAVector3.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|A|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x00A\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8769 WEB-ACTIVEX DirectAnimation.DAVector3.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAVector3.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAVector3.1\x22|\x27DirectAnimation.DAVector3.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAVector3.1\x22|\x27DirectAnimation.DAVector3.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8770 WEB-ACTIVEX DirectAnimation.DAVector3.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BCA-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BCA-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8771 WEB-ACTIVEX DirectAnimation.DAVector2.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|A|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x00A\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8772 WEB-ACTIVEX DirectAnimation.DAVector2.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAVector2.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAVector2.1\x22|\x27DirectAnimation.DAVector2.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAVector2.1\x22|\x27DirectAnimation.DAVector2.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8773 WEB-ACTIVEX DirectAnimation.DAVector2.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AF868304-AB0B-11D0-876A-00C04FC29D46"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AF868304-AB0B-11D0-876A-00C04FC29D46/si"; metadata:policy security-ips drop; classtype:attempted-user; 8774 WEB-ACTIVEX DirectAnimation.DAUserData.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|F|00|8|00|6|00|8|00|3|00|0|00|4|00|-|00|A|00|B|00|0|00|B|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|7|00|6|00|A|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|9|00|D|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*A\x00F\x008\x006\x008\x003\x000\x004\x00-\x00A\x00B\x000\x00B\x00-\x001\x001\x00D\x000\x00-\x008\x007\x006\x00A\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x009\x00D\x004\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8775 WEB-ACTIVEX DirectAnimation.DAUserData.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAUserData.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAUserData.1\x22|\x27DirectAnimation.DAUserData.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAUserData.1\x22|\x27DirectAnimation.DAUserData.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8776 WEB-ACTIVEX DirectAnimation.DAUserData.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BDC-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BDC-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8777 WEB-ACTIVEX DirectAnimation.DATransform3.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|C|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x00C\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8778 WEB-ACTIVEX DirectAnimation.DATransform3.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DATransform3.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DATransform3.1\x22|\x27DirectAnimation.DATransform3.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DATransform3.1\x22|\x27DirectAnimation.DATransform3.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8779 WEB-ACTIVEX DirectAnimation.DATransform3.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BCC-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BCC-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8780 WEB-ACTIVEX DirectAnimation.DATransform2.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|C|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x00C\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8781 WEB-ACTIVEX DirectAnimation.DATransform2.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DATransform2.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DATransform2.1\x22|\x27DirectAnimation.DATransform2.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DATransform2.1\x22|\x27DirectAnimation.DATransform2.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8782 WEB-ACTIVEX DirectAnimation.DATransform2.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BC4-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BC4-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8783 WEB-ACTIVEX DirectAnimation.DAString.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|4|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x004\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8784 WEB-ACTIVEX DirectAnimation.DAString.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAString.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAString.1\x22|\x27DirectAnimation.DAString.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAString.1\x22|\x27DirectAnimation.DAString.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8785 WEB-ACTIVEX DirectAnimation.DAString.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BE4-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BE4-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8786 WEB-ACTIVEX DirectAnimation.DASound.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|4|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x004\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8787 WEB-ACTIVEX DirectAnimation.DASound.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DASound.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DASound.1\x22|\x27DirectAnimation.DASound.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DASound.1\x22|\x27DirectAnimation.DASound.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8788 WEB-ACTIVEX DirectAnimation.DASound.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BD8-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD8-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8789 WEB-ACTIVEX DirectAnimation.DAPoint3.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|8|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x008\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8790 WEB-ACTIVEX DirectAnimation.DAPoint3.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAPoint3.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAPoint3.1\x22|\x27DirectAnimation.DAPoint3.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAPoint3.1\x22|\x27DirectAnimation.DAPoint3.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8791 WEB-ACTIVEX DirectAnimation.DAPoint3.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BC8-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BC8-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8792 WEB-ACTIVEX DirectAnimation.DAPoint2.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|8|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x008\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8793 WEB-ACTIVEX DirectAnimation.DAPoint2.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAPoint2.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAPoint2.1\x22|\x27DirectAnimation.DAPoint2.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAPoint2.1\x22|\x27DirectAnimation.DAPoint2.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8794 WEB-ACTIVEX DirectAnimation.DAPoint2.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BD0-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD0-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8795 WEB-ACTIVEX DirectAnimation.DAPath2.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|0|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x000\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8796 WEB-ACTIVEX DirectAnimation.DAPath2.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAPath2.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAPath2.1\x22|\x27DirectAnimation.DAPath2.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAPath2.1\x22|\x27DirectAnimation.DAPath2.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8797 WEB-ACTIVEX DirectAnimation.DAPath2.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BF4-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BF4-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8798 WEB-ACTIVEX DirectAnimation.DAPair.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|F|00|4|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00F\x004\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8799 WEB-ACTIVEX DirectAnimation.DAPair.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAPair.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAPair.1\x22|\x27DirectAnimation.DAPair.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAPair.1\x22|\x27DirectAnimation.DAPair.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8800 WEB-ACTIVEX DirectAnimation.DAPair.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9CDE7341-3C20-11D0-A330-00AA00B92C03"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9CDE7341-3C20-11D0-A330-00AA00B92C03/si"; metadata:policy security-ips drop; classtype:attempted-user; 8801 WEB-ACTIVEX DirectAnimation.DANumber.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|C|00|D|00|E|00|7|00|3|00|4|00|1|00|-|00|3|00|C|00|2|00|0|00|-|00|1|00|1|00|D|00|0|00|-|00|A|00|3|00|3|00|0|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|9|00|2|00|C|00|0|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*9\x00C\x00D\x00E\x007\x003\x004\x001\x00-\x003\x00C\x002\x000\x00-\x001\x001\x00D\x000\x00-\x00A\x003\x003\x000\x00-\x000\x000\x00A\x00A\x000\x000\x00B\x009\x002\x00C\x000\x003\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8802 WEB-ACTIVEX DirectAnimation.DANumber.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DANumber.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DANumber.1\x22|\x27DirectAnimation.DANumber.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DANumber.1\x22|\x27DirectAnimation.DANumber.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8803 WEB-ACTIVEX DirectAnimation.DANumber.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BD6-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD6-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8804 WEB-ACTIVEX DirectAnimation.DAMontage.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|6|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x006\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8805 WEB-ACTIVEX DirectAnimation.DAMontage.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAMontage.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAMontage.1\x22|\x27DirectAnimation.DAMontage.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAMontage.1\x22|\x27DirectAnimation.DAMontage.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8806 WEB-ACTIVEX DirectAnimation.DAMontage.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BE6-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BE6-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8807 WEB-ACTIVEX DirectAnimation.DAMicrophone.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|6|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x006\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8808 WEB-ACTIVEX DirectAnimation.DAMicrophone.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAMicrophone.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAMicrophone.1\x22|\x27DirectAnimation.DAMicrophone.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAMicrophone.1\x22|\x27DirectAnimation.DAMicrophone.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8809 WEB-ACTIVEX DirectAnimation.DAMicrophone.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BD2-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD2-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8810 WEB-ACTIVEX DirectAnimation.DAMatte.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|2|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x002\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8811 WEB-ACTIVEX DirectAnimation.DAMatte.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAMatte.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAMatte.1\x22|\x27DirectAnimation.DAMatte.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAMatte.1\x22|\x27DirectAnimation.DAMatte.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8812 WEB-ACTIVEX DirectAnimation.DAMatte.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BF2-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BF2-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8813 WEB-ACTIVEX DirectAnimation.DALineStyle.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|F|00|2|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00F\x002\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8814 WEB-ACTIVEX DirectAnimation.DALineStyle.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DALineStyle.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DALineStyle.1\x22|\x27DirectAnimation.DALineStyle.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DALineStyle.1\x22|\x27DirectAnimation.DALineStyle.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8815 WEB-ACTIVEX DirectAnimation.DALineStyle.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BEE-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BEE-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8816 WEB-ACTIVEX DirectAnimation.DAJoinStyle.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|E|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x00E\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8817 WEB-ACTIVEX DirectAnimation.DAJoinStyle.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAJoinStyle.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAJoinStyle.1\x22|\x27DirectAnimation.DAJoinStyle.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAJoinStyle.1\x22|\x27DirectAnimation.DAJoinStyle.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8818 WEB-ACTIVEX DirectAnimation.DAJoinStyle.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BD4-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BD4-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8819 WEB-ACTIVEX DirectAnimation.DAImage.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|4|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x004\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8820 WEB-ACTIVEX DirectAnimation.DAImage.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAImage.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAImage.1\x22|\x27DirectAnimation.DAImage.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAImage.1\x22|\x27DirectAnimation.DAImage.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8821 WEB-ACTIVEX DirectAnimation.DAImage.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BE0-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BE0-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8822 WEB-ACTIVEX DirectAnimation.DAGeometry.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|0|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x000\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8823 WEB-ACTIVEX DirectAnimation.DAGeometry.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAGeometry.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAGeometry.1\x22|\x27DirectAnimation.DAGeometry.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAGeometry.1\x22|\x27DirectAnimation.DAGeometry.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8824 WEB-ACTIVEX DirectAnimation.DAGeometry.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BF0-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BF0-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8825 WEB-ACTIVEX DirectAnimation.DADashStyle.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|F|00|0|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00F\x000\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8826 WEB-ACTIVEX DirectAnimation.DADashStyle.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DADashStyle.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DADashStyle.1\x22|\x27DirectAnimation.DADashStyle.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DADashStyle.1\x22|\x27DirectAnimation.DADashStyle.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8827 WEB-ACTIVEX DirectAnimation.DADashStyle.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BC6-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BC6-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8828 WEB-ACTIVEX DirectAnimation.DAColor.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|6|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x006\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8829 WEB-ACTIVEX DirectAnimation.DAColor.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAColor.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAColor.1\x22|\x27DirectAnimation.DAColor.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAColor.1\x22|\x27DirectAnimation.DAColor.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8830 WEB-ACTIVEX DirectAnimation.DAColor.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BE2-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BE2-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8831 WEB-ACTIVEX DirectAnimation.DACamera.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|E|00|2|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00E\x002\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8832 WEB-ACTIVEX DirectAnimation.DACamera.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DACamera.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DACamera.1\x22|\x27DirectAnimation.DACamera.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DACamera.1\x22|\x27DirectAnimation.DACamera.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8833 WEB-ACTIVEX DirectAnimation.DACamera.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BC1-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BC1-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8834 WEB-ACTIVEX DirectAnimation.DABoolean.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|1|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x001\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8835 WEB-ACTIVEX DirectAnimation.DABoolean.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DABoolean.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DABoolean.1\x22|\x27DirectAnimation.DABoolean.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DABoolean.1\x22|\x27DirectAnimation.DABoolean.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8836 WEB-ACTIVEX DirectAnimation.DABoolean.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BDE-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BDE-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8837 WEB-ACTIVEX DirectAnimation.DABbox3.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|D|00|E|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00D\x00E\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8838 WEB-ACTIVEX DirectAnimation.DABbox3.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DABbox3.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DABbox3.1\x22|\x27DirectAnimation.DABbox3.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DABbox3.1\x22|\x27DirectAnimation.DABbox3.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8839 WEB-ACTIVEX DirectAnimation.DABbox3.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C46C1BCE-3C52-11D0-9200-848C1D000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C46C1BCE-3C52-11D0-9200-848C1D000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 8840 WEB-ACTIVEX DirectAnimation.DABbox2.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|4|00|6|00|C|00|1|00|B|00|C|00|E|00|-|00|3|00|C|00|5|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|2|00|0|00|0|00|-|00|8|00|4|00|8|00|C|00|1|00|D|00|0|00|0|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x004\x006\x00C\x001\x00B\x00C\x00E\x00-\x003\x00C\x005\x002\x00-\x001\x001\x00D\x000\x00-\x009\x002\x000\x000\x00-\x008\x004\x008\x00C\x001\x00D\x000\x000\x000\x000\x000\x000\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8841 WEB-ACTIVEX DirectAnimation.DABbox2.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DABbox2.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DABbox2.1\x22|\x27DirectAnimation.DABbox2.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DABbox2.1\x22|\x27DirectAnimation.DABbox2.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8842 WEB-ACTIVEX DirectAnimation.DABbox2.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D17506C3-6B26-11D0-8914-00C04FC2A0CA"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D17506C3-6B26-11D0-8914-00C04FC2A0CA/si"; metadata:policy security-ips drop; classtype:attempted-user; 8843 WEB-ACTIVEX DirectAnimation.DAArray.1 ActiveX CLSID access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|1|00|7|00|5|00|0|00|6|00|C|00|3|00|-|00|6|00|B|00|2|00|6|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|9|00|1|00|4|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|C|00|2|00|A|00|0|00|C|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*D\x001\x007\x005\x000\x006\x00C\x003\x00-\x006\x00B\x002\x006\x00-\x001\x001\x00D\x000\x00-\x008\x009\x001\x004\x00-\x000\x000\x00C\x000\x004\x00F\x00C\x002\x00A\x000\x00C\x00A\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8844 WEB-ACTIVEX DirectAnimation.DAArray.1 ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2006-4777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectAnimation.DAArray.1"; fast_pattern:only; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation.DAArray.1\x22|\x27DirectAnimation.DAArray.1\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation.DAArray.1\x22|\x27DirectAnimation.DAArray.1\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8845 WEB-ACTIVEX DirectAnimation.DAArray.1 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS06-067.mspx attempted-user 2007-1205 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D45FD31E-5C6E-11D1-9EC1-00C04FD7081F"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D45FD31E-5C6E-11D1-9EC1-00C04FD7081F\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 8846 WEB-ACTIVEX Microsoft Agent Character Custom Proxy Class ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-020.mspx attempted-user 2007-1205 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|4|00|5|00|F|00|D|00|3|00|1|00|E|00|-|00|5|00|C|00|6|00|E|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|E|00|C|00|1|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|7|00|0|00|8|00|1|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 8847 WEB-ACTIVEX Microsoft Agent Character Custom Proxy Class ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-020.mspx attempted-user 2007-1205 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D45FD31D-5C6E-11D1-9EC1-00C04FD7081F"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D45FD31D-5C6E-11D1-9EC1-00C04FD7081F\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 8848 WEB-ACTIVEX Microsoft Agent Notify Sink Custom Proxy Class ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-020.mspx attempted-user 2007-1205 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|4|00|5|00|F|00|D|00|3|00|1|00|D|00|-|00|5|00|C|00|6|00|E|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|E|00|C|00|1|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|7|00|0|00|8|00|1|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 8849 WEB-ACTIVEX Microsoft Agent Notify Sink Custom Proxy Class ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-020.mspx attempted-user 2007-1205 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4BAC124B-78C8-11D1-B9A8-00C04FD97575"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4BAC124B-78C8-11D1-B9A8-00C04FD97575\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 8850 WEB-ACTIVEX Microsoft Agent Custom Proxy Class ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-020.mspx attempted-user 2007-1205 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|B|00|A|00|C|00|1|00|2|00|4|00|B|00|-|00|7|00|8|00|C|00|8|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|9|00|A|00|8|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|9|00|7|00|5|00|7|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 8851 WEB-ACTIVEX Microsoft Agent Custom Proxy Class ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-020.mspx attempted-user 2007-1205 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D45FD31B-5C6E-11D1-9EC1-00C04FD7081F"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D45FD31B-5C6E-11D1-9EC1-00C04FD7081F\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Characters.Load)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D45FD31B-5C6E-11D1-9EC1-00C04FD7081F\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Characters.Load))\s*\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 8852 WEB-ACTIVEX Microsoft Agent v2.0 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-020.mspx attempted-user 2007-1205 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|4|00|5|00|F|00|D|00|3|00|1|00|B|00|-|00|5|00|C|00|6|00|E|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|E|00|C|00|1|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|7|00|0|00|8|00|1|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 8853 WEB-ACTIVEX Microsoft Agent v2.0 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-020.mspx attempted-user 2007-1205 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Agent.Control.2"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Agent\.Control\.2\x22|\x27Agent\.Control\.2\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Characters.Load\s*|.*(?P=v)\s*\.\s*Characters.Load\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Agent\.Control\.2\x22|\x27Agent\.Control\.2\x27)\s*\)(\s*\.\s*Characters.Load\s*|.*(?P=n)\s*\.\s*Characters.Load\s*)\s*\(/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8854 WEB-ACTIVEX Microsoft Agent v2.0 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS07-020.mspx attempted-user 2007-1205 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|5|00|B|00|E|00|8|00|B|00|D|00|2|00|-|00|7|00|D|00|E|00|6|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|1|00|F|00|E|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|7|00|0|00|1|00|A|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 8855 WEB-ACTIVEX Microsoft Agent v1.5 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-020.mspx attempted-user 2007-1205 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Agent.Control.1"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Agent\.Control\.1\x22|\x27Agent\.Control\.1\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Agent\.Control\.1\x22|\x27Agent\.Control\.1\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8856 WEB-ACTIVEX Microsoft Agent v1.5 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS07-020.mspx attempted-admin 2006-4691 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:6bffd098-a112-3610-9833-46c3f87e345a; dce_opnum:22; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; content:"|5C 00|"; distance:12; content:!"|00 00|"; within:256; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 9027 NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrJoinDomain2 overflow attempt 11921 www.microsoft.com/technet/security/Bulletin/MS06-070.mspx 21108 attempted-user 2006-5198 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A09AE68F-B14D-43ED-B713-BA413F034904"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A09AE68F-B14D-43ED-B713-BA413F034904\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 9129 WEB-ACTIVEX WinZip FileView 6.1 ActiveX clsid access www.winzip.com/wz7245.htm 21108 attempted-user 2006-5198 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|0|00|9|00|A|00|E|00|6|00|8|00|F|00|-|00|B|00|1|00|4|00|D|00|-|00|4|00|3|00|E|00|D|00|-|00|B|00|7|00|1|00|3|00|-|00|B|00|A|00|4|00|1|00|3|00|F|00|0|00|3|00|4|00|9|00|0|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x000\x009\x00A\x00E\x006\x008\x00F\x00-\x00B\x001\x004\x00D\x00-\x004\x003\x00E\x00D\x00-\x00B\x007\x001\x003\x00-\x00B\x00A\x004\x001\x003\x00F\x000\x003\x004\x009\x000\x004\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 9130 WEB-ACTIVEX WinZip FileView 6.1 ActiveX clsid unicode access www.winzip.com/wz7245.htm 21108 attempted-user 2006-5198 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"WZFILEVIEW.FileViewCtrl.61"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22WZFILEVIEW\.FileViewCtrl\.61(\.\d)?\x22|\x27WZFILEVIEW\.FileViewCtrl\.61(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WZFILEVIEW\.FileViewCtrl\.61(\.\d)?\x22|\x27WZFILEVIEW\.FileViewCtrl\.61(\.\d)?\x27)\s*\)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 9131 WEB-ACTIVEX WinZip FileView 6.1 ActiveX function call access www.winzip.com/wz7245.htm attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D9998BD0-7957-11D2-8FED-00606730D3AA"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D9998BD0-7957-11D2-8FED-00606730D3AA\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 9427 WEB-ACTIVEX Acer LunchApp.APlunch ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms07-027.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|9|00|9|00|9|00|8|00|B|00|D|00|0|00|-|00|7|00|9|00|5|00|7|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|F|00|E|00|D|00|-|00|0|00|0|00|6|00|0|00|6|00|7|00|3|00|0|00|D|00|3|00|A|00|A|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 9428 WEB-ACTIVEX Acer LunchApp.APlunch ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms07-027.mspx 21034 attempted-user 2006-3445 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"|C2 AB CD AB|"; byte_test:4,<,500,0,relative,little; metadata:policy security-ips drop; classtype:attempted-user; 9433 WEB-CLIENT Microsoft Agent buffer overflow attempt www.microsoft.com/technet/security/bulletin/ms06-068.mspx 21155 attempted-user 2006-6236 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CA8A9780-280D-11CF-A24D-444553540000"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CA8A9780-280D-11CF-A24D-444553540000\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(execCommand|LoadFile|src|setLayoutMode|setNamedDest|setPageMode)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CA8A9780-280D-11CF-A24D-444553540000\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(execCommand|LoadFile|src|setLayoutMode|setNamedDest|setPageMode))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 9626 WEB-ACTIVEX AcroPDF.PDF ActiveX clsid access www.adobe.com/support/security/advisories/apsa06-02.html 21155 attempted-user 2006-6236 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|A|00|8|00|A|00|9|00|7|00|8|00|0|00|-|00|2|00|8|00|0|00|D|00|-|00|1|00|1|00|C|00|F|00|-|00|A|00|2|00|4|00|D|00|-|00|4|00|4|00|4|00|5|00|5|00|3|00|5|00|4|00|0|00|0|00|0|00|0|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00A\x008\x00A\x009\x007\x008\x000\x00-\x002\x008\x000\x00D\x00-\x001\x001\x00C\x00F\x00-\x00A\x002\x004\x00D\x00-\x004\x004\x004\x005\x005\x003\x005\x004\x000\x000\x000\x000\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 9627 WEB-ACTIVEX AcroPDF.PDF ActiveX clsid unicode access www.adobe.com/support/security/advisories/apsa06-02.html 23246 attempted-user 2006-6334 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"238F6F83-B8B4-11cf-8771-00A024541EE3"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*238F6F83-B8B4-11cf-8771-00A024541EE3\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SendChannelData)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*238F6F83-B8B4-11cf-8771-00A024541EE3\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SendChannelData))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 9629 WEB-ACTIVEX Citrix.ICAClient ActiveX clsid access support.citrix.com/article/CTX111827 23246 attempted-user 2006-6334 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|3|00|8|00|F|00|6|00|F|00|8|00|3|00|-|00|B|00|8|00|B|00|4|00|-|00|1|00|1|00|c|00|f|00|-|00|8|00|7|00|7|00|1|00|-|00|0|00|0|00|A|00|0|00|2|00|4|00|5|00|4|00|1|00|E|00|E|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x003\x008\x00F\x006\x00F\x008\x003\x00-\x00B\x008\x00B\x004\x00-\x001\x001\x00c\x00f\x00-\x008\x007\x007\x001\x00-\x000\x000\x00A\x000\x002\x004\x005\x004\x001\x00E\x00E\x003\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 9630 WEB-ACTIVEX Citrix.ICAClient ActiveX clsid unicode access support.citrix.com/article/CTX111827 23246 attempted-user 2006-6334 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Citrix.ICAClient"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22Citrix\.ICAClient(\.\d)?\x22|\x27Citrix\.ICAClient(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SendChannelData\s*|.*(?P=v)\s*\.\s*SendChannelData\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Citrix\.ICAClient(\.\d)?\x22|\x27Citrix\.ICAClient(\.\d)?\x27)\s*\)(\s*\.\s*SendChannelData\s*|.*(?P=n)\s*\.\s*SendChannelData\s*)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 9631 WEB-ACTIVEX Citrix.ICAClient ActiveX function call access support.citrix.com/article/CTX111827 attempted-user 2006-5559 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ADODB.Connection.2.7"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22ADODB.Connection.2.7\x22|\x27ADODB.Connection.2.7\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(Execute)\s*\(|.*\3\s*\.\s*(Execute)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ADODB.Connection.2.7\x22|\x27ADODB.Connection.2.7\x27)\s*\)(\s*\.\s*(Execute)\s*\(|.*\7\s*\.\s*(Execute)\s*\()/smi"; metadata:policy security-ips drop; classtype:attempted-user; 9640 WEB-ACTIVEX ADODB.Connection ActiveX function call access www.microsoft.com/technet/security/bulletin/ms07-009.mspx attempted-admin 2005-0059 tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] flow:established,to_server; dce_iface:975201B0-59CA-11D0-A8D5-00A0C90D8051; dce_opnum:4; dce_stub_data; byte_test:4,>,128,8,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:attempted-admin; 9769 NETBIOS DCERPC NCACN-IP-TCP msqueue function 4 overflow attempt www.microsoft.com/technet/security/Bulletin/MS05-017.mspx 21607 attempted-user 2006-6603 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AA218328-0EA8-4D70-8972-E987A9190FF4"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*id\s*=((\x22|\x27)([^\2]*)\2)\s*classid\s*=\s*(\x22|\x27|)clsid\s*\x3a\s*{?\s*AA218328-0EA8-4D70-8972-E987A9190FF4\s*}?\4.*\3\.(TextETACalculating)\(|<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AA218328-0EA8-4D70-8972-E987A9190FF4\s*}?\s*\6\s*id\s*=\s*((\x22|\x27)([^\8]*)\8).*\9\.(TextETACalculating)\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 9793 WEB-ACTIVEX YMMAPI.YMailAttach ActiveX clsid access messenger.yahoo.com/security_update.php?id=120806 21607 attempted-user 2006-6603 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|A|00|2|00|1|00|8|00|3|00|2|00|8|00|-|00|0|00|E|00|A|00|8|00|-|00|4|00|D|00|7|00|0|00|-|00|8|00|9|00|7|00|2|00|-|00|E|00|9|00|8|00|7|00|A|00|9|00|1|00|9|00|0|00|F|00|F|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x00A\x002\x001\x008\x003\x002\x008\x00-\x000\x00E\x00A\x008\x00-\x004\x00D\x007\x000\x00-\x008\x009\x007\x002\x00-\x00E\x009\x008\x007\x00A\x009\x001\x009\x000\x00F\x00F\x004\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 9794 WEB-ACTIVEX YMMAPI.YMailAttach ActiveX clsid unicode access messenger.yahoo.com/security_update.php?id=120806 21132 attempted-user 2006-5966 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DA2BD42B-07E8-413A-9FEA-BB3B2E825340"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*id\s*=((\x22|\x27)([^\2]*)\2)\s*classid\s*=\s*(\x22|\x27|)clsid\s*\x3a\s*{?\s*DA2BD42B-07E8-413A-9FEA-BB3B2E825340\s*}?\4.*\3\.(Analizar|Reinicializar)\(|<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DA2BD42B-07E8-413A-9FEA-BB3B2E825340\s*}?\s*\6\s*id\s*=\s*((\x22|\x27)([^\8]*)\8).*\9\.(Analizar|Reinicializar)\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 9795 WEB-ACTIVEX Panda ActiveScan ActiveScan.1 ActiveX clsid access 21132 attempted-user 2006-5966 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|A|00|2|00|B|00|D|00|4|00|2|00|B|00|-|00|0|00|7|00|E|00|8|00|-|00|4|00|1|00|3|00|A|00|-|00|9|00|F|00|E|00|A|00|-|00|B|00|B|00|3|00|B|00|2|00|E|00|8|00|2|00|5|00|3|00|4|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00A\x002\x00B\x00D\x004\x002\x00B\x00-\x000\x007\x00E\x008\x00-\x004\x001\x003\x00A\x00-\x009\x00F\x00E\x00A\x00-\x00B\x00B\x003\x00B\x002\x00E\x008\x002\x005\x003\x004\x000\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 9796 WEB-ACTIVEX Panda ActiveScan ActiveScan.1 ActiveX clsid unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ActiveScan.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22ActiveScan.1\x22|\x27ActiveScan.1\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(Analizar|Reinicializar)\s*\(|.*\3\s*\.\s*(Analizar|Reinicializar)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ActiveScan.1\x22|\x27ActiveScan.1\x27)\s*\)(\s*\.\s*(Analizar|Reinicializar)\s*\(|.*\7\s*\.\s*(Analizar|Reinicializar)\s*\()/smi"; metadata:policy security-ips drop; classtype:attempted-user; 9797 WEB-ACTIVEX Panda ActiveScan ActiveScan.1 ActiveX function call access 21132 attempted-user 2006-5966 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DA2BD42B-07E8-413A-9FEA-BB3B2E825340"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*id\s*=((\x22|\x27)([^\2]*)\2)\s*classid\s*=\s*(\x22|\x27|)clsid\s*\x3a\s*{?\s*DA2BD42B-07E8-413A-9FEA-BB3B2E825340\s*}?\4.*\3\.(ObtenerTamano)\(|<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DA2BD42B-07E8-413A-9FEA-BB3B2E825340\s*}?\s*\6\s*id\s*=\s*((\x22|\x27)([^\8]*)\8).*\9\.(ObtenerTamano)\(/si"; metadata:policy security-ips drop; classtype:attempted-user; 9798 WEB-ACTIVEX Panda ActiveScan PAVPZ.SOS.1 ActiveX clsid access 21132 attempted-user 2006-5966 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|A|00|2|00|B|00|D|00|4|00|2|00|B|00|-|00|0|00|7|00|E|00|8|00|-|00|4|00|1|00|3|00|A|00|-|00|9|00|F|00|E|00|A|00|-|00|B|00|B|00|3|00|B|00|2|00|E|00|8|00|2|00|5|00|3|00|4|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00A\x002\x00B\x00D\x004\x002\x00B\x00-\x000\x007\x00E\x008\x00-\x004\x001\x003\x00A\x00-\x009\x00F\x00E\x00A\x00-\x00B\x00B\x003\x00B\x002\x00E\x008\x002\x005\x003\x004\x000\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 9799 WEB-ACTIVEX Panda ActiveScan PAVPZ.SOS.1 ActiveX clsid unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"PAVPZ.SOS.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22PAVPZ.SOS.1\x22|\x27PAVPZ.SOS.1\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(ObtenerTamano)\s*\(|.*\3\s*\.\s*(ObtenerTamano)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22PAVPZ.SOS.1\x22|\x27PAVPZ.SOS.1\x27)\s*\)(\s*\.\s*(ObtenerTamano)\s*\(|.*\7\s*\.\s*(ObtenerTamano)\s*\()/smi"; metadata:policy security-ips drop; classtype:attempted-user; 9800 WEB-ACTIVEX Panda ActiveScan PAVPZ.SOS.1 ActiveX function call access 21221 attempted-admin 2006-6076 tcp $EXTERNAL_NET any -> $HOME_NET 6502 flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:37; dce_stub_data; byte_test:4,>,4096,0,relative,dce; content:"|05 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service dcerpc; classtype:attempted-admin; 9806 NETBIOS DCERPC NCACN-IP-TCP brightstor-arc GetGroupStatus overflow attempt www.lssec.com/advisories/LS-20060908.pdf 21607 attempted-user 2006-6603 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"YMMAPI.YMailAttach"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22YMMAPI.YMailAttach\x22|\x27YMMAPI.YMailAttach\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(TextETACalculating)\s*\(|.*\3\s*\.\s*(TextETACalculating)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22YMMAPI.YMailAttach\x22|\x27YMMAPI.YMailAttach\x27)\s*\)(\s*\.\s*(TextETACalculating)\s*\(|.*\7\s*\.\s*(TextETACalculating)\s*\()/smi"; metadata:policy security-ips drop; classtype:attempted-user; 9812 WEB-ACTIVEX Yahoo Messenger YMailAttach ActiveX function call access messenger.yahoo.com/security_update.php?id=120806 20930 attempted-user 2006-5650 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"54BDE6EC-F42F-4500-AC46-905177444300"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*id\s*=((\x22|\x27)([^\2]*)\2)\s*classid\s*=\s*(\x22|\x27|)clsid\s*\x3a\s*{?\s*54BDE6EC-F42F-4500-AC46-905177444300\s*}?\4.*\3\.(DownloadAgent)\(|<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*54BDE6EC-F42F-4500-AC46-905177444300\s*}?\s*\6\s*id\s*=\s*((\x22|\x27)([^\8]*)\8).*\9\.(DownloadAgent)\(/siO"; metadata:policy security-ips drop; classtype:attempted-user; 9814 WEB-ACTIVEX ICQPhone.SipxPhoneManager ActiveX clsid access 20930 attempted-user 2006-5650 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|4|00|B|00|D|00|E|00|6|00|E|00|C|00|-|00|F|00|4|00|2|00|F|00|-|00|4|00|5|00|0|00|0|00|-|00|A|00|C|00|4|00|6|00|-|00|9|00|0|00|5|00|1|00|7|00|7|00|4|00|4|00|4|00|3|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x004\x00B\x00D\x00E\x006\x00E\x00C\x00-\x00F\x004\x002\x00F\x00-\x004\x005\x000\x000\x00-\x00A\x00C\x004\x006\x00-\x009\x000\x005\x001\x007\x007\x004\x004\x004\x003\x000\x000\x00(}\x00)?\5/siO"; metadata:policy security-ips drop; classtype:attempted-user; 9815 WEB-ACTIVEX ICQPhone.SipxPhoneManager ActiveX clsid unicode access 20930 attempted-user 2006-5650 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ICQPhone.SipxPhoneManager"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22ICQPhone.SipxPhoneManager(\.\d)?\x22|\x27ICQPhone.SipxPhoneManager(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DownloadAgent)\s*\(|.*(?P=v)\s*\.\s*(DownloadAgent)\s*\()|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ICQPhone.SipxPhoneManager(\.\d)?\x22|\x27ICQPhone.SipxPhoneManager(\.\d)?\x27)\s*\)(\s*\.\s*(DownloadAgent)\s*\(|.*(?P=n)\s*\.\s*(DownloadAgent)\s*\()/siO"; metadata:policy security-ips drop; classtype:attempted-user; 9816 WEB-ACTIVEX ICQPhone.SipxPhoneManager ActiveX function call access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"127698E4-E730-4E5C-A2B1-21490A70C8A1"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*127698E4-E730-4E5C-A2B1-21490A70C8A1\s*}?\s*\1/si"; metadata:policy security-ips drop; classtype:attempted-user; 9817 WEB-ACTIVEX CEnroll.CEnroll.2 ActiveX clsid access osvdb.org/27230 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|2|00|7|00|6|00|9|00|8|00|E|00|4|00|-|00|E|00|7|00|3|00|0|00|-|00|4|00|E|00|5|00|C|00|-|00|A|00|2|00|B|00|1|00|-|00|2|00|1|00|4|00|9|00|0|00|A|00|7|00|0|00|C|00|8|00|A|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x002\x007\x006\x009\x008\x00E\x004\x00-\x00E\x007\x003\x000\x00-\x004\x00E\x005\x00C\x00-\x00A\x002\x00B\x001\x00-\x002\x001\x004\x009\x000\x00A\x007\x000\x00C\x008\x00A\x001\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 9818 WEB-ACTIVEX CEnroll.CEnroll.2 ActiveX clsid unicode access osvdb.org/27230 19069 attempted-user 2006-3729 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"OWC11.DataSourceControl"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22OWC11\.DataSourceControl(\.\d+)?\x22|\x27OWC11\.DataSourceControl(\.\d+)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC11\.DataSourceControl(\.\d+)?\x22|\x27OWC11\.DataSourceControl(\.\d+)?\x27)\s*\)/smiO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 9820 WEB-ACTIVEX OWC11.DataSourceControl.11 ActiveX function call access osvdb.org/27111 18946 attempted-user 2006-3591 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"438DA5E0-F171-11D0-984E-0000F80270F8"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*438DA5E0-F171-11D0-984E-0000F80270F8\s*}?\s*\1/si"; metadata:policy security-ips drop; classtype:attempted-user; 9821 WEB-ACTIVEX TriEditDocument.TriEditDocument ActiveX clsid access osvdb.org/27056 18946 attempted-user 2006-3591 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|3|00|8|00|D|00|A|00|5|00|E|00|0|00|-|00|F|00|1|00|7|00|1|00|-|00|1|00|1|00|D|00|0|00|-|00|9|00|8|00|4|00|E|00|-|00|0|00|0|00|0|00|0|00|F|00|8|00|0|00|2|00|7|00|0|00|F|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x003\x008\x00D\x00A\x005\x00E\x000\x00-\x00F\x001\x007\x001\x00-\x001\x001\x00D\x000\x00-\x009\x008\x004\x00E\x00-\x000\x000\x000\x000\x00F\x008\x000\x002\x007\x000\x00F\x008\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 9822 WEB-ACTIVEX TriEditDocument.TriEditDocument ActiveX clsid unicode access osvdb.org/27056 21831 attempted-user 2006-6838 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BADA82CB-BF48-4D76-9611-78E2C6F49F03"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BADA82CB-BF48-4D76-9611-78E2C6F49F03\s*}?\s*\1/si"; metadata:policy security-ips drop; classtype:attempted-user; 9824 WEB-ACTIVEX Rediff Bol Downloader ActiveX clsid access 21831 attempted-user 2006-6838 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|A|00|D|00|A|00|8|00|2|00|C|00|B|00|-|00|B|00|F|00|4|00|8|00|-|00|4|00|D|00|7|00|6|00|-|00|9|00|6|00|1|00|1|00|-|00|7|00|8|00|E|00|2|00|C|00|6|00|F|00|4|00|9|00|F|00|0|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x00A\x00D\x00A\x008\x002\x00C\x00B\x00-\x00B\x00F\x004\x008\x00-\x004\x00D\x007\x006\x00-\x009\x006\x001\x001\x00-\x007\x008\x00E\x002\x00C\x006\x00F\x004\x009\x00F\x000\x003\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 9825 WEB-ACTIVEX Rediff Bol Downloader ActiveX clsid unicode access 21831 attempted-user 2006-6838 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BOLDOWNLOADER.BolDownloaderCtrl.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22BOLDOWNLOADER.BolDownloaderCtrl.1\x22|\x27BOLDOWNLOADER.BolDownloaderCtrl.1\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BOLDOWNLOADER.BolDownloaderCtrl.1\x22|\x27BOLDOWNLOADER.BolDownloaderCtrl.1\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 9826 WEB-ACTIVEX Rediff Bol Downloader ActiveX function call access 110 OS / Windows 22010 protocol-command-decode 2007-0168 tcp $EXTERNAL_NET any -> $HOME_NET 6502 flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:191; content:"|05 00 00|"; metadata:service dcerpc; classtype:protocol-command-decode; 10024 NETBIOS DCERPC NCACN-IP-TCP brightstor-arc ClientDBMiniAgentClose attempt www.lssec.com/advisories/LS-20061002.pdf 20365 attempted-admin 2006-5143 tcp $EXTERNAL_NET any -> $HOME_NET 6503 flow:established,to_server; dce_iface:DC246BF0-7A7A-11CE-9F88-00805FE43838; dce_opnum:45; dce_stub_data; byte_test:4,>,1,0,relative,dce; content:"|05 00|"; metadata:service dcerpc; classtype:attempted-admin; 10030 NETBIOS DCERPC NCACN-IP-TCP brightstor QSIGetQueuePath_Function_45 overflow attempt 22005 attempted-admin 2007-0169 tcp $EXTERNAL_NET any -> $HOME_NET 6503 flow:established,to_server; dce_iface:DC246BF0-7A7A-11CE-9F88-00805FE43838; dce_opnum:47; dce_stub_data; byte_test:4,>,624,0,relative,dce; content:"|05 00 00|"; metadata:service dcerpc; classtype:attempted-admin; 10036 NETBIOS DCERPC NCACN-IP-TCP brightstor ASRemotePFC overflow attempt www.kb.cert.org/vuls/id/180336 22005 attempted-admin 2007-0169 tcp $EXTERNAL_NET any -> $HOME_NET 6502 flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:207; dce_stub_data; byte_test:4,>,1024,0,relative,dce; content:"|05 00 00|"; metadata:service dcerpc; classtype:attempted-admin; 10117 NETBIOS DCERPC NCACN-IP-TCP brightstor-arc GetGCBHandleFromGroupName overflow attempt 22639 protocol-command-decode 2007-1070 tcp $EXTERNAL_NET any -> $HOME_NET 5168 flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|04 00 03 00|"; within:4; byte_test:4,>,600,0,little,relative; content:"|05 00 00|"; metadata:service dcerpc; classtype:protocol-command-decode; 10202 NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetRealTimeScanConfigInfo attempt esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290 22639 protocol-command-decode 2007-1070 tcp $EXTERNAL_NET any -> $HOME_NET 5168 flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|17 00 0A 00|"; within:4; byte_test:4,>,600,0,little,relative; content:"|05 00 00|"; metadata:service dcerpc; classtype:protocol-command-decode; 10208 NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect COMN_NetTestConnection attempt esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290 protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:367abb81-9844-35f1-ad32-98f038001003; dce_opnum:36; dce_stub_data; byte_test:4,=,1,24,relative,dce; content:"|00 00 00 00|"; within:4; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:protocol-command-decode; 10285 NETBIOS DCERPC NCACN-IP-TCP svcctl ChangeServiceConfig2A attempt 22564 attempted-user 2006-6490 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"01010e00-5e80-11d8-9e86-0007e96c65ae"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*01010e00-5e80-11d8-9e86-0007e96c65ae\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(EnableExtension)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*01010e00-5e80-11d8-9e86-0007e96c65ae\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(EnableExtension))\s*\(/siO"; metadata:service http; classtype:attempted-user; 10393 WEB-ACTIVEX Symantec SupportSoft SmartIssue ActiveX clsid access securityresponse.symantec.com/avcenter/security/Content/2007.02.22.html 22564 attempted-user 2006-6490 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|1|00|0|00|1|00|0|00|e|00|0|00|0|00|-|00|5|00|e|00|8|00|0|00|-|00|1|00|1|00|d|00|8|00|-|00|9|00|e|00|8|00|6|00|-|00|0|00|0|00|0|00|7|00|e|00|9|00|6|00|c|00|6|00|5|00|a|00|e|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x001\x000\x001\x000\x00e\x000\x000\x00-\x005\x00e\x008\x000\x00-\x001\x001\x00d\x008\x00-\x009\x00e\x008\x006\x00-\x000\x000\x000\x007\x00e\x009\x006\x00c\x006\x005\x00a\x00e\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:service http; classtype:attempted-user; 10394 WEB-ACTIVEX Symantec SupportSoft SmartIssue ActiveX clsid unicode access securityresponse.symantec.com/avcenter/security/Content/2007.02.22.html 22564 attempted-user 2006-6490 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"SPRT.SmartIssue"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22SPRT\.SmartIssue(\.\d)?\x22|\x27SPRT\.SmartIssue(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*EnableExtension\s*|.*(?P=v)\s*\.\s*EnableExtension\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SPRT\.SmartIssue(\.\d)?\x22|\x27SPRT\.SmartIssue(\.\d)?\x27)\s*\)(\s*\.\s*EnableExtension\s*|.*(?P=n)\s*\.\s*EnableExtension\s*)\s*\(/smiO"; metadata:service http; classtype:attempted-user; 10395 WEB-ACTIVEX Symantec SupportSoft SmartIssue ActiveX function call access securityresponse.symantec.com/avcenter/security/Content/2007.02.22.html 22551 rpc-portmap-decode 2007-0915 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:" |00 00 01|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 10408 RPC portmap HP-UX Single Logical Screen SLSD tcp request 22551 rpc-portmap-decode 2007-0915 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:" |00 00 01|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 10409 RPC portmap HP-UX Single Logical Screen SLSD udp request 22551 rpc-portmap-decode 2007-0915 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 5C E0|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 10410 RPC portmap HP-UX Single Logical Screen SLSD tcp request 22551 rpc-portmap-decode 2007-0915 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 5C E0|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 10411 RPC portmap HP-UX Single Logical Screen SLSD udp request 22994 protocol-command-decode 2007-1447 tcp $EXTERNAL_NET any -> $HOME_NET 6502 flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:15,16,17; content:"|05 00|"; metadata:service dcerpc; classtype:protocol-command-decode; 10486 NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 15,16,17 attempt www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317 protocol-command-decode 2003-0605 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:3; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:protocol-command-decode; 11073 NETBIOS DCERPC NCACN-IP-TCP rpcss _RemoteGetClassObject attempt www.microsoft.com/technet/security/bulletin/MS03-039.mspx protocol-command-decode 2003-0605 udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] dce_iface:b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:3; content:"|04 00|"; metadata:service dcerpc; classtype:protocol-command-decode; 11074 NETBIOS DCERPC NCADG-IP-UDP rpcss _RemoteGetClassObject attempt www.microsoft.com/technet/security/bulletin/MS03-039.mspx 16838 rpc-portmap-decode 2006-0900 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 11288 RPC portmap mountd tcp request 16838 rpc-portmap-decode 2006-0900 tcp $EXTERNAL_NET any -> $HOME_NET any flow:established,to_server; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; pcre:"/^[\x00\x80]\x00\x00\x00/s"; metadata:service sunrpc; classtype:rpc-portmap-decode; 11289 RPC portmap mountd tcp zero-length payload denial of service attempt attempted-admin 2007-2446 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:12345778-1234-abcd-ef00-0123456789ab; dce_opnum:19; dce_stub_data; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:attempted-admin; 11442 NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarAddPrivilegesToAccount overflow attempt attempted-admin 2007-2446 udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] dce_iface:12345778-1234-abcd-ef00-0123456789ab; dce_opnum:19; dce_stub_data; isdataat:32,relative; pcre:"/^.{20}(.{4}).{4}(?!\1)/Rs"; content:"|04 00|"; metadata:service netbios-dgm; classtype:attempted-admin; 11443 NETBIOS DCERPC NCADG-IP-UDP lsarpc LsarAddPrivilegesToAccount overflow attempt 24188 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DXImageTransform.Microsoft.Chroma"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22DXImageTransform\.Microsoft\.Chroma\x22|\x27DXImageTransform\.Microsoft\.Chroma\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DXImageTransform\.Microsoft\.Chroma\x22|\x27DXImageTransform\.Microsoft\.Chroma\x27)\s*\)/smi"; classtype:attempted-user; 11620 WEB-ACTIVEX DXImageTransform.Microsoft.Chroma ActiveX function call access www.securityfocus.com/archive/1/443907 24188 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|X|00|I|00|m|00|a|00|g|00|e|00|T|00|r|00|a|00|n|00|s|00|f|00|o|00|r|00|m|00|.|00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|.|00|C|00|h|00|r|00|o|00|m|00|a|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)D\x00X\x00I\x00m\x00a\x00g\x00e\x00T\x00r\x00a\x00n\x00s\x00f\x00o\x00r\x00m\x00.\x00M\x00i\x00c\x00r\x00o\x00s\x00o\x00f\x00t\x00.\x00C\x00h\x00r\x00o\x00m\x00a\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)D\x00X\x00I\x00m\x00a\x00g\x00e\x00T\x00r\x00a\x00n\x00s\x00f\x00o\x00r\x00m\x00.\x00M\x00i\x00c\x00r\x00o\x00s\x00o\x00f\x00t\x00.\x00C\x00h\x00r\x00o\x00m\x00a\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 11621 WEB-ACTIVEX DXImageTransform.Microsoft.Chroma ActiveX function call unicode access www.securityfocus.com/archive/1/443907 24094 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"00140050-B1BA-11CE-ABC6-F5B2E79D9E3F"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q4>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140050-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q4)(\s|>).*(?P=id1)\s*\.\s*(DriverName)|<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140050-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q5)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(DriverName))\s*=/si"; classtype:attempted-user; 11624 WEB-ACTIVEX LeadTools ISIS ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-22-leadtools-isis-control.html 24094 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|1|00|4|00|0|00|0|00|5|00|0|00|-|00|B|00|1|00|B|00|A|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|C|00|6|00|-|00|F|00|5|00|B|00|2|00|E|00|7|00|9|00|D|00|9|00|E|00|3|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q6>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 11625 WEB-ACTIVEX LeadTools ISIS ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-22-leadtools-isis-control.html 24094 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"LEADIsis.LEADIsis"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22LEADIsis\.LEADIsis\x22|\x27LEADIsis\.LEADIsis\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*DriverName\s*|.*(?P=v)\s*\.\s*DriverName\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LEADIsis\.LEADIsis\x22|\x27LEADIsis\.LEADIsis\x27)\s*\)(\s*\.\s*DriverName\s*|.*(?P=n)\s*\.\s*DriverName)\s*=/smi"; classtype:attempted-user; 11626 WEB-ACTIVEX LeadTools ISIS ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-22-leadtools-isis-control.html 24094 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"L|00|E|00|A|00|D|00|I|00|s|00|i|00|s|00|.|00|L|00|E|00|A|00|D|00|I|00|s|00|i|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q7>\x22|\x27|)L\x00E\x00A\x00D\x00I\x00s\x00i\x00s\x00.\x00L\x00E\x00A\x00D\x00I\x00s\x00i\x00s\x00(?P=q7)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q8>\x22|\x27|)L\x00E\x00A\x00D\x00I\x00s\x00i\x00s\x00.\x00L\x00E\x00A\x00D\x00I\x00s\x00i\x00s\x00(?P=q8)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 11627 WEB-ACTIVEX LeadTools ISIS ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-22-leadtools-isis-control.html 24040 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"LEADRasterVariant.LEADRasterVariant"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22LEADRasterVariant\.LEADRasterVariant\x22|\x27LEADRasterVariant\.LEADRasterVariant\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*BitmapDataPath\s*|.*(?P=v)\s*\.\s*BitmapDataPath\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LEADRasterVariant\.LEADRasterVariant\x22|\x27LEADRasterVariant\.LEADRasterVariant\x27)\s*\)(\s*\.\s*BitmapDataPath\s*|.*(?P=n)\s*\.\s*BitmapDataPath)\s*=/smi"; classtype:attempted-user; 11628 WEB-ACTIVEX LeadTools JPEG 2000 COM Object ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-18-leadtools-jpeg-2000-com.html 24040 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|V|00|a|00|r|00|i|00|a|00|n|00|t|00|.|00|L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|V|00|a|00|r|00|i|00|a|00|n|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q9>\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00V\x00a\x00r\x00i\x00a\x00n\x00t\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00V\x00a\x00r\x00i\x00a\x00n\x00t\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q10>\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00V\x00a\x00r\x00i\x00a\x00n\x00t\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00V\x00a\x00r\x00i\x00a\x00n\x00t\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 11629 WEB-ACTIVEX LeadTools JPEG 2000 COM Object ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-18-leadtools-jpeg-2000-com.html 24133 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"00140B79-B1BA-11CE-ABC6-F5B2E79D9E3F"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q11>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140B79-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q11)(\s|>).*(?P=id1)\s*\.\s*(Directory)|<object\s*[^>]*\s*classid\s*=\s*(?P<q12>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140B79-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q12)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\s*\.\s*(Directory))\s*=/si"; classtype:attempted-user; 11630 WEB-ACTIVEX LeadTools Raster Dialog File Object ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-24-leadtools-raster-dialog-file.html 24133 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|1|00|4|00|0|00|B|00|7|00|9|00|-|00|B|00|1|00|B|00|A|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|C|00|6|00|-|00|F|00|5|00|B|00|2|00|E|00|7|00|9|00|D|00|9|00|E|00|3|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q13>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q13)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 11631 WEB-ACTIVEX LeadTools Raster Dialog File Object ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-24-leadtools-raster-dialog-file.html 24133 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"LEADRasterDlgFile.LEADRasterDlgFile"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22LEADRasterDlgFile\.LEADRasterDlgFile\x22|\x27LEADRasterDlgFile\.LEADRasterDlgFile\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Directory\s*|.*(?P=v)\s*\.\s*Directory\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LEADRasterDlgFile\.LEADRasterDlgFile\x22|\x27LEADRasterDlgFile\.LEADRasterDlgFile\x27)\s*\)(\s*\.\s*Directory\s*|.*(?P=n)\s*\.\s*Directory)\s*=/smi"; classtype:attempted-user; 11632 WEB-ACTIVEX LeadTools Raster Dialog File Object ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-24-leadtools-raster-dialog-file.html 24133 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|D|00|l|00|g|00|F|00|i|00|l|00|e|00|.|00|L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|D|00|l|00|g|00|F|00|i|00|l|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q14>\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00l\x00g\x00F\x00i\x00l\x00e\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00l\x00g\x00F\x00i\x00l\x00e\x00(?P=q14)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q15>\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00l\x00g\x00F\x00i\x00l\x00e\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00l\x00g\x00F\x00i\x00l\x00e\x00(?P=q15)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 11633 WEB-ACTIVEX LeadTools Raster Dialog File Object ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-24-leadtools-raster-dialog-file.html 24153 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"00140BB5-B1BA-11CE-ABC6-F5B2E79D9E3F"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q16>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140BB5-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q16)(\s|>).*(?P=id1)\s*\.\s*(DestinationPath)|<object\s*[^>]*\s*classid\s*=\s*(?P<q17>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140BB5-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q17)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\s*\.\s*(DestinationPath))\s*=/si"; classtype:attempted-user; 11634 WEB-ACTIVEX LeadTools Raster Dialog File_D Object ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-25-leadtools-raster-dialog-filed.html 24153 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|1|00|4|00|0|00|B|00|B|00|5|00|-|00|B|00|1|00|B|00|A|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|C|00|6|00|-|00|F|00|5|00|B|00|2|00|E|00|7|00|9|00|D|00|9|00|E|00|3|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q18>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q18)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 11635 WEB-ACTIVEX LeadTools Raster Dialog File_D Object ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-25-leadtools-raster-dialog-filed.html 24153 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"LEADRasterDocument.LEADRasterDocument"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22LEADRasterDocument\.LEADRasterDocument\x22|\x27LEADRasterDocument\.LEADRasterDocument\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*DestinationPath\s*|.*(?P=v)\s*\.\s*DestinationPath\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LEADRasterDocument\.LEADRasterDocument\x22|\x27LEADRasterDocument\.LEADRasterDocument\x27)\s*\)(\s*\.\s*DestinationPath\s*|.*(?P=n)\s*\.\s*DestinationPath)\s*=/smi"; classtype:attempted-user; 11636 WEB-ACTIVEX LeadTools Raster Dialog File_D Object ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-25-leadtools-raster-dialog-filed.html 24153 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|.|00|L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q19>\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00(?P=q19)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q20>\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00(?P=q20)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 11637 WEB-ACTIVEX LeadTools Raster Dialog File_D Object ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-25-leadtools-raster-dialog-filed.html 24179 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"00140B30-B1BA-11CE-ABC6-F5B2E79D9E3F"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m9>\x22|\x27|)(?P<id1>.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P<q21>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140B30-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q21)(\s|>).*(?P=id1)\s*\.\s*(DictionaryFileName)|<object\s*[^>]*\s*classid\s*=\s*(?P<q22>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140B30-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q22)(\s|>)[^>]*\s*id\s*=\s*(?P<m10>\x22|\x27|)(?P<id2>.+?)(?P=m10)(\s|>).*(?P=id2)\s*\.\s*(DictionaryFileName))\s*=/si"; classtype:attempted-user; 11638 WEB-ACTIVEX LeadTools Raster Document Object Library ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-26-leadtools-raster-ocr-document.html 24179 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|1|00|4|00|0|00|B|00|3|00|0|00|-|00|B|00|1|00|B|00|A|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|C|00|6|00|-|00|F|00|5|00|B|00|2|00|E|00|7|00|9|00|D|00|9|00|E|00|3|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q23>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q23)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 11639 WEB-ACTIVEX LeadTools Raster Document Object Library ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-26-leadtools-raster-ocr-document.html 24179 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"LEADRasterDocument.LEADRasterDocument"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22LEADRasterDocument\.LEADRasterDocument\x22|\x27LEADRasterDocument\.LEADRasterDocument\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*DictionaryFileName\s*|.*(?P=v)\s*\.\s*DictionaryFileName\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LEADRasterDocument\.LEADRasterDocument\x22|\x27LEADRasterDocument\.LEADRasterDocument\x27)\s*\)(\s*\.\s*DictionaryFileName\s*|.*(?P=n)\s*\.\s*DictionaryFileName)\s*=/smi"; classtype:attempted-user; 11640 WEB-ACTIVEX LeadTools Raster Document Object Library ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-26-leadtools-raster-ocr-document.html 24179 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|.|00|L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q24>\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00(?P=q24)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q25>\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00(?P=q25)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 11641 WEB-ACTIVEX LeadTools Raster Document Object Library ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-26-leadtools-raster-ocr-document.html 24193 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"00140797-B1BA-11CE-ABC6-F5B2E79D9E3F"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m11>\x22|\x27|)(?P<id1>.+?)(?P=m11)(\s|>)[^>]*\s*classid\s*=\s*(?P<q26>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140797-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q26)(\s|>).*(?P=id1)\s*\.\s*(DriverName)|<object\s*[^>]*\s*classid\s*=\s*(?P<q27>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140797-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q27)(\s|>)[^>]*\s*id\s*=\s*(?P<m12>\x22|\x27|)(?P<id2>.+?)(?P=m12)(\s|>).*(?P=id2)\s*\.\s*(DriverName))\s*=/si"; classtype:attempted-user; 11642 WEB-ACTIVEX LeadTools Raster ISIS Object ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-27-leadtools-raster-isis-object.html 24193 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|1|00|4|00|0|00|7|00|9|00|7|00|-|00|B|00|1|00|B|00|A|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|C|00|6|00|-|00|F|00|5|00|B|00|2|00|E|00|7|00|9|00|D|00|9|00|E|00|3|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q28>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q28)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 11643 WEB-ACTIVEX LeadTools Raster ISIS Object ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-27-leadtools-raster-isis-object.html 24193 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"LEADRasterISIS.LeadRasterISIS"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22LEADRasterISIS\.LeadRasterISIS\x22|\x27LEADRasterISIS\.LeadRasterISIS\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*DriverName\s*|.*(?P=v)\s*\.\s*DriverName\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LEADRasterISIS\.LeadRasterISIS\x22|\x27LEADRasterISIS\.LeadRasterISIS\x27)\s*\)(\s*\.\s*DriverName\s*|.*(?P=n)\s*\.\s*DriverName)\s*=/smi"; classtype:attempted-user; 11644 WEB-ACTIVEX LeadTools Raster ISIS Object ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-27-leadtools-raster-isis-object.html 24193 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|I|00|S|00|I|00|S|00|.|00|L|00|e|00|a|00|d|00|R|00|a|00|s|00|t|00|e|00|r|00|I|00|S|00|I|00|S|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q29>\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00I\x00S\x00I\x00S\x00.\x00L\x00e\x00a\x00d\x00R\x00a\x00s\x00t\x00e\x00r\x00I\x00S\x00I\x00S\x00(?P=q29)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q30>\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00I\x00S\x00I\x00S\x00.\x00L\x00e\x00a\x00d\x00R\x00a\x00s\x00t\x00e\x00r\x00I\x00S\x00I\x00S\x00(?P=q30)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 11645 WEB-ACTIVEX LeadTools Raster ISIS Object ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-27-leadtools-raster-isis-object.html 24057 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"00140780-B1BA-11CE-ABC6-F5B2E79D9E3F"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m13>\x22|\x27|)(?P<id1>.+?)(?P=m13)(\s|>)[^>]*\s*classid\s*=\s*(?P<q31>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140780-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q31)(\s|>).*(?P=id1)\s*\.\s*(BrowseDir)|<object\s*[^>]*\s*classid\s*=\s*(?P<q32>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140780-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q32)(\s|>)[^>]*\s*id\s*=\s*(?P<m14>\x22|\x27|)(?P<id2>.+?)(?P=m14)(\s|>).*(?P=id2)\.(BrowseDir))\s*\(/si"; classtype:attempted-user; 11646 WEB-ACTIVEX LeadTools Raster Thumbnail Object Library ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-20-leadtools-raster-thumbnail.html 24057 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|1|00|4|00|0|00|7|00|8|00|0|00|-|00|B|00|1|00|B|00|A|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|C|00|6|00|-|00|F|00|5|00|B|00|2|00|E|00|7|00|9|00|D|00|9|00|E|00|3|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q33>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q33)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 11647 WEB-ACTIVEX LeadTools Raster Thumbnail Object Library ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-20-leadtools-raster-thumbnail.html 24057 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"LEADRasterThumbnail.LEADRasterThumbnail"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22LEADRasterThumbnail\.LEADRasterThumbnail\x22|\x27LEADRasterThumbnail\.LEADRasterThumbnail\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*BrowseDir\s*|.*(?P=v)\s*\.\s*BrowseDir\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LEADRasterThumbnail\.LEADRasterThumbnail\x22|\x27LEADRasterThumbnail\.LEADRasterThumbnail\x27)\s*\)(\s*\.\s*BrowseDir\s*|.*(?P=n)\s*\.\s*BrowseDir\s*)\s*\(/smi"; classtype:attempted-user; 11648 WEB-ACTIVEX LeadTools Raster Thumbnail Object Library ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-20-leadtools-raster-thumbnail.html 24057 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|T|00|h|00|u|00|m|00|b|00|n|00|a|00|i|00|l|00|.|00|L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|T|00|h|00|u|00|m|00|b|00|n|00|a|00|i|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q34>\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00T\x00h\x00u\x00m\x00b\x00n\x00a\x00i\x00l\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00T\x00h\x00u\x00m\x00b\x00n\x00a\x00i\x00l\x00(?P=q34)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q35>\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00T\x00h\x00u\x00m\x00b\x00n\x00a\x00i\x00l\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00T\x00h\x00u\x00m\x00b\x00n\x00a\x00i\x00l\x00(?P=q35)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 11649 WEB-ACTIVEX LeadTools Raster Thumbnail Object Library ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-20-leadtools-raster-thumbnail.html 24075 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"00140B9B-B1BA-11CE-ABC6-F5B2E79D9E3F"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m15>\x22|\x27|)(?P<id1>.+?)(?P=m15)(\s|>)[^>]*\s*classid\s*=\s*(?P<q36>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140B9B-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q36)(\s|>).*(?P=id1)\s*\.\s*(WriteDataToFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q37>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140B9B-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q37)(\s|>)[^>]*\s*id\s*=\s*(?P<m16>\x22|\x27|)(?P<id2>.+?)(?P=m16)(\s|>).*(?P=id2)\.(WriteDataToFile))\s*\(/si"; classtype:attempted-user; 11650 WEB-ACTIVEX LeadTools Raster Variant Object Library ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-21-leadtools-raster-variant.html 24075 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|1|00|4|00|0|00|B|00|9|00|B|00|-|00|B|00|1|00|B|00|A|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|C|00|6|00|-|00|F|00|5|00|B|00|2|00|E|00|7|00|9|00|D|00|9|00|E|00|3|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q38>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q38)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 11651 WEB-ACTIVEX LeadTools Raster Variant Object Library ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-21-leadtools-raster-variant.html 24075 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"LEADRasterVariant.LEADRasterVariant"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22LEADRasterVariant\.LEADRasterVariant\x22|\x27LEADRasterVariant\.LEADRasterVariant\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*WriteDataToFile\s*|.*(?P=v)\s*\.\s*WriteDataToFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LEADRasterVariant\.LEADRasterVariant\x22|\x27LEADRasterVariant\.LEADRasterVariant\x27)\s*\)(\s*\.\s*WriteDataToFile\s*|.*(?P=n)\s*\.\s*WriteDataToFile\s*)\s*\(/smi"; classtype:attempted-user; 11652 WEB-ACTIVEX LeadTools Raster Variant Object Library ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-21-leadtools-raster-variant.html 24075 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|V|00|a|00|r|00|i|00|a|00|n|00|t|00|.|00|L|00|E|00|A|00|D|00|R|00|a|00|s|00|t|00|e|00|r|00|V|00|a|00|r|00|i|00|a|00|n|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q39>\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00V\x00a\x00r\x00i\x00a\x00n\x00t\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00V\x00a\x00r\x00i\x00a\x00n\x00t\x00(?P=q39)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q40>\x22|\x27|)L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00V\x00a\x00r\x00i\x00a\x00n\x00t\x00.\x00L\x00E\x00A\x00D\x00R\x00a\x00s\x00t\x00e\x00r\x00V\x00a\x00r\x00i\x00a\x00n\x00t\x00(?P=q40)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 11653 WEB-ACTIVEX LeadTools Raster Variant Object Library ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-21-leadtools-raster-variant.html 24053 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"00140200-B1BA-11CE-ABC6-F5B2E79D9E3F"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m17>\x22|\x27|)(?P<id1>.+?)(?P=m17)(\s|>)[^>]*\s*classid\s*=\s*(?P<q41>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140200-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q41)(\s|>).*(?P=id1)\s*\.\s*(BrowseDir)|<object\s*[^>]*\s*classid\s*=\s*(?P<q42>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*00140200-B1BA-11CE-ABC6-F5B2E79D9E3F\s*}?\s*(?P=q42)(\s|>)[^>]*\s*id\s*=\s*(?P<m18>\x22|\x27|)(?P<id2>.+?)(?P=m18)(\s|>).*(?P=id2)\.(BrowseDir))\s*\(/si"; classtype:attempted-user; 11654 WEB-ACTIVEX LeadTools Thumbnail Browser Control ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-19-leadtools-thumbnail-browser.html 24053 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|1|00|4|00|0|00|2|00|0|00|0|00|-|00|B|00|1|00|B|00|A|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|C|00|6|00|-|00|F|00|5|00|B|00|2|00|E|00|7|00|9|00|D|00|9|00|E|00|3|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q43>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q43)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 11655 WEB-ACTIVEX LeadTools Thumbnail Browser Control ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-19-leadtools-thumbnail-browser.html 24053 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"LEADThumb.LEADThumb"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22LEADThumb\.LEADThumb\x22|\x27LEADThumb\.LEADThumb\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*BrowseDir\s*|.*(?P=v)\s*\.\s*BrowseDir\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LEADThumb\.LEADThumb\x22|\x27LEADThumb\.LEADThumb\x27)\s*\)(\s*\.\s*BrowseDir\s*|.*(?P=n)\s*\.\s*BrowseDir\s*)\s*\(/smi"; classtype:attempted-user; 11656 WEB-ACTIVEX LeadTools Thumbnail Browser Control ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-19-leadtools-thumbnail-browser.html 24053 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"L|00|E|00|A|00|D|00|T|00|h|00|u|00|m|00|b|00|.|00|L|00|E|00|A|00|D|00|T|00|h|00|u|00|m|00|b|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q44>\x22|\x27|)L\x00E\x00A\x00D\x00T\x00h\x00u\x00m\x00b\x00.\x00L\x00E\x00A\x00D\x00T\x00h\x00u\x00m\x00b\x00(?P=q44)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q45>\x22|\x27|)L\x00E\x00A\x00D\x00T\x00h\x00u\x00m\x00b\x00.\x00L\x00E\x00A\x00D\x00T\x00h\x00u\x00m\x00b\x00(?P=q45)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 11657 WEB-ACTIVEX LeadTools Thumbnail Browser Control ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-19-leadtools-thumbnail-browser.html 24099 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"42BA826E-F8D8-4D8D-8C05-14ABCE00D4DD"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*42BA826E-F8D8-4D8D-8C05-14ABCE00D4DD\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(QuickZip)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*42BA826E-F8D8-4D8D-8C05-14ABCE00D4DD\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(QuickZip))\s*\(/si"; classtype:attempted-user; 11658 WEB-ACTIVEX Dart ZipLite Compression ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-22-bonus-dart-ziplite-compression.html 24099 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|2|00|B|00|A|00|8|00|2|00|6|00|E|00|-|00|F|00|8|00|D|00|8|00|-|00|4|00|D|00|8|00|D|00|-|00|8|00|C|00|0|00|5|00|-|00|1|00|4|00|A|00|B|00|C|00|E|00|0|00|0|00|D|00|4|00|D|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 11659 WEB-ACTIVEX Dart ZipLite Compression ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-22-bonus-dart-ziplite-compression.html 24883 attempted-user 2007-3703 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"59DBDDA6-9A80-42A4-B824-9BC50CC172F5"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*59DBDDA6-9A80-42A4-B824-9BC50CC172F5\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(Fill|DebugMsgLog|DownloadFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*59DBDDA6-9A80-42A4-B824-9BC50CC172F5\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(Fill|DebugMsgLog|DownloadFile))\s*\(/siO"; classtype:attempted-user; 11673 WEB-ACTIVEX Zenturi ProgramChecker ActiveX clsid access 24883 attempted-user 2007-3703 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|9|00|D|00|B|00|D|00|D|00|A|00|6|00|-|00|9|00|A|00|8|00|0|00|-|00|4|00|2|00|A|00|4|00|-|00|B|00|8|00|2|00|4|00|-|00|9|00|B|00|C|00|5|00|0|00|C|00|C|00|1|00|7|00|2|00|F|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q8>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 11674 WEB-ACTIVEX Zenturi ProgramChecker ActiveX clsid unicode access 24883 attempted-user 2007-3703 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"SafeAndSoundATL.NixonConfigMgrEx"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22SafeAndSoundATL\.NixonConfigMgrEx\x22|\x27SafeAndSoundATL\.NixonConfigMgrEx\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Fill|DebugMsgLog|DownloadFile)\s*|.*(?P=v)\s*\.\s*(Fill|DebugMsgLog|DownloadFile)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SafeAndSoundATL\.NixonConfigMgrEx\x22|\x27SafeAndSoundATL\.NixonConfigMgrEx\x27)\s*\)(\s*\.\s*(Fill|DebugMsgLog|DownloadFile)\s*|.*(?P=n)\s*\.\s*(Fill|DebugMsgLog|DownloadFile)\s*)\s*\(/siO"; classtype:attempted-user; 11675 WEB-ACTIVEX Zenturi ProgramChecker ActiveX function call access 24883 attempted-user 2007-3703 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"S|00|a|00|f|00|e|00|A|00|n|00|d|00|S|00|o|00|u|00|n|00|d|00|A|00|T|00|L|00|.|00|N|00|i|00|x|00|o|00|n|00|C|00|o|00|n|00|f|00|i|00|g|00|M|00|g|00|r|00|E|00|x|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q9>\x22|\x27|)S\x00a\x00f\x00e\x00A\x00n\x00d\x00S\x00o\x00u\x00n\x00d\x00A\x00T\x00L\x00.\x00N\x00i\x00x\x00o\x00n\x00C\x00o\x00n\x00f\x00i\x00g\x00M\x00g\x00r\x00E\x00x\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q10>\x22|\x27|)S\x00a\x00f\x00e\x00A\x00n\x00d\x00S\x00o\x00u\x00n\x00d\x00A\x00T\x00L\x00.\x00N\x00i\x00x\x00o\x00n\x00C\x00o\x00n\x00f\x00i\x00g\x00M\x00g\x00r\x00E\x00x\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/siO"; classtype:attempted-user; 11676 WEB-ACTIVEX Zenturi ProgramChecker ActiveX function call unicode access 24279 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AA0FB75C-C50E-47B6-B7E0-3B9C3FAA8AC4"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AA0FB75C-C50E-47B6-B7E0-3B9C3FAA8AC4\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(URL)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AA0FB75C-C50E-47B6-B7E0-3B9C3FAA8AC4\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(URL))\s*=/si"; classtype:attempted-user; 11677 WEB-ACTIVEX Provideo Camimage Class ISSCamControl ActiveX clsid access 24279 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|A|00|0|00|F|00|B|00|7|00|5|00|C|00|-|00|C|00|5|00|0|00|E|00|-|00|4|00|7|00|B|00|6|00|-|00|B|00|7|00|E|00|0|00|-|00|3|00|B|00|9|00|C|00|3|00|F|00|A|00|A|00|8|00|A|00|C|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q8>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 11678 WEB-ACTIVEX Provideo Camimage Class ISSCamControl ActiveX clsid unicode access 11922 misc-attack 2004-0567 tcp $EXTERNAL_NET any -> $HOME_NET 42 flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; content:!"|00 00 00 02|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:16; pcre:"/^.{20}([\x01-\xff]|0x00[\x01-\xff]|\x00{2}[\x02-\xff]|\x00{2}\x01[\x15-\xff])/s"; classtype:misc-attack; 11684 EXPLOIT WINS overflow attempt www.microsoft.com/technet/security/bulletin/MS04-045.mspx 11372 attempted-admin 2004-0206 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|01 00 00 00|"; depth:4; offset:36; content:!"|03 00|"; depth:2; offset:44; byte_jump:2,50, from_beginning; content:!"|00|"; within:34; distance:58; classtype:attempted-admin; 11816 NETBIOS Session Service NetDDE attack 24341 attempted-user 2007-3148 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9D39223E-AE8E-11D4-8FD3-00D0B7730277"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9D39223E-AE8E-11D4-8FD3-00D0B7730277\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(server)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9D39223E-AE8E-11D4-8FD3-00D0B7730277\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(server))\s*=/si"; classtype:attempted-user; 11818 WEB-ACTIVEX Yahoo Webcam Viewer Wrapper ActiveX clsid access www.frsirt.com/english/advisories/2007/2094 24341 attempted-user 2007-3148 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|D|00|3|00|9|00|2|00|2|00|3|00|E|00|-|00|A|00|E|00|8|00|E|00|-|00|1|00|1|00|D|00|4|00|-|00|8|00|F|00|D|00|3|00|-|00|0|00|0|00|D|00|0|00|B|00|7|00|7|00|3|00|0|00|2|00|7|00|7|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 11819 WEB-ACTIVEX Yahoo Webcam Viewer Wrapper ActiveX clsid unicode access www.frsirt.com/english/advisories/2007/2094 24341 attempted-user 2007-3148 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"YWcVwr.WcViewer"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22YWcVwr\.WcViewer\x22|\x27YWcVwr\.WcViewer\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*server\s*|.*(?P=v)\s*\.\s*server\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22YWcVwr\.WcViewer\x22|\x27YWcVwr\.WcViewer\x27)\s*\)(\s*\.\s*server\s*|.*(?P=n)\s*\.\s*server)\s*=/smi"; classtype:attempted-user; 11820 WEB-ACTIVEX Yahoo Webcam Viewer Wrapper ActiveX function call access www.frsirt.com/english/advisories/2007/2094 24341 attempted-user 2007-3148 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Y|00|W|00|c|00|V|00|w|00|r|00|.|00|W|00|c|00|V|00|i|00|e|00|w|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)Y\x00W\x00c\x00V\x00w\x00r\x00.\x00W\x00c\x00V\x00i\x00e\x00w\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)Y\x00W\x00c\x00V\x00w\x00r\x00.\x00W\x00c\x00V\x00i\x00e\x00w\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 11821 WEB-ACTIVEX Yahoo Webcam Viewer Wrapper ActiveX function call unicode access www.frsirt.com/english/advisories/2007/2094 attempted-user 2007-2222 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"EEE78591-FE22-11D0-8BEF-0060081841DE"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EEE78591-FE22-11D0-8BEF-0060081841DE\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Find)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EEE78591-FE22-11D0-8BEF-0060081841DE\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Find))\s*\(/Osi"; classtype:attempted-user; 11826 WEB-ACTIVEX Microsoft Voice Control ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms07-034.mspx attempted-user 2007-2222 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|E|00|E|00|7|00|8|00|5|00|9|00|1|00|-|00|F|00|E|00|2|00|2|00|-|00|1|00|1|00|D|00|0|00|-|00|8|00|B|00|E|00|F|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|1|00|8|00|4|00|1|00|D|00|E|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; classtype:attempted-user; 11827 WEB-ACTIVEX Microsoft Voice Control ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms07-034.mspx attempted-user 2007-2222 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectSS.DirectSS"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22DirectSS\.DirectSS\x22|\x27DirectSS\.DirectSS\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Find\s*|.*(?P=v)\s*\.\s*Find\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DirectSS\.DirectSS\x22|\x27DirectSS\.DirectSS\x27)\s*\)(\s*\.\s*Find\s*|.*(?P=n)\s*\.\s*Find\s*)\s*\(/Osmi"; classtype:attempted-user; 11828 WEB-ACTIVEX Microsoft Voice Control ActiveX function call access www.microsoft.com/technet/security/bulletin/ms07-034.mspx attempted-user 2007-2222 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|i|00|r|00|e|00|c|00|t|00|S|00|S|00|.|00|D|00|i|00|r|00|e|00|c|00|t|00|S|00|S|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)D\x00i\x00r\x00e\x00c\x00t\x00S\x00S\x00.\x00D\x00i\x00r\x00e\x00c\x00t\x00S\x00S\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)D\x00i\x00r\x00e\x00c\x00t\x00S\x00S\x00.\x00D\x00i\x00r\x00e\x00c\x00t\x00S\x00S\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; classtype:attempted-user; 11829 WEB-ACTIVEX Microsoft Voice Control ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/ms07-034.mspx attempted-user 2007-2222 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4E3D9D1F-0C63-11D1-8BFB-0060081841DE"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4E3D9D1F-0C63-11D1-8BFB-0060081841DE\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(Find)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4E3D9D1F-0C63-11D1-8BFB-0060081841DE\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(Find))\s*\(/Osi"; classtype:attempted-user; 11830 WEB-ACTIVEX Microsoft Direct Speech Recognition ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms07-034.mspx attempted-user 2007-2222 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|E|00|3|00|D|00|9|00|D|00|1|00|F|00|-|00|0|00|C|00|6|00|3|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|B|00|F|00|B|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|1|00|8|00|4|00|1|00|D|00|E|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q8>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/Osi"; classtype:attempted-user; 11831 WEB-ACTIVEX Microsoft Direct Speech Recognition ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms07-034.mspx attempted-user 2007-2222 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DirectSR.DirectSR"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22DirectSR\.DirectSR\x22|\x27DirectSR\.DirectSR\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Find\s*|.*(?P=v)\s*\.\s*Find\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DirectSR\.DirectSR\x22|\x27DirectSR\.DirectSR\x27)\s*\)(\s*\.\s*Find\s*|.*(?P=n)\s*\.\s*Find\s*)\s*\(/Osmi"; classtype:attempted-user; 11832 WEB-ACTIVEX Microsoft Direct Speech Recognition ActiveX function call access www.microsoft.com/technet/security/bulletin/ms07-034.mspx attempted-user 2007-2222 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|i|00|r|00|e|00|c|00|t|00|S|00|R|00|.|00|D|00|i|00|r|00|e|00|c|00|t|00|S|00|R|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q9>\x22|\x27|)D\x00i\x00r\x00e\x00c\x00t\x00S\x00R\x00.\x00D\x00i\x00r\x00e\x00c\x00t\x00S\x00R\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q10>\x22|\x27|)D\x00i\x00r\x00e\x00c\x00t\x00S\x00R\x00.\x00D\x00i\x00r\x00e\x00c\x00t\x00S\x00R\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/Osmi"; classtype:attempted-user; 11833 WEB-ACTIVEX Microsoft Direct Speech Recognition ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/ms07-034.mspx 24440 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D8541765-F6D2-4EE1-AEAA-4016BE1D9859"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D8541765-F6D2-4EE1-AEAA-4016BE1D9859\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SaveImage)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D8541765-F6D2-4EE1-AEAA-4016BE1D9859\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SaveImage))\s*\(/si"; classtype:attempted-user; 11839 WEB-ACTIVEX TEC-IT TBarCode ActiveX clsid access 24440 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|8|00|5|00|4|00|1|00|7|00|6|00|5|00|-|00|F|00|6|00|D|00|2|00|-|00|4|00|E|00|E|00|1|00|-|00|A|00|E|00|A|00|A|00|-|00|4|00|0|00|1|00|6|00|B|00|E|00|1|00|D|00|9|00|8|00|5|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 11840 WEB-ACTIVEX TEC-IT TBarCode ActiveX clsid unicode access 24440 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"TBarCode7.TBarCode7"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22TBarCode7\.TBarCode7\x22|\x27TBarCode7\.TBarCode7\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveImage\s*|.*(?P=v)\s*\.\s*SaveImage\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TBarCode7\.TBarCode7\x22|\x27TBarCode7\.TBarCode7\x27)\s*\)(\s*\.\s*SaveImage\s*|.*(?P=n)\s*\.\s*SaveImage\s*)\s*\(/smi"; classtype:attempted-user; 11841 WEB-ACTIVEX TEC-IT TBarCode ActiveX function call access 24440 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"T|00|B|00|a|00|r|00|C|00|o|00|d|00|e|00|7|00|.|00|T|00|B|00|a|00|r|00|C|00|o|00|d|00|e|00|7|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)T\x00B\x00a\x00r\x00C\x00o\x00d\x00e\x007\x00.\x00T\x00B\x00a\x00r\x00C\x00o\x00d\x00e\x007\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)T\x00B\x00a\x00r\x00C\x00o\x00d\x00e\x007\x00.\x00T\x00B\x00a\x00r\x00C\x00o\x00d\x00e\x007\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 11842 WEB-ACTIVEX TEC-IT TBarCode ActiveX function call unicode access 14514 attempted-admin 2005-1984 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:5; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,28,relative,dce; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:attempted-admin; 11843 NETBIOS DCERPC NCACN-IP-TCP spoolss AddPrinter overflow attempt www.microsoft.com/technet/security/bulletin/MS05-043.mspx 24400 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|A|00|6|00|4|00|6|00|6|00|7|00|2|00|-|00|9|00|C|00|3|00|A|00|-|00|4|00|C|00|2|00|8|00|-|00|9|00|A|00|7|00|A|00|-|00|1|00|F|00|B|00|0|00|F|00|6|00|3|00|F|00|2|00|8|00|B|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 11939 WEB-ACTIVEX Westbyte Internet Download Accelerator ActiveX clsid unicode access 24400 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"idaiehlp.IDAIEHelper"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22idaiehlp\.IDAIEHelper\x22|\x27idaiehlp\.IDAIEHelper\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22idaiehlp\.IDAIEHelper\x22|\x27idaiehlp\.IDAIEHelper\x27)\s*\)/smi"; classtype:attempted-user; 11940 WEB-ACTIVEX Westbyte Internet Download Accelerator ActiveX function call access 24400 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"i|00|d|00|a|00|i|00|e|00|h|00|l|00|p|00|.|00|I|00|D|00|A|00|I|00|E|00|H|00|e|00|l|00|p|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)i\x00d\x00a\x00i\x00e\x00h\x00l\x00p\x00.\x00I\x00D\x00A\x00I\x00E\x00H\x00e\x00l\x00p\x00e\x00r\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)i\x00d\x00a\x00i\x00e\x00h\x00l\x00p\x00.\x00I\x00D\x00A\x00I\x00E\x00H\x00e\x00l\x00p\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 11941 WEB-ACTIVEX Westbyte Internet Download Accelerator ActiveX function call unicode access 24400 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2A646672-9C3A-4C28-9A7A-1FB0F63F28B6"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2A646672-9C3A-4C28-9A7A-1FB0F63F28B6\s*}?\s*(?P=q1)(\s|>)/si"; classtype:attempted-user; 11942 WEB-ACTIVEX Westbyte internet download accelerator ActiveX clsid access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C6A96E83-F5AF-4BD4-9BDD-7B18444F814F"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C6A96E83-F5AF-4BD4-9BDD-7B18444F814F\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DialNumber)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C6A96E83-F5AF-4BD4-9BDD-7B18444F814F\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DialNumber))\s*\(/si"; classtype:attempted-user; 11943 WEB-ACTIVEX HP ModemUtil ActiveX clsid access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|6|00|A|00|9|00|6|00|E|00|8|00|3|00|-|00|F|00|5|00|A|00|F|00|-|00|4|00|B|00|D|00|4|00|-|00|9|00|B|00|D|00|D|00|-|00|7|00|B|00|1|00|8|00|4|00|4|00|4|00|F|00|8|00|1|00|4|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 11944 WEB-ACTIVEX HP ModemUtil ActiveX clsid unicode access protocol-command-decode 2003-0201 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; classtype:protocol-command-decode; 11945 NETBIOS SMB Trans2 OPEN2 maximum param count overflow attempt 11372 attempted-admin 2004-0206 udp $EXTERNAL_NET any -> $HOME_NET 139 content:"|10|"; depth:1; content:"|01 00 00 00|"; depth:4; offset:114; content:!"|03 00|"; depth:2; offset:122; byte_jump:2,128,from_beginning; content:!"|00|"; within:34; distance:136; classtype:attempted-admin; 11946 NETBIOS Datagram Service NetDDE attack trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"@|11 00 00 00 00 00 00 1C 00 00 00 10 00 03 00 00 00 01 00 02 00|"; depth:22; classtype:trojan-activity; 11951 BACKDOOR winshadow runtime detection - init connection request www3.ca.com/securityadvisor/pest/pest.aspx?id=453060036 trojan-activity udp $HOME_NET 3262 -> $EXTERNAL_NET any flow:to_client; content:"|03 00 00 00 01 00 02 00 00 00 00 00|"; depth:12; offset:5; classtype:trojan-activity; 11952 BACKDOOR winshadow runtime detection - udp response www3.ca.com/securityadvisor/pest/pest.aspx?id=453060036 protocol-command-decode 2003-0201 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; classtype:protocol-command-decode; 11955 NETBIOS SMB-DS Trans2 OPEN2 maximum param count overflow attempt protocol-command-decode 2003-0201 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; classtype:protocol-command-decode; 11956 NETBIOS SMB-DS Trans2 OPEN2 unicode maximum param count overflow attempt protocol-command-decode 2003-0201 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; classtype:protocol-command-decode; 11957 NETBIOS-DG SMB Trans2 OPEN2 maximum param count overflow attempt protocol-command-decode 2003-0201 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; classtype:protocol-command-decode; 11958 NETBIOS-DG SMB Trans2 OPEN2 unicode maximum param count overflow attempt protocol-command-decode 2003-0201 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; classtype:protocol-command-decode; 11959 NETBIOS SMB Trans2 OPEN2 andx maximum param count overflow attempt protocol-command-decode 2003-0201 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; classtype:protocol-command-decode; 11960 NETBIOS SMB Trans2 OPEN2 unicode andx maximum param count overflow attempt protocol-command-decode 2003-0201 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; classtype:protocol-command-decode; 11961 NETBIOS SMB-DS Trans2 OPEN2 andx maximum param count overflow attempt protocol-command-decode 2003-0201 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; classtype:protocol-command-decode; 11962 NETBIOS SMB-DS Trans2 OPEN2 unicode andx maximum param count overflow attempt protocol-command-decode 2003-0201 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; classtype:protocol-command-decode; 11963 NETBIOS-DG SMB Trans2 OPEN2 andx maximum param count overflow attempt protocol-command-decode 2003-0201 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; classtype:protocol-command-decode; 11964 NETBIOS-DG SMB Trans2 OPEN2 unicode andx maximum param count overflow attempt 24656 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A77849B6-6125-4466-88DC-4855C014A0C4"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A77849B6-6125-4466-88DC-4855C014A0C4\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(CreateFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A77849B6-6125-4466-88DC-4855C014A0C4\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(CreateFile))\s*\(/si"; classtype:attempted-user; 12015 WEB-ACTIVEX NCTAudioStudio2 NCT WavChunksEditor ActiveX clsid access nctsoft.com/products/NCTAudioStudio2/ 24656 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|7|00|7|00|8|00|4|00|9|00|B|00|6|00|-|00|6|00|1|00|2|00|5|00|-|00|4|00|4|00|6|00|6|00|-|00|8|00|8|00|D|00|C|00|-|00|4|00|8|00|5|00|5|00|C|00|0|00|1|00|4|00|A|00|0|00|C|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12016 WEB-ACTIVEX NCTAudioStudio2 NCT WavChunksEditor ActiveX clsid unicode access nctsoft.com/products/NCTAudioStudio2/ 24656 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"NCTWavChunksEditor2.WavChunksEditor2"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22NCTWavChunksEditor2\.WavChunksEditor2\x22|\x27NCTWavChunksEditor2\.WavChunksEditor2\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*CreateFile\s*|.*(?P=v)\s*\.\s*CreateFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NCTWavChunksEditor2\.WavChunksEditor2\x22|\x27NCTWavChunksEditor2\.WavChunksEditor2\x27)\s*\)(\s*\.\s*CreateFile\s*|.*(?P=n)\s*\.\s*CreateFile\s*)\s*\(/smi"; classtype:attempted-user; 12017 WEB-ACTIVEX NCTAudioStudio2 NCT WavChunksEditor ActiveX function call access nctsoft.com/products/NCTAudioStudio2/ 24656 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"N|00|C|00|T|00|W|00|a|00|v|00|C|00|h|00|u|00|n|00|k|00|s|00|E|00|d|00|i|00|t|00|o|00|r|00|2|00|.|00|W|00|a|00|v|00|C|00|h|00|u|00|n|00|k|00|s|00|E|00|d|00|i|00|t|00|o|00|r|00|2|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)N\x00C\x00T\x00W\x00a\x00v\x00C\x00h\x00u\x00n\x00k\x00s\x00E\x00d\x00i\x00t\x00o\x00r\x002\x00.\x00W\x00a\x00v\x00C\x00h\x00u\x00n\x00k\x00s\x00E\x00d\x00i\x00t\x00o\x00r\x002\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)N\x00C\x00T\x00W\x00a\x00v\x00C\x00h\x00u\x00n\x00k\x00s\x00E\x00d\x00i\x00t\x00o\x00r\x002\x00.\x00W\x00a\x00v\x00C\x00h\x00u\x00n\x00k\x00s\x00E\x00d\x00i\x00t\x00o\x00r\x002\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12018 WEB-ACTIVEX NCTAudioStudio2 NCT WavChunksEditor ActiveX function call unicode access nctsoft.com/products/NCTAudioStudio2/ 24613 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6ED74AE3-8066-4385-AABA-243E033F75A3"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6ED74AE3-8066-4385-AABA-243E033F75A3\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(CreateFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6ED74AE3-8066-4385-AABA-243E033F75A3\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(CreateFile))\s*\(/si"; classtype:attempted-user; 12019 WEB-ACTIVEX NCTsoft NCTAudioFile2 NCTWMAFile ActiveX clsid access nctsoft.com/products/NCTAudioEditor2/ 24613 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|E|00|D|00|7|00|4|00|A|00|E|00|3|00|-|00|8|00|0|00|6|00|6|00|-|00|4|00|3|00|8|00|5|00|-|00|A|00|A|00|B|00|A|00|-|00|2|00|4|00|3|00|E|00|0|00|3|00|3|00|F|00|7|00|5|00|A|00|3|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12020 WEB-ACTIVEX NCTsoft NCTAudioFile2 NCTWMAFile ActiveX clsid unicode access nctsoft.com/products/NCTAudioEditor2/ 24613 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"NCTWMAFile2.WMAFile2"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22NCTWMAFile2\.WMAFile2\x22|\x27NCTWMAFile2\.WMAFile2\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*CreateFile\s*|.*(?P=v)\s*\.\s*CreateFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NCTWMAFile2\.WMAFile2\x22|\x27NCTWMAFile2\.WMAFile2\x27)\s*\)(\s*\.\s*CreateFile\s*|.*(?P=n)\s*\.\s*CreateFile\s*)\s*\(/smi"; classtype:attempted-user; 12021 WEB-ACTIVEX NCTsoft NCTAudioFile2 NCTWMAFile ActiveX function call access nctsoft.com/products/NCTAudioEditor2/ 24613 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"N|00|C|00|T|00|W|00|M|00|A|00|F|00|i|00|l|00|e|00|2|00|.|00|W|00|M|00|A|00|F|00|i|00|l|00|e|00|2|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)N\x00C\x00T\x00W\x00M\x00A\x00F\x00i\x00l\x00e\x002\x00.\x00W\x00M\x00A\x00F\x00i\x00l\x00e\x002\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)N\x00C\x00T\x00W\x00M\x00A\x00F\x00i\x00l\x00e\x002\x00.\x00W\x00M\x00A\x00F\x00i\x00l\x00e\x002\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12022 WEB-ACTIVEX NCTsoft NCTAudioFile2 NCTWMAFile ActiveX function call unicode access nctsoft.com/products/NCTAudioEditor2/ 24678 attempted-user 2007-3487 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9C0A0321-B328-466C-8ECA-B9A5522466D3"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9C0A0321-B328-466C-8ECA-B9A5522466D3\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(saveXMLAsFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9C0A0321-B328-466C-8ECA-B9A5522466D3\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(saveXMLAsFile))\s*\(/si"; classtype:attempted-user; 12029 WEB-ACTIVEX HP Digital Imaging hpqxml.dll ActiveX clsid access www.securityfocus.com/archive/1/472384 24678 attempted-user 2007-3487 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|C|00|0|00|A|00|0|00|3|00|2|00|1|00|-|00|B|00|3|00|2|00|8|00|-|00|4|00|6|00|6|00|C|00|-|00|8|00|E|00|C|00|A|00|-|00|B|00|9|00|A|00|5|00|5|00|2|00|2|00|4|00|6|00|6|00|D|00|3|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12030 WEB-ACTIVEX HP Digital Imaging hpqxml.dll ActiveX clsid unicode access www.securityfocus.com/archive/1/472384 9633 attempted-admin 2003-0818 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"Authorization|3A| Negotiate "; nocase; http_header; pcre:"/^Authorization\x3a\s*Negotiate\s*((YE4G.{40}LgMc)|(YIIQ.{40}QUFB))/smiH"; classtype:attempted-admin; 12058 SPECIFIC-THREATS Microsoft SPNEGO ASN.1 library heap corruption overflow attempt www.microsoft.com/technet/security/bulletin/MS04-007.mspx 24730 attempted-user 2007-3554 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"156BF4B7-AE3A-4365-BD88-95A75AF8F09D"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*156BF4B7-AE3A-4365-BD88-95A75AF8F09D\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(queryHub)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*156BF4B7-AE3A-4365-BD88-95A75AF8F09D\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(queryHub))\s*=/si"; classtype:attempted-user; 12062 WEB-ACTIVEX HP Instant Support ActiveX clsid access h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01077597 24730 attempted-user 2007-3554 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|5|00|6|00|B|00|F|00|4|00|B|00|7|00|-|00|A|00|E|00|3|00|A|00|-|00|4|00|3|00|6|00|5|00|-|00|B|00|D|00|8|00|8|00|-|00|9|00|5|00|A|00|7|00|5|00|A|00|F|00|8|00|F|00|0|00|9|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12063 WEB-ACTIVEX HP Instant Support ActiveX clsid unicode access h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01077597 24959 attempted-user 2007-3883 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5407153D-022F-4CD2-8BFF-465569BC5DB8"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5407153D-022F-4CD2-8BFF-465569BC5DB8\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Save|SaveLayoutChanges|SaveMenuUsageData)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5407153D-022F-4CD2-8BFF-465569BC5DB8\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Save|SaveLayoutChanges|SaveMenuUsageData))\s*\(/si"; classtype:attempted-user; 12083 WEB-ACTIVEX Data Dynamics ActiveBar Actbar3 ActiveX clsid access 24959 attempted-user 2007-3883 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|4|00|0|00|7|00|1|00|5|00|3|00|D|00|-|00|0|00|2|00|2|00|F|00|-|00|4|00|C|00|D|00|2|00|-|00|8|00|B|00|F|00|F|00|-|00|4|00|6|00|5|00|5|00|6|00|9|00|B|00|C|00|5|00|D|00|B|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12084 WEB-ACTIVEX Data Dynamics ActiveBar Actbar3 ActiveX clsid unicode access 24959 attempted-user 2007-3883 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ActiveBar3Library.ActiveBar3"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22ActiveBar3Library\.ActiveBar3\x22|\x27ActiveBar3Library\.ActiveBar3\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Save|SaveLayoutChanges|SaveMenuUsageData)\s*|.*(?P=v)\s*\.\s*(Save|SaveLayoutChanges|SaveMenuUsageData)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ActiveBar3Library\.ActiveBar3\x22|\x27ActiveBar3Library\.ActiveBar3\x27)\s*\)(\s*\.\s*(Save|SaveLayoutChanges|SaveMenuUsageData)\s*|.*(?P=n)\s*\.\s*(Save|SaveLayoutChanges|SaveMenuUsageData)\s*)\s*\(/smi"; classtype:attempted-user; 12085 WEB-ACTIVEX Data Dynamics ActiveBar Actbar3 ActiveX function call access 24959 attempted-user 2007-3883 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|c|00|t|00|i|00|v|00|e|00|B|00|a|00|r|00|3|00|L|00|i|00|b|00|r|00|a|00|r|00|y|00|.|00|A|00|c|00|t|00|i|00|v|00|e|00|B|00|a|00|r|00|3|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)A\x00c\x00t\x00i\x00v\x00e\x00B\x00a\x00r\x003\x00L\x00i\x00b\x00r\x00a\x00r\x00y\x00.\x00A\x00c\x00t\x00i\x00v\x00e\x00B\x00a\x00r\x003\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)A\x00c\x00t\x00i\x00v\x00e\x00B\x00a\x00r\x003\x00L\x00i\x00b\x00r\x00a\x00r\x00y\x00.\x00A\x00c\x00t\x00i\x00v\x00e\x00B\x00a\x00r\x003\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12086 WEB-ACTIVEX Data Dynamics ActiveBar Actbar3 ActiveX function call unicode access 21697 attempted-user 2006-6707 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3E1DD897-F300-486C-BEAF-711183773554"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3E1DD897-F300-486C-BEAF-711183773554\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(TraceTarget)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3E1DD897-F300-486C-BEAF-711183773554\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(TraceTarget))\s*\(/siO"; classtype:attempted-user; 12087 WEB-ACTIVEX McAfee NeoTrace ActiveX clsid access 21697 attempted-user 2006-6707 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|E|00|1|00|D|00|D|00|8|00|9|00|7|00|-|00|F|00|3|00|0|00|0|00|-|00|4|00|8|00|6|00|C|00|-|00|B|00|E|00|A|00|F|00|-|00|7|00|1|00|1|00|1|00|8|00|3|00|7|00|7|00|3|00|5|00|5|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12088 WEB-ACTIVEX McAfee NeoTrace ActiveX clsid unicode access 21697 attempted-user 2006-6707 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"NeoTraceExplorer.NeoTraceLoader"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22NeoTraceExplorer\.NeoTraceLoader\x22|\x27NeoTraceExplorer\.NeoTraceLoader\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*TraceTarget\s*|.*(?P=v)\s*\.\s*TraceTarget\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NeoTraceExplorer\.NeoTraceLoader\x22|\x27NeoTraceExplorer\.NeoTraceLoader\x27)\s*\)(\s*\.\s*TraceTarget\s*|.*(?P=n)\s*\.\s*TraceTarget\s*)\s*\(/siO"; classtype:attempted-user; 12089 WEB-ACTIVEX McAfee NeoTrace ActiveX function call access 21697 attempted-user 2006-6707 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"N|00|e|00|o|00|T|00|r|00|a|00|c|00|e|00|E|00|x|00|p|00|l|00|o|00|r|00|e|00|r|00|.|00|N|00|e|00|o|00|T|00|r|00|a|00|c|00|e|00|L|00|o|00|a|00|d|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)N\x00e\x00o\x00T\x00r\x00a\x00c\x00e\x00E\x00x\x00p\x00l\x00o\x00r\x00e\x00r\x00.\x00N\x00e\x00o\x00T\x00r\x00a\x00c\x00e\x00L\x00o\x00a\x00d\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)N\x00e\x00o\x00T\x00r\x00a\x00c\x00e\x00E\x00x\x00p\x00l\x00o\x00r\x00e\x00r\x00.\x00N\x00e\x00o\x00T\x00r\x00a\x00c\x00e\x00L\x00o\x00a\x00d\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/siO"; classtype:attempted-user; 12090 WEB-ACTIVEX McAfee NeoTrace ActiveX function call unicode access 24882 attempted-user 2007-3785 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C22BB435-9B7F-4B1F-ACBD-CD36D34D6DFF"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C22BB435-9B7F-4B1F-ACBD-CD36D34D6DFF\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SaveToFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C22BB435-9B7F-4B1F-ACBD-CD36D34D6DFF\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SaveToFile))\s*\(/si"; classtype:attempted-user; 12091 WEB-ACTIVEX EldoS SecureBlackbox PGPBBox ActiveX clsid access 24882 attempted-user 2007-3785 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|2|00|2|00|B|00|B|00|4|00|3|00|5|00|-|00|9|00|B|00|7|00|F|00|-|00|4|00|B|00|1|00|F|00|-|00|A|00|C|00|B|00|D|00|-|00|C|00|D|00|3|00|6|00|D|00|3|00|4|00|D|00|6|00|D|00|F|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12092 WEB-ACTIVEX EldoS SecureBlackbox PGPBBox ActiveX clsid unicode access 24882 attempted-user 2007-3785 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"pgpbbox.ElPGPJpegImageX"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22pgpbbox\.ElPGPJpegImageX\x22|\x27pgpbbox\.ElPGPJpegImageX\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveToFile\s*|.*(?P=v)\s*\.\s*SaveToFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22pgpbbox\.ElPGPJpegImageX\x22|\x27pgpbbox\.ElPGPJpegImageX\x27)\s*\)(\s*\.\s*SaveToFile\s*|.*(?P=n)\s*\.\s*SaveToFile\s*)\s*\(/smi"; classtype:attempted-user; 12093 WEB-ACTIVEX EldoS SecureBlackbox PGPBBox ActiveX function call access 24882 attempted-user 2007-3785 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"p|00|g|00|p|00|b|00|b|00|o|00|x|00|.|00|E|00|l|00|P|00|G|00|P|00|J|00|p|00|e|00|g|00|I|00|m|00|a|00|g|00|e|00|X|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)p\x00g\x00p\x00b\x00b\x00o\x00x\x00.\x00E\x00l\x00P\x00G\x00P\x00J\x00p\x00e\x00g\x00I\x00m\x00a\x00g\x00e\x00X\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)p\x00g\x00p\x00b\x00b\x00o\x00x\x00.\x00E\x00l\x00P\x00G\x00P\x00J\x00p\x00e\x00g\x00I\x00m\x00a\x00g\x00e\x00X\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12094 WEB-ACTIVEX EldoS SecureBlackbox PGPBBox ActiveX function call unicode access 24947 attempted-admin 2007-3825 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:3d742890-397c-11cf-9bf1-00805f88cb72; dce_opnum:16,23; dce_stub_data; byte_test:4,>,200,12,relative,dce; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:attempted-admin; 12100 NETBIOS DCERPC NCACN-IP-TCP ca-alert function 16,23 overflow attempt supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-secnotice.asp 25025 attempted-user 2007-3984 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6754F588-E262-42D2-A6BC-3BB400ACFEED"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6754F588-E262-42D2-A6BC-3BB400ACFEED\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Scan)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6754F588-E262-42D2-A6BC-3BB400ACFEED\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Scan))\s*\(/si"; classtype:attempted-user; 12116 WEB-ACTIVEX Zenturi ProgramChecker SASATL ActiveX clsid access 25025 attempted-user 2007-3984 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|7|00|5|00|4|00|F|00|5|00|8|00|8|00|-|00|E|00|2|00|6|00|2|00|-|00|4|00|2|00|D|00|2|00|-|00|A|00|6|00|B|00|C|00|-|00|3|00|B|00|B|00|4|00|0|00|0|00|A|00|C|00|F|00|E|00|E|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12117 WEB-ACTIVEX Zenturi ProgramChecker SASATL ActiveX clsid unicode access 25025 attempted-user 2007-3984 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"SafeAndSoundATL.NixonMyPrograms"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22SafeAndSoundATL\.NixonMyPrograms\x22|\x27SafeAndSoundATL\.NixonMyPrograms\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Scan\s*|.*(?P=v)\s*\.\s*Scan\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SafeAndSoundATL\.NixonMyPrograms\x22|\x27SafeAndSoundATL\.NixonMyPrograms\x27)\s*\)(\s*\.\s*Scan\s*|.*(?P=n)\s*\.\s*Scan\s*)\s*\(/smi"; classtype:attempted-user; 12118 WEB-ACTIVEX Zenturi ProgramChecker SASATL ActiveX function call access 25025 attempted-user 2007-3984 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"S|00|a|00|f|00|e|00|A|00|n|00|d|00|S|00|o|00|u|00|n|00|d|00|A|00|T|00|L|00|.|00|N|00|i|00|x|00|o|00|n|00|M|00|y|00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)S\x00a\x00f\x00e\x00A\x00n\x00d\x00S\x00o\x00u\x00n\x00d\x00A\x00T\x00L\x00.\x00N\x00i\x00x\x00o\x00n\x00M\x00y\x00P\x00r\x00o\x00g\x00r\x00a\x00m\x00s\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)S\x00a\x00f\x00e\x00A\x00n\x00d\x00S\x00o\x00u\x00n\x00d\x00A\x00T\x00L\x00.\x00N\x00i\x00x\x00o\x00n\x00M\x00y\x00P\x00r\x00o\x00g\x00r\x00a\x00m\x00s\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12119 WEB-ACTIVEX Zenturi ProgramChecker SASATL ActiveX function call unicode access trojan-activity tcp $EXTERNAL_NET 443 -> $HOME_NET any flow:from_server,established; flowbits:isset,AccessRemotePC_RPCdetection; content:"|99 F3 00 00 00 00 00 00 FF FF FF FF|"; depth:12; classtype:trojan-activity; 12145 BACKDOOR access remote pc runtime detection - rpc setup research.sunbelt-software.com/threatdisplay.aspx?name=Access%20Remote%20PC&threatid=29373 25050 attempted-user 2007-3302 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"41266C21-18D8-414B-88C0-8DCA6C25CEA0"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*41266C21-18D8-414B-88C0-8DCA6C25CEA0\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(CallDLLLong_S|CallDLLLong_S_DW_S|CallDLLLong_S_S|CallDLLLong0|CallDLLVoid_S|CallDLLVoid_S_S|CallDLLVoid0)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*41266C21-18D8-414B-88C0-8DCA6C25CEA0\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(CallDLLLong_S|CallDLLLong_S_DW_S|CallDLLLong_S_S|CallDLLLong0|CallDLLVoid_S|CallDLLVoid_S_S|CallDLLVoid0))\s*\(/Osi"; classtype:attempted-user; 12168 WEB-ACTIVEX Computer Associates ETrust Intrusion Detection Caller.DLL ActiveX clsid access supportconnectw.ca.com/public/etrust/etrust_intrusion/infodocs/eid-callervilnsecnot.asp 25050 attempted-user 2007-3302 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|1|00|2|00|6|00|6|00|C|00|2|00|1|00|-|00|1|00|8|00|D|00|8|00|-|00|4|00|1|00|4|00|B|00|-|00|8|00|8|00|C|00|0|00|-|00|8|00|D|00|C|00|A|00|6|00|C|00|2|00|5|00|C|00|E|00|A|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; classtype:attempted-user; 12169 WEB-ACTIVEX Computer Associates ETrust Intrusion Detection Caller.DLL ActiveX clsid unicode access supportconnectw.ca.com/public/etrust/etrust_intrusion/infodocs/eid-callervilnsecnot.asp 24653 rpc-portmap-decode 2007-2798 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 00 08|@"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 12185 RPC portmap 2112 tcp request web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt 24653 rpc-portmap-decode 2007-2798 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 00 08|@"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 12186 RPC portmap 2112 udp request web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt 25063 attempted-user 2007-4067 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E8F92847-7C21-452B-91A5-49D93AA18F30"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E8F92847-7C21-452B-91A5-49D93AA18F30\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetToFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E8F92847-7C21-452B-91A5-49D93AA18F30\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetToFile))\s*\(/si"; classtype:attempted-user; 12189 WEB-ACTIVEX Clever Internet Suite ActiveX clsid access 25063 attempted-user 2007-4067 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|8|00|F|00|9|00|2|00|8|00|4|00|7|00|-|00|7|00|C|00|2|00|1|00|-|00|4|00|5|00|2|00|B|00|-|00|9|00|1|00|A|00|5|00|-|00|4|00|9|00|D|00|9|00|3|00|A|00|A|00|1|00|8|00|F|00|3|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12190 WEB-ACTIVEX Clever Internet Suite ActiveX clsid unicode access 25063 attempted-user 2007-4067 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"clInetSuiteX6.clWebDav"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22clInetSuiteX6\.clWebDav\x22|\x27clInetSuiteX6\.clWebDav\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*GetToFile\s*|.*(?P=v)\s*\.\s*GetToFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22clInetSuiteX6\.clWebDav\x22|\x27clInetSuiteX6\.clWebDav\x27)\s*\)(\s*\.\s*GetToFile\s*|.*(?P=n)\s*\.\s*GetToFile\s*)\s*\(/smi"; classtype:attempted-user; 12191 WEB-ACTIVEX Clever Internet Suite ActiveX function call access 25063 attempted-user 2007-4067 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"c|00|l|00|I|00|n|00|e|00|t|00|S|00|u|00|i|00|t|00|e|00|X|00|6|00|.|00|c|00|l|00|W|00|e|00|b|00|D|00|a|00|v|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)c\x00l\x00I\x00n\x00e\x00t\x00S\x00u\x00i\x00t\x00e\x00X\x006\x00.\x00c\x00l\x00W\x00e\x00b\x00D\x00a\x00v\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)c\x00l\x00I\x00n\x00e\x00t\x00S\x00u\x00i\x00t\x00e\x00X\x006\x00.\x00c\x00l\x00W\x00e\x00b\x00D\x00a\x00v\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12192 WEB-ACTIVEX Clever Internet Suite ActiveX function call unicode access 25086 attempted-user 2007-4034 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7EC7B6C5-25BD-4586-A641-D2ACBB6629DD"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7EC7B6C5-25BD-4586-A641-D2ACBB6629DD\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetComponentVersion)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7EC7B6C5-25BD-4586-A641-D2ACBB6629DD\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetComponentVersion))\s*\(/Osi"; classtype:attempted-user; 12193 WEB-ACTIVEX Yahoo Widgets Engine ActiveX clsid access help.yahoo.com/l/us/yahoo/widgets/security/security-08.html 25086 attempted-user 2007-4034 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|E|00|C|00|7|00|B|00|6|00|C|00|5|00|-|00|2|00|5|00|B|00|D|00|-|00|4|00|5|00|8|00|6|00|-|00|A|00|6|00|4|00|1|00|-|00|D|00|2|00|A|00|C|00|B|00|B|00|6|00|6|00|2|00|9|00|D|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; classtype:attempted-user; 12194 WEB-ACTIVEX Yahoo Widgets Engine ActiveX clsid unicode access help.yahoo.com/l/us/yahoo/widgets/security/security-08.html 25086 attempted-user 2007-4034 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"YDPCTL.YDPControl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22YDPCTL\.YDPControl\x22|\x27YDPCTL\.YDPControl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*GetComponentVersion\s*|.*(?P=v)\s*\.\s*GetComponentVersion\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22YDPCTL\.YDPControl\x22|\x27YDPCTL\.YDPControl\x27)\s*\)(\s*\.\s*GetComponentVersion\s*|.*(?P=n)\s*\.\s*GetComponentVersion\s*)\s*\(/Osmi"; classtype:attempted-user; 12195 WEB-ACTIVEX Yahoo Widgets Engine ActiveX function call access help.yahoo.com/l/us/yahoo/widgets/security/security-08.html 25086 attempted-user 2007-4034 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Y|00|D|00|P|00|C|00|T|00|L|00|.|00|Y|00|D|00|P|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)Y\x00D\x00P\x00C\x00T\x00L\x00.\x00Y\x00D\x00P\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)Y\x00D\x00P\x00C\x00T\x00L\x00.\x00Y\x00D\x00P\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; classtype:attempted-user; 12196 WEB-ACTIVEX Yahoo Widgets Engine ActiveX function call unicode access help.yahoo.com/l/us/yahoo/widgets/security/security-08.html 25110 attempted-user 2007-4059 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AF13B07E-28A1-4CAC-9C9A-EC582E354A24"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AF13B07E-28A1-4CAC-9C9A-EC582E354A24\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SetLogFileName)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AF13B07E-28A1-4CAC-9C9A-EC582E354A24\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetLogFileName))\s*\(/si"; classtype:attempted-user; 12200 WEB-ACTIVEX VMWare IntraProcessLogging ActiveX clsid access 25110 attempted-user 2007-4059 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|F|00|1|00|3|00|B|00|0|00|7|00|E|00|-|00|2|00|8|00|A|00|1|00|-|00|4|00|C|00|A|00|C|00|-|00|9|00|C|00|9|00|A|00|-|00|E|00|C|00|5|00|8|00|2|00|E|00|3|00|5|00|4|00|A|00|2|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12201 WEB-ACTIVEX VMWare IntraProcessLogging ActiveX clsid unicode access 25118 attempted-user 2007-4058 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7B9C5422-39AA-4C21-BEEF-645E42EB4529"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7B9C5422-39AA-4C21-BEEF-645E42EB4529\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(StartProcess)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7B9C5422-39AA-4C21-BEEF-645E42EB4529\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(StartProcess))\s*\(/Osi"; classtype:attempted-user; 12203 WEB-ACTIVEX VMWare Vielib.dll ActiveX clsid access 25118 attempted-user 2007-4058 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|B|00|9|00|C|00|5|00|4|00|2|00|2|00|-|00|3|00|9|00|A|00|A|00|-|00|4|00|C|00|2|00|1|00|-|00|B|00|E|00|E|00|F|00|-|00|6|00|4|00|5|00|E|00|4|00|2|00|E|00|B|00|4|00|5|00|2|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; classtype:attempted-user; 12204 WEB-ACTIVEX VMWare Vielib.dll ActiveX clsid unicode access 25118 attempted-user 2007-4058 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VieLib2.Vie2Process"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VieLib2\.Vie2Process\x22|\x27VieLib2\.Vie2Process\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*StartProcess\s*|.*(?P=v)\s*\.\s*StartProcess\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VieLib2\.Vie2Process\x22|\x27VieLib2\.Vie2Process\x27)\s*\)(\s*\.\s*StartProcess\s*|.*(?P=n)\s*\.\s*StartProcess\s*)\s*\(/Osmi"; classtype:attempted-user; 12205 WEB-ACTIVEX VMWare Vielib.dll ActiveX function call access 25118 attempted-user 2007-4058 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|i|00|e|00|L|00|i|00|b|00|2|00|.|00|V|00|i|00|e|00|2|00|P|00|r|00|o|00|c|00|e|00|s|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)V\x00i\x00e\x00L\x00i\x00b\x002\x00.\x00V\x00i\x00e\x002\x00P\x00r\x00o\x00c\x00e\x00s\x00s\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)V\x00i\x00e\x00L\x00i\x00b\x002\x00.\x00V\x00i\x00e\x002\x00P\x00r\x00o\x00c\x00e\x00s\x00s\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; classtype:attempted-user; 12206 WEB-ACTIVEX VMWare Vielib.dll ActiveX function call unicode access 25050 attempted-user 2007-3302 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Caller.CallCode"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Caller\.CallCode\x22|\x27Caller\.CallCode\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(CallDLLLong_S|CallDLLLong_S_DW_S|CallDLLLong_S_S|CallDLLLong0|CallDLLVoid_S|CallDLLVoid_S_S|CallDLLVoid0)\s*|.*(?P=v)\s*\.\s*(CallDLLLong_S|CallDLLLong_S_DW_S|CallDLLLong_S_S|CallDLLLong0|CallDLLVoid_S|CallDLLVoid_S_S|CallDLLVoid0)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Caller\.CallCode\x22|\x27Caller\.CallCode\x27)\s*\)(\s*\.\s*(CallDLLLong_S|CallDLLLong_S_DW_S|CallDLLLong_S_S|CallDLLLong0|CallDLLVoid_S|CallDLLVoid_S_S|CallDLLVoid0)\s*|.*(?P=n)\s*\.\s*(CallDLLLong_S|CallDLLLong_S_DW_S|CallDLLLong_S_S|CallDLLLong0|CallDLLVoid_S|CallDLLVoid_S_S|CallDLLVoid0)\s*)\s*\(/Osmi"; classtype:attempted-user; 12207 WEB-ACTIVEX Computer Associates ETrust Intrusion Detection Caller.DLL ActiveX function call access supportconnectw.ca.com/public/etrust/etrust_intrusion/infodocs/eid-callervilnsecnot.asp 25050 attempted-user 2007-3302 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|a|00|l|00|l|00|e|00|r|00|.|00|C|00|a|00|l|00|l|00|C|00|o|00|d|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)C\x00a\x00l\x00l\x00e\x00r\x00.\x00C\x00a\x00l\x00l\x00C\x00o\x00d\x00e\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)C\x00a\x00l\x00l\x00e\x00r\x00.\x00C\x00a\x00l\x00l\x00C\x00o\x00d\x00e\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; classtype:attempted-user; 12208 WEB-ACTIVEX Computer Associates ETrust Intrusion Detection Caller.DLL ActiveX function call unicode access supportconnectw.ca.com/public/etrust/etrust_intrusion/infodocs/eid-callervilnsecnot.asp 24983 attempted-user 2007-2955 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0A398EE6-277C-480D-BD4F-3288EA3AB8E2"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0A398EE6-277C-480D-BD4F-3288EA3AB8E2\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AnomalyList)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0A398EE6-277C-480D-BD4F-3288EA3AB8E2\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(AnomalyList))\s*=/Osi"; classtype:attempted-user; 12246 WEB-ACTIVEX Symantec NavComUI AxSysListView32 ActiveX clsid access www.symantec.com/avcenter/security/Content/2007.08.09.html 24983 attempted-user 2007-2955 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|A|00|3|00|9|00|8|00|E|00|E|00|6|00|-|00|2|00|7|00|7|00|C|00|-|00|4|00|8|00|0|00|D|00|-|00|B|00|D|00|4|00|F|00|-|00|3|00|2|00|8|00|8|00|E|00|A|00|3|00|A|00|B|00|8|00|E|00|2|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; classtype:attempted-user; 12247 WEB-ACTIVEX Symantec NavComUI AxSysListView32 ActiveX clsid unicode access www.symantec.com/avcenter/security/Content/2007.08.09.html 24983 attempted-user 2007-2955 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"NavComUI.AxSysListView32"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22NavComUI\.AxSysListView32\x22|\x27NavComUI\.AxSysListView32\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*AnomalyList\s*|.*(?P=v)\s*\.\s*AnomalyList\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NavComUI\.AxSysListView32\x22|\x27NavComUI\.AxSysListView32\x27)\s*\)(\s*\.\s*AnomalyList\s*|.*(?P=n)\s*\.\s*AnomalyList)\s*=/Osmi"; classtype:attempted-user; 12248 WEB-ACTIVEX Symantec NavComUI AxSysListView32 ActiveX function call access www.symantec.com/avcenter/security/Content/2007.08.09.html 24983 attempted-user 2007-2955 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"N|00|a|00|v|00|C|00|o|00|m|00|U|00|I|00|.|00|A|00|x|00|S|00|y|00|s|00|L|00|i|00|s|00|t|00|V|00|i|00|e|00|w|00|3|00|2|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)N\x00a\x00v\x00C\x00o\x00m\x00U\x00I\x00.\x00A\x00x\x00S\x00y\x00s\x00L\x00i\x00s\x00t\x00V\x00i\x00e\x00w\x003\x002\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)N\x00a\x00v\x00C\x00o\x00m\x00U\x00I\x00.\x00A\x00x\x00S\x00y\x00s\x00L\x00i\x00s\x00t\x00V\x00i\x00e\x00w\x003\x002\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; classtype:attempted-user; 12249 WEB-ACTIVEX Symantec NavComUI AxSysListView32 ActiveX function call unicode access www.symantec.com/avcenter/security/Content/2007.08.09.html 24983 attempted-user 2007-2955 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FAF02D9B-963D-43D8-91A6-E71383503FDA"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FAF02D9B-963D-43D8-91A6-E71383503FDA\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(Anomaly)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FAF02D9B-963D-43D8-91A6-E71383503FDA\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(Anomaly))\s*=/Osi"; classtype:attempted-user; 12250 WEB-ACTIVEX Symantec NavComUI AxSysListView32OAA ActiveX clsid access www.symantec.com/avcenter/security/Content/2007.08.09.html 24983 attempted-user 2007-2955 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|A|00|F|00|0|00|2|00|D|00|9|00|B|00|-|00|9|00|6|00|3|00|D|00|-|00|4|00|3|00|D|00|8|00|-|00|9|00|1|00|A|00|6|00|-|00|E|00|7|00|1|00|3|00|8|00|3|00|5|00|0|00|3|00|F|00|D|00|A|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q8>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/Osi"; classtype:attempted-user; 12251 WEB-ACTIVEX Symantec NavComUI AxSysListView32OAA ActiveX clsid unicode access www.symantec.com/avcenter/security/Content/2007.08.09.html 24983 attempted-user 2007-2955 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"NavComUI.AxSysListView32OAA"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22NavComUI\.AxSysListView32OAA\x22|\x27NavComUI\.AxSysListView32OAA\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Anomaly\s*|.*(?P=v)\s*\.\s*Anomaly\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NavComUI\.AxSysListView32OAA\x22|\x27NavComUI\.AxSysListView32OAA\x27)\s*\)(\s*\.\s*Anomaly\s*|.*(?P=n)\s*\.\s*Anomaly)\s*=/smi"; classtype:attempted-user; 12252 WEB-ACTIVEX Symantec NavComUI AxSysListView32OAA ActiveX function call access www.symantec.com/avcenter/security/Content/2007.08.09.html 24983 attempted-user 2007-2955 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"N|00|a|00|v|00|C|00|o|00|m|00|U|00|I|00|.|00|A|00|x|00|S|00|y|00|s|00|L|00|i|00|s|00|t|00|V|00|i|00|e|00|w|00|3|00|2|00|O|00|A|00|A|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q9>\x22|\x27|)N\x00a\x00v\x00C\x00o\x00m\x00U\x00I\x00.\x00A\x00x\x00S\x00y\x00s\x00L\x00i\x00s\x00t\x00V\x00i\x00e\x00w\x003\x002\x00O\x00A\x00A\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q10>\x22|\x27|)N\x00a\x00v\x00C\x00o\x00m\x00U\x00I\x00.\x00A\x00x\x00S\x00y\x00s\x00L\x00i\x00s\x00t\x00V\x00i\x00e\x00w\x003\x002\x00O\x00A\x00A\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/Osmi"; classtype:attempted-user; 12253 WEB-ACTIVEX Symantec NavComUI AxSysListView32OAA ActiveX function call unicode access www.symantec.com/avcenter/security/Content/2007.08.09.html 25279 attempted-user 2007-4336 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"201EA564-A6F6-11D1-811D-00C04FB6BD36"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*201EA564-A6F6-11D1-811D-00C04FB6BD36\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SourceUrl)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*201EA564-A6F6-11D1-811D-00C04FB6BD36\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(SourceUrl))\s*=/si"; classtype:attempted-user; 12257 WEB-ACTIVEX Microsoft DirectX Media SDK ActiveX clsid access 25279 attempted-user 2007-4336 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|0|00|1|00|E|00|A|00|5|00|6|00|4|00|-|00|A|00|6|00|F|00|6|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|1|00|1|00|D|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|B|00|6|00|B|00|D|00|3|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12258 WEB-ACTIVEX Microsoft DirectX Media SDK ActiveX clsid unicode access 25279 attempted-user 2007-4336 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DXSurface.LivePicture.FlashPix"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22DXSurface\.LivePicture\.FlashPix\x22|\x27DXSurface\.LivePicture\.FlashPix\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SourceUrl\s*|.*(?P=v)\s*\.\s*SourceUrl\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DXSurface\.LivePicture\.FlashPix\x22|\x27DXSurface\.LivePicture\.FlashPix\x27)\s*\)(\s*\.\s*SourceUrl\s*|.*(?P=n)\s*\.\s*SourceUrl)\s*=/smi"; classtype:attempted-user; 12259 WEB-ACTIVEX Microsoft DirectX Media SDK ActiveX function call access 25279 attempted-user 2007-4336 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|X|00|S|00|u|00|r|00|f|00|a|00|c|00|e|00|.|00|L|00|i|00|v|00|e|00|P|00|i|00|c|00|t|00|u|00|r|00|e|00|.|00|F|00|l|00|a|00|s|00|h|00|P|00|i|00|x|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)D\x00X\x00S\x00u\x00r\x00f\x00a\x00c\x00e\x00.\x00L\x00i\x00v\x00e\x00P\x00i\x00c\x00t\x00u\x00r\x00e\x00.\x00F\x00l\x00a\x00s\x00h\x00P\x00i\x00x\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)D\x00X\x00S\x00u\x00r\x00f\x00a\x00c\x00e\x00.\x00L\x00i\x00v\x00e\x00P\x00i\x00c\x00t\x00u\x00r\x00e\x00.\x00F\x00l\x00a\x00s\x00h\x00P\x00i\x00x\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12260 WEB-ACTIVEX Microsoft DirectX Media SDK ActiveX function call unicode access attempted-user 2007-0943 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Content-Type|3A| text/css"; fast_pattern; nocase; http_header; pcre:!"/^Content-encoding\x3A\s*(gzip|compress)/Him"; pcre:"/\x7D\s*\/[^\/\x2A]/H"; metadata:service http; classtype:attempted-user; 12277 EXPLOIT Microsoft IE CSS memory corruption exploit www.microsoft.com/technet/security/bulletin/ms07-045.mspx 25383 attempted-user 2007-4489 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BD80D375-5439-4D80-B128-DDA5FDC3AE6C"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BD80D375-5439-4D80-B128-DDA5FDC3AE6C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ReInit)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BD80D375-5439-4D80-B128-DDA5FDC3AE6C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(ReInit))\s*\(/si"; classtype:attempted-user; 12301 WEB-ACTIVEX eCentrex VOIP Client Module ActiveX clsid access www.e800phone.com 25383 attempted-user 2007-4489 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|D|00|8|00|0|00|D|00|3|00|7|00|5|00|-|00|5|00|4|00|3|00|9|00|-|00|4|00|D|00|8|00|0|00|-|00|B|00|1|00|2|00|8|00|-|00|D|00|D|00|A|00|5|00|F|00|D|00|C|00|3|00|A|00|E|00|6|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12302 WEB-ACTIVEX eCentrex VOIP Client Module ActiveX clsid unicode access www.e800phone.com 25473 attempted-user 2007-4467 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9b935470-ad4a-11d5-b63e-00c04faedb18"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*9b935470-ad4a-11d5-b63e-00c04faedb18\s*}?\s*(?P=q1)(\s|>)/si"; classtype:attempted-user; 12380 WEB-ACTIVEX Oracle JInitiator ActiveX clsid access 25473 attempted-user 2007-4467 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|b|00|9|00|3|00|5|00|4|00|7|00|0|00|-|00|a|00|d|00|4|00|a|00|-|00|1|00|1|00|d|00|5|00|-|00|b|00|6|00|3|00|e|00|-|00|0|00|0|00|c|00|0|00|4|00|f|00|a|00|e|00|d|00|b|00|1|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12381 WEB-ACTIVEX Oracle JInitiator ActiveX clsid unicode access 25467 attempted-user 2007-4607 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"68AC0D5F-0424-11D5-822F-00C04F6BA8D9"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q3>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*68AC0D5F-0424-11D5-822F-00C04F6BA8D9\s*}?\s*(?P=q3)(\s|>).*(?P=id1)\s*\.\s*(SubmitToExpress)|<object\s*[^>]*\s*classid\s*=\s*(?P<q4>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*68AC0D5F-0424-11D5-822F-00C04F6BA8D9\s*}?\s*(?P=q4)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SubmitToExpress))\s*\(/si"; classtype:attempted-user; 12382 WEB-ACTIVEX EasyMail Objects ActiveX clsid access 25467 attempted-user 2007-4607 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|8|00|A|00|C|00|0|00|D|00|5|00|F|00|-|00|0|00|4|00|2|00|4|00|-|00|1|00|1|00|D|00|5|00|-|00|8|00|2|00|2|00|F|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|6|00|B|00|A|00|8|00|D|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q5>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q5)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12383 WEB-ACTIVEX EasyMail Objects ActiveX clsid unicode access 25494 attempted-user 2007-4515 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D5184A39-CBDF-4A4F-AC1A-7A45A852C883"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D5184A39-CBDF-4A4F-AC1A-7A45A852C883\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(fvCom|info)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D5184A39-CBDF-4A4F-AC1A-7A45A852C883\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(fvCom|info))\s*\(/siO"; classtype:attempted-user; 12384 WEB-ACTIVEX Yahoo Messenger YVerInfo ActiveX clsid access messenger.yahoo.com/security_update.php?id=082907 25494 attempted-user 2007-4515 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|5|00|1|00|8|00|4|00|A|00|3|00|9|00|-|00|C|00|B|00|D|00|F|00|-|00|4|00|A|00|4|00|F|00|-|00|A|00|C|00|1|00|A|00|-|00|7|00|A|00|4|00|5|00|A|00|8|00|5|00|2|00|C|00|8|00|8|00|3|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q8>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12385 WEB-ACTIVEX Yahoo Messenger YVerInfo ActiveX clsid unicode access messenger.yahoo.com/security_update.php?id=082907 25494 attempted-user 2007-4515 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"YVerInfo.GetInfo"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22YVerInfo\.GetInfo\x22|\x27YVerInfo\.GetInfo\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(fvCom|info)\s*|.*(?P=v)\s*\.\s*(fvCom|info)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22YVerInfo\.GetInfo\x22|\x27YVerInfo\.GetInfo\x27)\s*\)(\s*\.\s*(fvCom|info)\s*|.*(?P=n)\s*\.\s*(fvCom|info)\s*)\s*\(/siO"; classtype:attempted-user; 12386 WEB-ACTIVEX Yahoo Messenger YVerInfo ActiveX function call access messenger.yahoo.com/security_update.php?id=082907 25494 attempted-user 2007-4515 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Y|00|V|00|e|00|r|00|I|00|n|00|f|00|o|00|.|00|G|00|e|00|t|00|I|00|n|00|f|00|o|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q9>\x22|\x27|)Y\x00V\x00e\x00r\x00I\x00n\x00f\x00o\x00.\x00G\x00e\x00t\x00I\x00n\x00f\x00o\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q10>\x22|\x27|)Y\x00V\x00e\x00r\x00I\x00n\x00f\x00o\x00.\x00G\x00e\x00t\x00I\x00n\x00f\x00o\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/siO"; classtype:attempted-user; 12387 WEB-ACTIVEX Yahoo Messenger YVerInfo ActiveX function call unicode access messenger.yahoo.com/security_update.php?id=082907 25502 attempted-user 2007-4748 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5EC7C511-CD0F-42E6-830C-1BD9882F3458"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5EC7C511-CD0F-42E6-830C-1BD9882F3458\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Logo)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5EC7C511-CD0F-42E6-830C-1BD9882F3458\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(Logo))\s*=/si"; classtype:attempted-user; 12388 WEB-ACTIVEX PPStream PowerPlayer ActiveX clsid access 25502 attempted-user 2007-4748 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|E|00|C|00|7|00|C|00|5|00|1|00|1|00|-|00|C|00|D|00|0|00|F|00|-|00|4|00|2|00|E|00|6|00|-|00|8|00|3|00|0|00|C|00|-|00|1|00|B|00|D|00|9|00|8|00|8|00|2|00|F|00|3|00|4|00|5|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12389 WEB-ACTIVEX PPStream PowerPlayer ActiveX clsid unicode access 25584 attempted-user 2007-4470 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8EC18CE2-D7B4-11D2-88C8-006008A717FD"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8EC18CE2-D7B4-11D2-88C8-006008A717FD\s*}?\s*(?P=q1)(\s|>)/si"; classtype:attempted-user; 12413 WEB-ACTIVEX Earth Resource Mapper NCSView ActiveX clsid access 25584 attempted-user 2007-4470 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|E|00|C|00|1|00|8|00|C|00|E|00|2|00|-|00|D|00|7|00|B|00|4|00|-|00|1|00|1|00|D|00|2|00|-|00|8|00|8|00|C|00|8|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|A|00|7|00|1|00|7|00|F|00|D|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12414 WEB-ACTIVEX Earth Resource Mapper NCSView ActiveX clsid unicode access 25584 attempted-user 2007-4470 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"NCSViewManager.NCSView"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22NCSViewManager\.NCSView\x22|\x27NCSViewManager\.NCSView\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NCSViewManager\.NCSView\x22|\x27NCSViewManager\.NCSView\x27)\s*\)/smi"; classtype:attempted-user; 12415 WEB-ACTIVEX Earth Resource Mapper NCSView ActiveX function call access 25584 attempted-user 2007-4470 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"N|00|C|00|S|00|V|00|i|00|e|00|w|00|M|00|a|00|n|00|a|00|g|00|e|00|r|00|.|00|N|00|C|00|S|00|V|00|i|00|e|00|w|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)N\x00C\x00S\x00V\x00i\x00e\x00w\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00.\x00N\x00C\x00S\x00V\x00i\x00e\x00w\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)N\x00C\x00S\x00V\x00i\x00e\x00w\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00.\x00N\x00C\x00S\x00V\x00i\x00e\x00w\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12416 WEB-ACTIVEX Earth Resource Mapper NCSView ActiveX function call unicode access 25586 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7D1425D4-E2FC-4A52-BDA9-B9DCAC5EF574"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7D1425D4-E2FC-4A52-BDA9-B9DCAC5EF574\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SetClientInfo)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7D1425D4-E2FC-4A52-BDA9-B9DCAC5EF574\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetClientInfo))\s*\(/si"; classtype:attempted-user; 12428 WEB-ACTIVEX GlobalLink glitemflat.dll ActiveX clsid access 25586 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|D|00|1|00|4|00|2|00|5|00|D|00|4|00|-|00|E|00|2|00|F|00|C|00|-|00|4|00|A|00|5|00|2|00|-|00|B|00|D|00|A|00|9|00|-|00|B|00|9|00|D|00|C|00|A|00|C|00|5|00|E|00|F|00|5|00|7|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12429 WEB-ACTIVEX GlobalLink glitemflat.dll ActiveX clsid unicode access 25601 attempted-user 2009-1612 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q4>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB\s*}?\s*(?P=q4)(\s|>).*(?P=id1)\s*\.\s*(advancedOpen|backImage|isDVDPath|rawParse|titleImage|URL|OnBeforeVideoDownload)|<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB\s*}?\s*(?P=q5)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(advancedOpen|backImage|isDVDPath|rawParse|titleImage|URL|OnBeforeVideoDownload))\s*\(/siO"; classtype:attempted-user; 12434 WEB-ACTIVEX BaoFeng Storm MPS.dll ActiveX clsid access 25601 attempted-user 2009-1612 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|B|00|E|00|5|00|2|00|E|00|1|00|D|00|-|00|E|00|5|00|8|00|6|00|-|00|4|00|7|00|4|00|F|00|-|00|A|00|6|00|E|00|2|00|-|00|1|00|A|00|8|00|5|00|A|00|9|00|B|00|4|00|D|00|9|00|F|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q6>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/siO"; classtype:attempted-user; 12435 WEB-ACTIVEX BaoFeng Storm MPS.dll ActiveX clsid unicode access 25609 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"09C282FE-7DE7-4697-9BE2-1C4F4DA825B3"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*09C282FE-7DE7-4697-9BE2-1C4F4DA825B3\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AcquireContext)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*09C282FE-7DE7-4697-9BE2-1C4F4DA825B3\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(AcquireContext))\s*\(/si"; classtype:attempted-user; 12438 WEB-ACTIVEX Ultra Crypto Component CryptoX.dll ActiveX clsid access www.ultrashareware.com/Ultra-Crypto-Component.htm 25609 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|9|00|C|00|2|00|8|00|2|00|F|00|E|00|-|00|7|00|D|00|E|00|7|00|-|00|4|00|6|00|9|00|7|00|-|00|9|00|B|00|E|00|2|00|-|00|1|00|C|00|4|00|F|00|4|00|D|00|A|00|8|00|2|00|5|00|B|00|3|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12439 WEB-ACTIVEX Ultra Crypto Component CryptoX.dll ActiveX clsid unicode access www.ultrashareware.com/Ultra-Crypto-Component.htm 25609 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CryptoX.CryptoObj"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22CryptoX\.CryptoObj\x22|\x27CryptoX\.CryptoObj\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*AcquireContext\s*|.*(?P=v)\s*\.\s*AcquireContext\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22CryptoX\.CryptoObj\x22|\x27CryptoX\.CryptoObj\x27)\s*\)(\s*\.\s*AcquireContext\s*|.*(?P=n)\s*\.\s*AcquireContext\s*)\s*\(/smi"; classtype:attempted-user; 12440 WEB-ACTIVEX Ultra Crypto Component CryptoX.dll ActiveX function call access www.ultrashareware.com/Ultra-Crypto-Component.htm 25609 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|r|00|y|00|p|00|t|00|o|00|X|00|.|00|C|00|r|00|y|00|p|00|t|00|o|00|O|00|b|00|j|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)C\x00r\x00y\x00p\x00t\x00o\x00X\x00.\x00C\x00r\x00y\x00p\x00t\x00o\x00O\x00b\x00j\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)C\x00r\x00y\x00p\x00t\x00o\x00X\x00.\x00C\x00r\x00y\x00p\x00t\x00o\x00O\x00b\x00j\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12441 WEB-ACTIVEX Ultra Crypto Component CryptoX.dll ActiveX function call unicode access www.ultrashareware.com/Ultra-Crypto-Component.htm 25611 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FD22F3AE-1450-4BDC-ADBE-6AF210A78C2C"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FD22F3AE-1450-4BDC-ADBE-6AF210A78C2C\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(SaveToFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FD22F3AE-1450-4BDC-ADBE-6AF210A78C2C\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(SaveToFile))\s*\(/si"; classtype:attempted-user; 12442 WEB-ACTIVEX Ultra Crypto Component CryptoX.dll 2 ActiveX clsid access www.ultrashareware.com/Ultra-Crypto-Component.htm 25611 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|D|00|2|00|2|00|F|00|3|00|A|00|E|00|-|00|1|00|4|00|5|00|0|00|-|00|4|00|B|00|D|00|C|00|-|00|A|00|D|00|B|00|E|00|-|00|6|00|A|00|F|00|2|00|1|00|0|00|A|00|7|00|8|00|C|00|2|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q8>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12443 WEB-ACTIVEX Ultra Crypto Component CryptoX.dll 2 ActiveX clsid unicode access www.ultrashareware.com/Ultra-Crypto-Component.htm 25566 attempted-user 2007-3040 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D45FD31B-5C6E-11D1-9EC1-00C04FD7081F"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D45FD31B-5C6E-11D1-9EC1-00C04FD7081F\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Characters.Load)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D45FD31B-5C6E-11D1-9EC1-00C04FD7081F\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Characters.Load))\s*\(/Osi"; classtype:attempted-user; 12448 WEB-ACTIVEX Microsoft Agent Control ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms07-051.mspx 25566 attempted-user 2007-3040 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|4|00|5|00|F|00|D|00|3|00|1|00|B|00|-|00|5|00|C|00|6|00|E|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|E|00|C|00|1|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|7|00|0|00|8|00|1|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; classtype:attempted-user; 12449 WEB-ACTIVEX Microsoft Agent Control ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms07-051.mspx 25566 attempted-user 2007-3040 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Agent.Control"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Agent\.Control\x22|\x27Agent\.Control\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Characters.Load\s*|.*(?P=v)\s*\.\s*Characters.Load\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Agent\.Control\x22|\x27Agent\.Control\x27)\s*\)(\s*\.\s*Characters.Load\s*|.*(?P=n)\s*\.\s*Characters.Load\s*)\s*\(/Osmi"; classtype:attempted-user; 12450 WEB-ACTIVEX Microsoft Agent Control ActiveX function call access www.microsoft.com/technet/security/bulletin/ms07-051.mspx 25566 attempted-user 2007-3040 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|g|00|e|00|n|00|t|00|.|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)A\x00g\x00e\x00n\x00t\x00.\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)A\x00g\x00e\x00n\x00t\x00.\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; classtype:attempted-user; 12451 WEB-ACTIVEX Microsoft Agent Control ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/ms07-051.mspx 25566 attempted-user 2007-3040 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D45FD300-5C6E-11D1-9EC1-00C04FD7081F"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D45FD300-5C6E-11D1-9EC1-00C04FD7081F\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(Characters.Load)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D45FD300-5C6E-11D1-9EC1-00C04FD7081F\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(Characters.Load))\s*\(/Osi"; classtype:attempted-user; 12452 WEB-ACTIVEX MS Agent File Provider ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms07-051.mspx 25566 attempted-user 2007-3040 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|4|00|5|00|F|00|D|00|3|00|0|00|0|00|-|00|5|00|C|00|6|00|E|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|E|00|C|00|1|00|-|00|0|00|0|00|C|00|0|00|4|00|F|00|D|00|7|00|0|00|8|00|1|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q8>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/Osi"; classtype:attempted-user; 12453 WEB-ACTIVEX MS Agent File Provider ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms07-051.mspx 8615 rpc-portmap-decode 2003-0722 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; 12458 RPC portmap Solaris sadmin port query tcp request 25638 attempted-user 2007-4891 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0DDF3C0B-E692-11D1-AB06-00AA00BDD685"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0DDF3C0B-E692-11D1-AB06-00AA00BDD685\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(StartProcess)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0DDF3C0B-E692-11D1-AB06-00AA00BDD685\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(StartProcess))\s*\(/si"; classtype:attempted-user; 12459 WEB-ACTIVEX Microsoft Visual Studio 6 PDWizard.ocx ActiveX clsid access 25638 attempted-user 2007-4891 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|D|00|D|00|F|00|3|00|C|00|0|00|B|00|-|00|E|00|6|00|9|00|2|00|-|00|1|00|1|00|D|00|1|00|-|00|A|00|B|00|0|00|6|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|D|00|D|00|6|00|8|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12460 WEB-ACTIVEX Microsoft Visual Studio 6 PDWizard.ocx ActiveX clsid unicode access 25635 attempted-user 2007-4890 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7EEA39E3-41D1-11D2-AB3B-00AA00BDD685"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q4>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7EEA39E3-41D1-11D2-AB3B-00AA00BDD685\s*}?\s*(?P=q4)(\s|>)/si"; classtype:attempted-user; 12461 WEB-ACTIVEX Microsoft Visual Studio 6 VBTOVSI.dll ActiveX clsid access 25635 attempted-user 2007-4890 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|E|00|E|00|A|00|3|00|9|00|E|00|3|00|-|00|4|00|1|00|D|00|1|00|-|00|1|00|1|00|D|00|2|00|-|00|A|00|B|00|3|00|B|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|D|00|D|00|6|00|8|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q5>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q5)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12462 WEB-ACTIVEX Microsoft Visual Studio 6 VBTOVSI.dll ActiveX clsid unicode access 25723 attempted-user 2007-4983 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8D1636FD-CA49-4B4E-90E4-0A20E03A15E8"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8D1636FD-CA49-4B4E-90E4-0A20E03A15E8\s*}?\s*(?P=q1)(\s|>)/si"; classtype:attempted-user; 12468 WEB-ACTIVEX COWON America JetAudio JetFlExt.dll ActiveX clsid access 25723 attempted-user 2007-4983 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|D|00|1|00|6|00|3|00|6|00|F|00|D|00|-|00|C|00|A|00|4|00|9|00|-|00|4|00|B|00|4|00|E|00|-|00|9|00|0|00|E|00|4|00|-|00|0|00|A|00|2|00|0|00|E|00|0|00|3|00|A|00|1|00|5|00|E|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12469 WEB-ACTIVEX COWON America JetAudio JetFlExt.dll ActiveX clsid unicode access 25723 attempted-user 2007-4983 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"JetAudio.Interface"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22JetAudio\.Interface\x22|\x27JetAudio\.Interface\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22JetAudio\.Interface\x22|\x27JetAudio\.Interface\x27)\s*\)/smi"; classtype:attempted-user; 12470 WEB-ACTIVEX COWON America JetAudio JetFlExt.dll ActiveX function call access 25723 attempted-user 2007-4983 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"J|00|e|00|t|00|A|00|u|00|d|00|i|00|o|00|.|00|I|00|n|00|t|00|e|00|r|00|f|00|a|00|c|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)J\x00e\x00t\x00A\x00u\x00d\x00i\x00o\x00.\x00I\x00n\x00t\x00e\x00r\x00f\x00a\x00c\x00e\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)J\x00e\x00t\x00A\x00u\x00d\x00i\x00o\x00.\x00I\x00n\x00t\x00e\x00r\x00f\x00a\x00c\x00e\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12471 WEB-ACTIVEX COWON America JetAudio JetFlExt.dll ActiveX function call unicode access 25727 attempted-user 2007-5017 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"24F3EAD6-8B87-4C1A-97DA-71C126BDA08F"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*24F3EAD6-8B87-4C1A-97DA-71C126BDA08F\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*24F3EAD6-8B87-4C1A-97DA-71C126BDA08F\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetFile))\s*\(/si"; classtype:attempted-user; 12476 WEB-ACTIVEX Yahoo Messenger CYFT ActiveX clsid access 25727 attempted-user 2007-5017 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|4|00|F|00|3|00|E|00|A|00|D|00|6|00|-|00|8|00|B|00|8|00|7|00|-|00|4|00|C|00|1|00|A|00|-|00|9|00|7|00|D|00|A|00|-|00|7|00|1|00|C|00|1|00|2|00|6|00|B|00|D|00|A|00|0|00|8|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12477 WEB-ACTIVEX Yahoo Messenger CYFT ActiveX clsid unicode access 25727 attempted-user 2007-5017 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ft60.YFT"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22ft60\.YFT\x22|\x27ft60\.YFT\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*GetFile\s*|.*(?P=v)\s*\.\s*GetFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ft60\.YFT\x22|\x27ft60\.YFT\x27)\s*\)(\s*\.\s*GetFile\s*|.*(?P=n)\s*\.\s*GetFile\s*)\s*\(/smi"; classtype:attempted-user; 12478 WEB-ACTIVEX Yahoo Messenger CYFT ActiveX function call access 25727 attempted-user 2007-5017 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"f|00|t|00|6|00|0|00|.|00|Y|00|F|00|T|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)f\x00t\x006\x000\x00.\x00Y\x00F\x00T\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)f\x00t\x006\x000\x00.\x00Y\x00F\x00T\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12479 WEB-ACTIVEX Yahoo Messenger CYFT ActiveX function call unicode access 25751 attempted-user 2007-5064 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"EEDD6FF9-13DE-496B-9A1C-D78B3215E266"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EEDD6FF9-13DE-496B-9A1C-D78B3215E266\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DownURL2)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EEDD6FF9-13DE-496B-9A1C-D78B3215E266\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DownURL2))\s*\(/si"; classtype:attempted-user; 12598 WEB-ACTIVEX Xunlei Web Thunder ActiveX clsid access 25751 attempted-user 2007-5064 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|E|00|D|00|D|00|6|00|F|00|F|00|9|00|-|00|1|00|3|00|D|00|E|00|-|00|4|00|9|00|6|00|B|00|-|00|9|00|A|00|1|00|C|00|-|00|D|00|7|00|8|00|B|00|3|00|2|00|1|00|5|00|E|00|2|00|6|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12599 WEB-ACTIVEX Xunlei Web Thunder ActiveX clsid unicode access 25789 attempted-user 2007-5111 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3C34EAC7-9904-4415-BBE4-82AA8C0C0BE8"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3C34EAC7-9904-4415-BBE4-82AA8C0C0BE8\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AddString)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3C34EAC7-9904-4415-BBE4-82AA8C0C0BE8\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(AddString))\s*\(/si"; classtype:attempted-user; 12600 WEB-ACTIVEX ebCrypt IncrementalHash ActiveX clsid access 25789 attempted-user 2007-5111 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|C|00|3|00|4|00|E|00|A|00|C|00|7|00|-|00|9|00|9|00|0|00|4|00|-|00|4|00|4|00|1|00|5|00|-|00|B|00|B|00|E|00|4|00|-|00|8|00|2|00|A|00|A|00|8|00|C|00|0|00|C|00|0|00|B|00|E|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12601 WEB-ACTIVEX ebCrypt IncrementalHash ActiveX clsid unicode access 25789 attempted-user 2007-5111 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"EbCrypt.eb_c_IncrementalHash"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22EbCrypt\.eb_c_IncrementalHash\x22|\x27EbCrypt\.eb_c_IncrementalHash\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*AddString\s*|.*(?P=v)\s*\.\s*AddString\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EbCrypt\.eb_c_IncrementalHash\x22|\x27EbCrypt\.eb_c_IncrementalHash\x27)\s*\)(\s*\.\s*AddString\s*|.*(?P=n)\s*\.\s*AddString\s*)\s*\(/smi"; classtype:attempted-user; 12602 WEB-ACTIVEX ebCrypt IncrementalHash ActiveX function call access 25789 attempted-user 2007-5111 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|b|00|C|00|r|00|y|00|p|00|t|00|.|00|e|00|b|00|_|00|c|00|_|00|I|00|n|00|c|00|r|00|e|00|m|00|e|00|n|00|t|00|a|00|l|00|H|00|a|00|s|00|h|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)E\x00b\x00C\x00r\x00y\x00p\x00t\x00.\x00e\x00b\x00_\x00c\x00_\x00I\x00n\x00c\x00r\x00e\x00m\x00e\x00n\x00t\x00a\x00l\x00H\x00a\x00s\x00h\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)E\x00b\x00C\x00r\x00y\x00p\x00t\x00.\x00e\x00b\x00_\x00c\x00_\x00I\x00n\x00c\x00r\x00e\x00m\x00e\x00n\x00t\x00a\x00l\x00H\x00a\x00s\x00h\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12603 WEB-ACTIVEX ebCrypt IncrementalHash ActiveX function call unicode access 25787 attempted-user 2007-5110 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B1E7505E-BBFD-42BF-98C9-602205A1504C"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B1E7505E-BBFD-42BF-98C9-602205A1504C\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(SaveToFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B1E7505E-BBFD-42BF-98C9-602205A1504C\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(SaveToFile))\s*\(/si"; classtype:attempted-user; 12604 WEB-ACTIVEX ebCrypt PRNGenerator ActiveX clsid access 25787 attempted-user 2007-5110 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|1|00|E|00|7|00|5|00|0|00|5|00|E|00|-|00|B|00|B|00|F|00|D|00|-|00|4|00|2|00|B|00|F|00|-|00|9|00|8|00|C|00|9|00|-|00|6|00|0|00|2|00|2|00|0|00|5|00|A|00|1|00|5|00|0|00|4|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q8>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12605 WEB-ACTIVEX ebCrypt PRNGenerator ActiveX clsid unicode access 25787 attempted-user 2007-5110 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"EbCrypt.eb_c_PRNGenerator"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22EbCrypt\.eb_c_PRNGenerator\x22|\x27EbCrypt\.eb_c_PRNGenerator\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveToFile\s*|.*(?P=v)\s*\.\s*SaveToFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EbCrypt\.eb_c_PRNGenerator\x22|\x27EbCrypt\.eb_c_PRNGenerator\x27)\s*\)(\s*\.\s*SaveToFile\s*|.*(?P=n)\s*\.\s*SaveToFile\s*)\s*\(/smi"; classtype:attempted-user; 12606 WEB-ACTIVEX ebCrypt PRNGenerator ActiveX function call access 25787 attempted-user 2007-5110 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|b|00|C|00|r|00|y|00|p|00|t|00|.|00|e|00|b|00|_|00|c|00|_|00|P|00|R|00|N|00|G|00|e|00|n|00|e|00|r|00|a|00|t|00|o|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q9>\x22|\x27|)E\x00b\x00C\x00r\x00y\x00p\x00t\x00.\x00e\x00b\x00_\x00c\x00_\x00P\x00R\x00N\x00G\x00e\x00n\x00e\x00r\x00a\x00t\x00o\x00r\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q10>\x22|\x27|)E\x00b\x00C\x00r\x00y\x00p\x00t\x00.\x00e\x00b\x00_\x00c\x00_\x00P\x00R\x00N\x00G\x00e\x00n\x00e\x00r\x00a\x00t\x00o\x00r\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12607 WEB-ACTIVEX ebCrypt PRNGenerator ActiveX function call unicode access 4639 rpc-portmap-decode 2002-0573 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 12608 RPC portmap walld udp request 4639 rpc-portmap-decode 2002-0573 udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 86 A8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%"; metadata:service sunrpc; classtype:rpc-portmap-decode; 12609 RPC portmap walld udp format string attack attempt 25638 attempted-user 2007-4891 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"PDWizard.PublicTools"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22PDWizard\.PublicTools\x22|\x27PDWizard\.PublicTools\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*StartProcess\s*|.*(?P=v)\s*\.\s*StartProcess\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22PDWizard\.PublicTools\x22|\x27PDWizard\.PublicTools\x27)\s*\)(\s*\.\s*StartProcess\s*|.*(?P=n)\s*\.\s*StartProcess\s*)\s*\(/smi"; classtype:attempted-user; 12616 WEB-ACTIVEX Microsoft Visual Studio 6 PDWizard.ocx ActiveX function call access 25638 attempted-user 2007-4891 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"P|00|D|00|W|00|i|00|z|00|a|00|r|00|d|00|.|00|P|00|u|00|b|00|l|00|i|00|c|00|T|00|o|00|o|00|l|00|s|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)P\x00D\x00W\x00i\x00z\x00a\x00r\x00d\x00.\x00P\x00u\x00b\x00l\x00i\x00c\x00T\x00o\x00o\x00l\x00s\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)P\x00D\x00W\x00i\x00z\x00a\x00r\x00d\x00.\x00P\x00u\x00b\x00l\x00i\x00c\x00T\x00o\x00o\x00l\x00s\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12617 WEB-ACTIVEX Microsoft Visual Studio 6 PDWizard.ocx ActiveX function call unicode access rpc-portmap-decode tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1262 RPC portmap admind request TCP 8615 rpc-portmap-decode 2003-0722 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; 12626 RPC portmap Solaris sadmin port query udp request 8615 rpc-portmap-decode 2003-0722 tcp $EXTERNAL_NET any -> $HOME_NET any flow:established,to_server; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; classtype:rpc-portmap-decode; 12627 RPC portmap Solaris sadmin port query tcp portmapper sadmin port query attempt 8615 rpc-portmap-decode 2003-0722 udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; classtype:rpc-portmap-decode; 12628 RPC portmap Solaris sadmin port query udp portmapper sadmin port query attempt 614 rpc-portmap-decode 1999-0704 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1263 RPC portmap amountd request TCP attempted-user 2007-2217 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|0D 0A FF D8|"; content:"|FF DB|"; distance:0; byte_test:2, =, 0, 2, relative; classtype:attempted-user; 12631 EXPLOIT Microsoft Kodak Imaging small offset malformed jpeg tables www.microsoft.com/technet/security/Bulletin/MS07-055.mspx attempted-user 2007-2217 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|0D 0A FF D8|"; content:"|FF DB|"; distance:0; byte_test:2, >, 32767, 2, relative; classtype:attempted-user; 12632 EXPLOIT Microsoft Kodak Imaging large offset malformed jpeg tables www.microsoft.com/technet/security/Bulletin/MS07-055.mspx denial-of-service 2007-2228 tcp $EXTERNAL_NET any -> $HOME_NET 135 flow:established,to_server; content:"NTLMSSP|00 03 00 00 00|"; content:"|00 00 00 00|"; within:4; distance:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; within:4; distance:4; content:"|05 00 00 03 10 00 00 00|"; within:500; pcre:"/\x05\x00\x00\x03\x10\x00\x00\x00.{16}\x0a[\x03\x04]/"; classtype:denial-of-service; 12635 DOS RPC NTLMSSP malformed credentials www.microsoft.com/technet/security/bulletin/ms07-058.mspx 26004 attempted-user 2007-3675 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75\s*}?\s*(?P=q1)(\s|>)/si"; classtype:attempted-user; 12637 WEB-ACTIVEX Kaspersky Online Scanner KAVWebScan.dll ActiveX clsid access 26004 attempted-user 2007-3675 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|E|00|B|00|0|00|E|00|7|00|4|00|A|00|-|00|2|00|A|00|7|00|6|00|-|00|4|00|A|00|B|00|3|00|-|00|A|00|7|00|F|00|B|00|-|00|9|00|B|00|D|00|8|00|C|00|2|00|9|00|F|00|7|00|F|00|7|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12638 WEB-ACTIVEX Kaspersky Online Scanner KAVWebScan.dll ActiveX clsid unicode access 26004 attempted-user 2007-3675 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"kavwebscan.CKAVWebScan"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22kavwebscan\.CKAVWebScan\x22|\x27kavwebscan\.CKAVWebScan\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22kavwebscan\.CKAVWebScan\x22|\x27kavwebscan\.CKAVWebScan\x27)\s*\)/smi"; classtype:attempted-user; 12639 WEB-ACTIVEX Kaspersky Online Scanner KAVWebScan.dll ActiveX function call access rpc-portmap-decode 1999-0647 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1264 RPC portmap bootparam request TCP 26004 attempted-user 2007-3675 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"k|00|a|00|v|00|w|00|e|00|b|00|s|00|c|00|a|00|n|00|.|00|C|00|K|00|A|00|V|00|W|00|e|00|b|00|S|00|c|00|a|00|n|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)k\x00a\x00v\x00w\x00e\x00b\x00s\x00c\x00a\x00n\x00.\x00C\x00K\x00A\x00V\x00W\x00e\x00b\x00S\x00c\x00a\x00n\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)k\x00a\x00v\x00w\x00e\x00b\x00s\x00c\x00a\x00n\x00.\x00C\x00K\x00A\x00V\x00W\x00e\x00b\x00S\x00c\x00a\x00n\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12640 WEB-ACTIVEX Kaspersky Online Scanner KAVWebScan.dll ActiveX function call unicode access denial-of-service 2007-2228 udp $EXTERNAL_NET any -> $HOME_NET 135 flow:established,to_server; content:"NTLMSSP|00 03 00 00 00|"; content:"|00 00 00 00|"; within:4; distance:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; within:4; distance:4; content:"|05 00 00 03 10 00 00 00|"; within:500; pcre:"/\x05\x00\x00\x03\x10\x00\x00\x00.{16}\x0a[\x03\x04]/"; classtype:denial-of-service; 12642 DOS RPC NTLMSSP malformed credentials www.microsoft.com/technet/security/bulletin/ms07-058.mspx 26058 attempted-user 2007-5446 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"30C0FDCB-53BE-4DB3-869D-32BF2DAD0DEC"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*30C0FDCB-53BE-4DB3-869D-32BF2DAD0DEC\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*SaveSenderToXML|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*30C0FDCB-53BE-4DB3-869D-32BF2DAD0DEC\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.SaveSenderToXML)\s*\(/si"; classtype:attempted-user; 12644 WEB-ACTIVEX PBEmail7 ActiveX clsid access 26058 attempted-user 2007-5446 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|0|00|C|00|0|00|F|00|D|00|C|00|B|00|-|00|5|00|3|00|B|00|E|00|-|00|4|00|D|00|B|00|3|00|-|00|8|00|6|00|9|00|D|00|-|00|3|00|2|00|B|00|F|00|2|00|D|00|A|00|D|00|0|00|D|00|E|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12645 WEB-ACTIVEX PBEmail7 ActiveX clsid unicode access 26058 attempted-user 2007-5446 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"PBEmail7.EmailSender"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22PBEmail7\.EmailSender\x22|\x27PBEmail7\.EmailSender\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SaveSenderToXML\s*|.*(?P=v)\s*\.\s*SaveSenderToXML\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22PBEmail7\.EmailSender\x22|\x27PBEmail7\.EmailSender\x27)\s*\)(\s*\.\s*SaveSenderToXML\s*|.*(?P=n)\s*\.\s*SaveSenderToXML\s*)\s*\(/smi"; classtype:attempted-user; 12646 WEB-ACTIVEX PBEmail7 ActiveX function call access 26058 attempted-user 2007-5446 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"P|00|B|00|E|00|m|00|a|00|i|00|l|00|7|00|.|00|E|00|m|00|a|00|i|00|l|00|S|00|e|00|n|00|d|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)P\x00B\x00E\x00m\x00a\x00i\x00l\x007\x00.\x00E\x00m\x00a\x00i\x00l\x00S\x00e\x00n\x00d\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)P\x00B\x00E\x00m\x00a\x00i\x00l\x007\x00.\x00E\x00m\x00a\x00i\x00l\x00S\x00e\x00n\x00d\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12647 WEB-ACTIVEX PBEmail7 ActiveX function call unicode access 26064 attempted-user 2007-5445 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7600707B-9F47-416D-8AB5-6FD96EA37968\s*}?\s*(?P=q6)(\s|>)/si"; classtype:attempted-user; 12648 WEB-ACTIVEX DB Software Laboratory VImpX ActiveX clsid access 26064 attempted-user 2007-5445 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|6|00|0|00|0|00|7|00|0|00|7|00|B|00|-|00|9|00|F|00|4|00|7|00|-|00|4|00|1|00|6|00|D|00|-|00|8|00|A|00|B|00|5|00|-|00|6|00|F|00|D|00|9|00|6|00|E|00|A|00|3|00|7|00|9|00|6|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q7>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q7)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12649 WEB-ACTIVEX DB Software Laboratory VImpX ActiveX clsid unicode access rpc-portmap-decode tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1265 RPC portmap cmsd request TCP 26064 attempted-user 2007-5445 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VImpX.VImpAX"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VImpX\.VImpAX\x22|\x27VImpX\.VImpAX\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VImpX\.VImpAX\x22|\x27VImpX\.VImpAX\x27)\s*\)/smi"; classtype:attempted-user; 12650 WEB-ACTIVEX DB Software Laboratory VImpX ActiveX function call access 26064 attempted-user 2007-5445 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|I|00|m|00|p|00|X|00|.|00|V|00|I|00|m|00|p|00|A|00|X|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q8>\x22|\x27|)V\x00I\x00m\x00p\x00X\x00.\x00V\x00I\x00m\x00p\x00A\x00X\x00(?P=q8)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q9>\x22|\x27|)V\x00I\x00m\x00p\x00X\x00.\x00V\x00I\x00m\x00p\x00A\x00X\x00(?P=q9)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12651 WEB-ACTIVEX DB Software Laboratory VImpX ActiveX function call unicode access rpc-portmap-decode tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1267 RPC portmap nisd request TCP 4816 rpc-portmap-decode 2002-0910 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1268 RPC portmap pcnfsd request TCP 26244 attempted-user 2007-5722 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AE93C5DF-A990-11D1-AEBD-5254ABDD2B69"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AE93C5DF-A990-11D1-AEBD-5254ABDD2B69\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ConnectAndEnterRoom)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*AE93C5DF-A990-11D1-AEBD-5254ABDD2B69\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(ConnectAndEnterRoom))\s*\(/si"; classtype:attempted-user; 12689 WEB-ACTIVEX GlobalLink ConnectAndEnterRoom ActiveX clsid access rpc-portmap-decode tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1269 RPC portmap rexd request TCP 26244 attempted-user 2007-5722 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|E|00|9|00|3|00|C|00|5|00|D|00|F|00|-|00|A|00|9|00|9|00|0|00|-|00|1|00|1|00|D|00|1|00|-|00|A|00|E|00|B|00|D|00|-|00|5|00|2|00|5|00|4|00|A|00|B|00|D|00|D|00|2|00|B|00|6|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12690 WEB-ACTIVEX GlobalLink ConnectAndEnterRoom ActiveX clsid unicode access rpc-portmap-decode tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1270 RPC portmap rstatd request TCP rpc-portmap-decode 1999-0626 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1271 RPC portmap rusers request TCP 26430 attempted-user 2007-6005 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E06E2E99-0AA1-11D4-ABA6-0060082AA75C"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E06E2E99-0AA1-11D4-ABA6-0060082AA75C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(InitParam|SetParam)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E06E2E99-0AA1-11D4-ABA6-0060082AA75C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(InitParam|SetParam))\s*\(/si"; classtype:attempted-user; 12714 WEB-ACTIVEX WebEx GPCContainer ActiveX clsid access 26430 attempted-user 2007-6005 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|0|00|6|00|E|00|2|00|E|00|9|00|9|00|-|00|0|00|A|00|A|00|1|00|-|00|1|00|1|00|D|00|4|00|-|00|A|00|B|00|A|00|6|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|2|00|A|00|A|00|7|00|5|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12715 WEB-ACTIVEX WebEx GPCContainer ActiveX clsid unicode access 26430 attempted-user 2007-6005 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"GpcContainer.GpcContainer"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22GpcContainer\.GpcContainer\x22|\x27GpcContainer\.GpcContainer\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(InitParam|SetParam)\s*|.*(?P=v)\s*\.\s*(InitParam|SetParam)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22GpcContainer\.GpcContainer\x22|\x27GpcContainer\.GpcContainer\x27)\s*\)(\s*\.\s*(InitParam|SetParam)\s*|.*(?P=n)\s*\.\s*(InitParam|SetParam)\s*)\s*\(/smi"; classtype:attempted-user; 12716 WEB-ACTIVEX WebEx GPCContainer ActiveX function call access 26430 attempted-user 2007-6005 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"G|00|p|00|c|00|C|00|o|00|n|00|t|00|a|00|i|00|n|00|e|00|r|00|.|00|G|00|p|00|c|00|C|00|o|00|n|00|t|00|a|00|i|00|n|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)G\x00p\x00c\x00C\x00o\x00n\x00t\x00a\x00i\x00n\x00e\x00r\x00.\x00G\x00p\x00c\x00C\x00o\x00n\x00t\x00a\x00i\x00n\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)G\x00p\x00c\x00C\x00o\x00n\x00t\x00a\x00i\x00n\x00e\x00r\x00.\x00G\x00p\x00c\x00C\x00o\x00n\x00t\x00a\x00i\x00n\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12717 WEB-ACTIVEX WebEx GPCContainer ActiveX function call unicode access rpc-portmap-decode tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1272 RPC portmap sadmind request TCP 26396 attempted-user 2007-5755 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B49C4597-8721-4789-9250-315DFBD9F525"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B49C4597-8721-4789-9250-315DFBD9F525\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SetMetadata)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*B49C4597-8721-4789-9250-315DFBD9F525\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(SetMetadata))\s*\(/Osi"; classtype:attempted-user; 12729 WEB-ACTIVEX AOL Radio AmpX ActiveX clsid access 205 rpc-portmap-decode 1999-0209 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1273 RPC portmap selection_svc request TCP 26396 attempted-user 2007-5755 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|4|00|9|00|C|00|4|00|5|00|9|00|7|00|-|00|8|00|7|00|2|00|1|00|-|00|4|00|7|00|8|00|9|00|-|00|9|00|2|00|5|00|0|00|-|00|3|00|1|00|5|00|D|00|F|00|B|00|D|00|9|00|F|00|5|00|2|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; classtype:attempted-user; 12730 WEB-ACTIVEX AOL Radio AmpX ActiveX clsid unicode access 35028 attempted-user 2007-5755 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"WinAmpX.IWinAmpActiveX"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22WinAmpX\.IWinAmpActiveX\x22|\x27WinAmpX\.IWinAmpActiveX\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(SetMetadata|ConvertFile)\s*|.*(?P=v)\s*\.\s*(SetMetadata|ConvertFile)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22WinAmpX\.IWinAmpActiveX\x22|\x27WinAmpX\.IWinAmpActiveX\x27)\s*\)(\s*\.\s*(SetMetadata|ConvertFile)\s*|.*(?P=n)\s*\.\s*(SetMetadata|ConvertFile)\s*)\s*\(/Osi"; classtype:attempted-user; 12731 WEB-ACTIVEX AOL Radio AmpX ActiveX function call access 26396 attempted-user 2007-5755 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"W|00|i|00|n|00|A|00|m|00|p|00|X|00|.|00|I|00|W|00|i|00|n|00|A|00|m|00|p|00|A|00|c|00|t|00|i|00|v|00|e|00|X|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)W\x00i\x00n\x00A\x00m\x00p\x00X\x00.\x00I\x00W\x00i\x00n\x00A\x00m\x00p\x00A\x00c\x00t\x00i\x00v\x00e\x00X\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)W\x00i\x00n\x00A\x00m\x00p\x00X\x00.\x00I\x00W\x00i\x00n\x00A\x00m\x00p\x00A\x00c\x00t\x00i\x00v\x00e\x00X\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; classtype:attempted-user; 12732 WEB-ACTIVEX AOL Radio AmpX ActiveX function call unicode access 26467 attempted-user 2007-6028 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C0A63B86-4B21-11d3-BD95-D426EF2C7949"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C0A63B86-4B21-11d3-BD95-D426EF2C7949\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Text|EditSelText|EditText|CellFontName)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*C0A63B86-4B21-11d3-BD95-D426EF2C7949\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(Text|EditSelText|EditText|CellFontName))\s*=/si"; classtype:attempted-user; 12733 WEB-ACTIVEX ComponentOne FlexGrid ActiveX clsid access 26467 attempted-user 2007-6028 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|0|00|A|00|6|00|3|00|B|00|8|00|6|00|-|00|4|00|B|00|2|00|1|00|-|00|1|00|1|00|d|00|3|00|-|00|B|00|D|00|9|00|5|00|-|00|D|00|4|00|2|00|6|00|E|00|F|00|2|00|C|00|7|00|9|00|4|00|9|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12734 WEB-ACTIVEX ComponentOne FlexGrid ActiveX clsid unicode access 26467 attempted-user 2007-6028 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VSFlexGrid.VSFlexGridL"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22VSFlexGrid\.VSFlexGridL\x22|\x27VSFlexGrid\.VSFlexGridL\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Text|EditSelText|EditText|CellFontName)\s*|.*(?P=v)\s*\.\s*(Text|EditSelText|EditText|CellFontName)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22VSFlexGrid\.VSFlexGridL\x22|\x27VSFlexGrid\.VSFlexGridL\x27)\s*\)(\s*\.\s*(Text|EditSelText|EditText|CellFontName)\s*|.*(?P=n)\s*\.\s*(Text|EditSelText|EditText|CellFontName))\s*=/smi"; classtype:attempted-user; 12735 WEB-ACTIVEX ComponentOne FlexGrid ActiveX function call access 26467 attempted-user 2007-6028 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"V|00|S|00|F|00|l|00|e|00|x|00|G|00|r|00|i|00|d|00|.|00|V|00|S|00|F|00|l|00|e|00|x|00|G|00|r|00|i|00|d|00|L|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)V\x00S\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x00.\x00V\x00S\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x00L\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)V\x00S\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x00.\x00V\x00S\x00F\x00l\x00e\x00x\x00G\x00r\x00i\x00d\x00L\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12736 WEB-ACTIVEX ComponentOne FlexGrid ActiveX function call unicode access 26536 attempted-user 2007-6144 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F3E70CEA-956E-49CC-B444-73AFE593AD7F"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F3E70CEA-956E-49CC-B444-73AFE593AD7F\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(FlvPlayerUrl)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F3E70CEA-956E-49CC-B444-73AFE593AD7F\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(FlvPlayerUrl))\s*\(/si"; classtype:attempted-user; 12737 WEB-ACTIVEX Xunlei Thunder PPLAYER.DLL ActiveX clsid access 26536 attempted-user 2007-6144 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|3|00|E|00|7|00|0|00|C|00|E|00|A|00|-|00|9|00|5|00|6|00|E|00|-|00|4|00|9|00|C|00|C|00|-|00|B|00|4|00|4|00|4|00|-|00|7|00|3|00|A|00|F|00|E|00|5|00|9|00|3|00|A|00|D|00|7|00|F|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12738 WEB-ACTIVEX Xunlei Thunder PPLAYER.DLL ActiveX clsid unicode access 26536 attempted-user 2007-6144 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"PPlayer.XPPlayer"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22PPlayer\.XPPlayer\x22|\x27PPlayer\.XPPlayer\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*FlvPlayerUrl\s*|.*(?P=v)\s*\.\s*FlvPlayerUrl\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22PPlayer\.XPPlayer\x22|\x27PPlayer\.XPPlayer\x27)\s*\)(\s*\.\s*FlvPlayerUrl\s*|.*(?P=n)\s*\.\s*FlvPlayerUrl\s*)\s*\(/smi"; classtype:attempted-user; 12739 WEB-ACTIVEX Xunlei Thunder PPLAYER.DLL ActiveX function call access 3382 rpc-portmap-decode 2001-0717 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1274 RPC portmap ttdbserv request TCP www.cert.org/advisories/CA-2001-05.html 26536 attempted-user 2007-6144 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"P|00|P|00|l|00|a|00|y|00|e|00|r|00|.|00|X|00|P|00|P|00|l|00|a|00|y|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)P\x00P\x00l\x00a\x00y\x00e\x00r\x00.\x00X\x00P\x00P\x00l\x00a\x00y\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)P\x00P\x00l\x00a\x00y\x00e\x00r\x00.\x00X\x00P\x00P\x00l\x00a\x00y\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12740 WEB-ACTIVEX Xunlei Thunder PPLAYER.DLL ActiveX function call unicode access 26210 attempted-user 2007-5775 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5D86DDB5-BDF9-441B-9E9E-D4730F4EE499"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5D86DDB5-BDF9-441B-9E9E-D4730F4EE499\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(InitX)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5D86DDB5-BDF9-441B-9E9E-D4730F4EE499\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(InitX))\s*\(/siO"; metadata:service http; classtype:attempted-user; 12747 WEB-ACTIVEX BitDefender Online Scanner ActiveX clsid access 26210 attempted-user 2007-5775 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|D|00|8|00|6|00|D|00|D|00|B|00|5|00|-|00|B|00|D|00|F|00|9|00|-|00|4|00|4|00|1|00|B|00|-|00|9|00|E|00|9|00|E|00|-|00|D|00|4|00|7|00|3|00|0|00|F|00|4|00|E|00|E|00|4|00|9|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*5\x00D\x008\x006\x00D\x00D\x00B\x005\x00-\x00B\x00D\x00F\x009\x00-\x004\x004\x001\x00B\x00-\x009\x00E\x009\x00E\x00-\x00D\x004\x007\x003\x000\x00F\x004\x00E\x00E\x004\x009\x009\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:service http; classtype:attempted-user; 12748 WEB-ACTIVEX BitDefender Online Scanner ActiveX clsid unicode access 26210 attempted-user 2007-5775 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BDSCANONLINE.BDSCANONLINECtrl"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22BDSCANONLINE\.BDSCANONLINECtrl(\.\d)?\x22|\x27BDSCANONLINE\.BDSCANONLINECtrl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*InitX\s*|.*(?P=v)\s*\.\s*InitX\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22BDSCANONLINE\.BDSCANONLINECtrl(\.\d)?\x22|\x27BDSCANONLINE\.BDSCANONLINECtrl(\.\d)?\x27)\s*\)(\s*\.\s*InitX\s*|.*(?P=n)\s*\.\s*InitX\s*)\s*\(/smiO"; metadata:service http; classtype:attempted-user; 12749 WEB-ACTIVEX BitDefender Online Scanner ActiveX function call access rpc-portmap-decode tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1275 RPC portmap yppasswd request TCP 26210 attempted-user 2007-5775 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|D|00|S|00|C|00|A|00|N|00|O|00|N|00|L|00|I|00|N|00|E|00|.|00|B|00|D|00|S|00|C|00|A|00|N|00|O|00|N|00|L|00|I|00|N|00|E|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)B\x00D\x00S\x00C\x00A\x00N\x00O\x00N\x00L\x00I\x00N\x00E\x00.\x00B\x00D\x00S\x00C\x00A\x00N\x00O\x00N\x00L\x00I\x00N\x00E\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)B\x00D\x00S\x00C\x00A\x00N\x00O\x00N\x00L\x00I\x00N\x00E\x00.\x00B\x00D\x00S\x00C\x00A\x00N\x00O\x00N\x00L\x00I\x00N\x00E\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:service http; classtype:attempted-user; 12750 WEB-ACTIVEX BitDefender Online Scanner ActiveX function call unicode access 6016 rpc-portmap-decode 2002-1232 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1276 RPC portmap ypserv request TCP 28383 rpc-portmap-decode 1999-0208 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 1277 RPC portmap ypupdated request UDP 27577 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6E5E167B-1566-4316-B27F-0DDAB3484CF7"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6E5E167B-1566-4316-B27F-0DDAB3484CF7\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GotoFolder|CanGotoFolder)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6E5E167B-1566-4316-B27F-0DDAB3484CF7\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GotoFolder|CanGotoFolder))\s*\(/si"; metadata:service http; classtype:attempted-user; 12780 WEB-ACTIVEX Aurigma Image Uploader 4 Vulnerable Methods ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 27577 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|E|00|5|00|E|00|1|00|6|00|7|00|B|00|-|00|1|00|5|00|6|00|6|00|-|00|4|00|3|00|1|00|6|00|-|00|B|00|2|00|7|00|F|00|-|00|0|00|D|00|D|00|A|00|B|00|3|00|4|00|8|00|4|00|C|00|F|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x00E\x005\x00E\x001\x006\x007\x00B\x00-\x001\x005\x006\x006\x00-\x004\x003\x001\x006\x00-\x00B\x002\x007\x00F\x00-\x000\x00D\x00D\x00A\x00B\x003\x004\x008\x004\x00C\x00F\x007\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:service http; classtype:attempted-user; 12781 WEB-ACTIVEX Aurigma Image Uploader 4 Vulnerable Methods ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 27577 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Aurigma.ImageUploader"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Aurigma\.ImageUploader\x22|\x27Aurigma\.ImageUploader\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(GotoFolder|CanGotoFolder)\s*|.*(?P=v)\s*\.\s*(GotoFolder|CanGotoFolder)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Aurigma\.ImageUploader\x22|\x27Aurigma\.ImageUploader\x27)\s*\)(\s*\.\s*(GotoFolder|CanGotoFolder)\s*|.*(?P=n)\s*\.\s*(GotoFolder|CanGotoFolder)\s*)\s*\(/smi"; metadata:service http; classtype:attempted-user; 12782 WEB-ACTIVEX Aurigma Image Uploader 4 Vulnerable Methods ActiveX function call access www.microsoft.com/technet/security/advisory/953839.mspx 27577 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|u|00|r|00|i|00|g|00|m|00|a|00|.|00|I|00|m|00|a|00|g|00|e|00|U|00|p|00|l|00|o|00|a|00|d|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)A\x00u\x00r\x00i\x00g\x00m\x00a\x00.\x00I\x00m\x00a\x00g\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)A\x00u\x00r\x00i\x00g\x00m\x00a\x00.\x00I\x00m\x00a\x00g\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:service http; classtype:attempted-user; 12783 WEB-ACTIVEX Aurigma Image Uploader 4 Vulnerable Methods ActiveX function call unicode access www.microsoft.com/technet/security/advisory/953839.mspx rpc-portmap-decode udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 1280 RPC portmap listing UDP 111 rpc-portmap-decode udp $EXTERNAL_NET any -> $HOME_NET 32771 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 1281 RPC portmap listing UDP 32771 9633 attempted-admin 2003-0818 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"Authorization|3A| Negotiate "; nocase; http_header; pcre:"/^Authorization\x3a\s*Negotiate\s*((YE4G.{40}LgMc)|(YIIQ.{40}QUFB))/smiH"; metadata:service http; classtype:attempted-admin; 12905 SPECIFIC-THREATS Microsoft SPNEGO ASN.1 library heap corruption overflow attempt www.microsoft.com/technet/security/bulletin/MS04-007.mspx 26015 attempted-admin 2007-5327 tcp $EXTERNAL_NET any -> $HOME_NET [6503,6504] flow:established,to_server; dce_iface:506B1890-14C8-11D1-BBC3-00805FA6962E; dce_opnum:269; dce_stub_data; pcre:"/^.{268}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,190,0,relative,dce; content:"|05 00 00|"; metadata:service dcerpc; classtype:attempted-admin; 12940 NETBIOS DCERPC NCACN-IP-TCP brightstor-arc2 CA call 269 overflow attempt bad-unknown tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0|00|.|00|D|00|L|00|L"; nocase; classtype:bad-unknown; 1295 NETBIOS nimda RICHED20.DLL www.f-secure.com/v-descs/nimda.shtml attempted-admin 2007-3039 tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] flow:established,to_server; dce_iface:FDB3A030-065F-11D1-BB9B-00A024EA5525; dce_opnum:6; dce_stub_data; byte_test:4,=,1,0,relative,dce; byte_test:4,>,142,4,relative,dce; content:"|05 00 00|"; metadata:service dcerpc; classtype:attempted-admin; 12977 NETBIOS DCERPC NCACN-IP-TCP mqqm QMCreateObjectInternal overflow attempt www.microsoft.com/technet/security/bulletin/ms07-065.mspx attempted-admin 2007-3039 udp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] dce_iface:FDB3A030-065F-11D1-BB9B-00A024EA5525; dce_opnum:6; dce_stub_data; byte_test:4,=,1,0,relative,dce; byte_test:4,>,142,4,relative,dce; content:"|04 00|"; metadata:service dcerpc; classtype:attempted-admin; 12978 NETBIOS DCERPC NCADG-IP-UDP mqqm QMCreateObjectInternal overflow attempt www.microsoft.com/technet/security/bulletin/ms07-065.mspx 24196 protocol-command-decode 2007-2446 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:40; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,=,4294967295,40,relative,dce; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:protocol-command-decode; 12984 NETBIOS DCERPC NCACN-IP-TCP srvsvc NetSetFileSecurity integer overflow attempt 24196 protocol-command-decode 2007-2446 udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:40; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,=,4294967295,40,relative,dce; content:"|04 00|"; metadata:service netbios-dgm; classtype:protocol-command-decode; 12985 NETBIOS DCERPC NCADG-IP-UDP srvsvc NetSetFileSecurity integer overflow attempt attempted-admin 2007-3039 tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] flow:established,to_server; dce_iface:FDB3A030-065F-11D1-BB9B-00A024EA5525; dce_opnum:12; dce_stub_data; byte_test:4,>,142,0,relative,dce; content:"|05 00 00|"; metadata:service dcerpc; classtype:attempted-admin; 13210 NETBIOS DCERPC NCACN-IP-TCP mqqm QMObjectPathToObjectFormat overflow attempt www.microsoft.com/technet/security/bulletin/ms07-065.mspx attempted-admin 2007-3039 udp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] dce_iface:FDB3A030-065F-11D1-BB9B-00A024EA5525; dce_opnum:12; dce_stub_data; byte_test:4,>,142,0,relative,dce; content:"|04 00|"; metadata:service dcerpc; classtype:attempted-admin; 13211 NETBIOS DCERPC NCADG-IP-UDP mqqm QMObjectPathToObjectFormat overflow attempt www.microsoft.com/technet/security/bulletin/ms07-065.mspx 26967 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0C378864-D5C4-4D9C-854C-432E3BEC9CCB"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0C378864-D5C4-4D9C-854C-432E3BEC9CCB\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ReadValue)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0C378864-D5C4-4D9C-854C-432E3BEC9CCB\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(ReadValue))\s*\(/si"; metadata:service http; classtype:attempted-user; 13228 WEB-ACTIVEX HP eSupportDiagnostics 1 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 26967 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|C|00|3|00|7|00|8|00|8|00|6|00|4|00|-|00|D|00|5|00|C|00|4|00|-|00|4|00|D|00|9|00|C|00|-|00|8|00|5|00|4|00|C|00|-|00|4|00|3|00|2|00|E|00|3|00|B|00|E|00|C|00|9|00|C|00|C|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00C\x003\x007\x008\x008\x006\x004\x00-\x00D\x005\x00C\x004\x00-\x004\x00D\x009\x00C\x00-\x008\x005\x004\x00C\x00-\x004\x003\x002\x00E\x003\x00B\x00E\x00C\x009\x00C\x00C\x00B\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:service http; classtype:attempted-user; 13229 WEB-ACTIVEX HP eSupportDiagnostics 1 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 26967 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CDAF9CEC-F3EC-4B22-ABA3-9726713560F8"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q24>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CDAF9CEC-F3EC-4B22-ABA3-9726713560F8\s*}?\s*(?P=q24)(\s|>).*(?P=id1)\s*\.\s*(ReadTextFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q25>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CDAF9CEC-F3EC-4B22-ABA3-9726713560F8\s*}?\s*(?P=q25)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(ReadTextFile))\s*\(/si"; metadata:service http; classtype:attempted-user; 13230 WEB-ACTIVEX HP eSupportDiagnostics 2 ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 26967 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|D|00|A|00|F|00|9|00|C|00|E|00|C|00|-|00|F|00|3|00|E|00|C|00|-|00|4|00|B|00|2|00|2|00|-|00|A|00|B|00|A|00|3|00|-|00|9|00|7|00|2|00|6|00|7|00|1|00|3|00|5|00|6|00|0|00|F|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q26>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00D\x00A\x00F\x009\x00C\x00E\x00C\x00-\x00F\x003\x00E\x00C\x00-\x004\x00B\x002\x002\x00-\x00A\x00B\x00A\x003\x00-\x009\x007\x002\x006\x007\x001\x003\x005\x006\x000\x00F\x008\x00(}\x00)?(?P=q26)(?=\s\x00|>\x00)/si"; metadata:service http; classtype:attempted-user; 13231 WEB-ACTIVEX HP eSupportDiagnostics 2 ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 36550 attempted-user 2009-3693 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E87F6C8E-16C0-11D3-BEF7-009027438003"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E87F6C8E-16C0-11D3-BEF7-009027438003\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AddFolder|AddFile|MakeHttpRequest)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E87F6C8E-16C0-11D3-BEF7-009027438003\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(AddFolder|AddFile|MakeHttpRequest))\s*\(/siO"; metadata:service http; classtype:attempted-user; 13232 WEB-ACTIVEX Persits Software XUpload ActiveX clsid access 36550 attempted-user 2009-3693 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|8|00|7|00|F|00|6|00|C|00|8|00|E|00|-|00|1|00|6|00|C|00|0|00|-|00|1|00|1|00|D|00|3|00|-|00|B|00|E|00|F|00|7|00|-|00|0|00|0|00|9|00|0|00|2|00|7|00|4|00|3|00|8|00|0|00|0|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x008\x007\x00F\x006\x00C\x008\x00E\x00-\x001\x006\x00C\x000\x00-\x001\x001\x00D\x003\x00-\x00B\x00E\x00F\x007\x00-\x000\x000\x009\x000\x002\x007\x004\x003\x008\x000\x000\x003\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:service http; classtype:attempted-user; 13233 WEB-ACTIVEX Persits Software XUpload ActiveX clsid unicode access 36550 attempted-user 2009-3693 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Persits.XUpload"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22Persits\.XUpload(\.\d)?\x22|\x27Persits\.XUpload(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(AddFolder|AddFile|MakeHttpRequest)\s*|.*(?P=v)\s*\.\s*(AddFolder|AddFile|MakeHttpRequest)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Persits\.XUpload(\.\d)?\x22|\x27Persits\.XUpload(\.\d)?\x27)\s*\)(\s*\.\s*(AddFolder|AddFile|MakeHttpRequest)\s*|.*(?P=n)\s*\.\s*(AddFolder|AddFile|MakeHttpRequest)\s*)\s*\(/siO"; metadata:service http; classtype:attempted-user; 13234 WEB-ACTIVEX Persits Software XUpload ActiveX function call access 36550 attempted-user 2009-3693 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"P|00|e|00|r|00|s|00|i|00|t|00|s|00|.|00|X|00|U|00|p|00|l|00|o|00|a|00|d|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)P\x00e\x00r\x00s\x00i\x00t\x00s\x00.\x00X\x00U\x00p\x00l\x00o\x00a\x00d\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)P\x00e\x00r\x00s\x00i\x00t\x00s\x00.\x00X\x00U\x00p\x00l\x00o\x00a\x00d\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/siO"; metadata:service http; classtype:attempted-user; 13235 WEB-ACTIVEX Persits Software XUpload ActiveX function call unicode access 27577 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6E5E167B-1566-4316-B27F-0DDAB3484CF7"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6E5E167B-1566-4316-B27F-0DDAB3484CF7\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(ExtractIptc|ExtractExif)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6E5E167B-1566-4316-B27F-0DDAB3484CF7\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(ExtractIptc|ExtractExif))\s*=/si"; metadata:service http; classtype:attempted-user; 13434 WEB-ACTIVEX Aurigma Image Uploader 4 Property Overflows ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 27577 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|E|00|5|00|E|00|1|00|6|00|7|00|B|00|-|00|1|00|5|00|6|00|6|00|-|00|4|00|3|00|1|00|6|00|-|00|B|00|2|00|7|00|F|00|-|00|0|00|D|00|D|00|A|00|B|00|3|00|4|00|8|00|4|00|C|00|F|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q8>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x00E\x005\x00E\x001\x006\x007\x00B\x00-\x001\x005\x006\x006\x00-\x004\x003\x001\x006\x00-\x00B\x002\x007\x00F\x00-\x000\x00D\x00D\x00A\x00B\x003\x004\x008\x004\x00C\x00F\x007\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/si"; metadata:service http; classtype:attempted-user; 13435 WEB-ACTIVEX Aurigma Image Uploader 4 Property Overflows ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 27577 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Aurigma.ImageUploader"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Aurigma\.ImageUploader\x22|\x27Aurigma\.ImageUploader\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(ExtractIptc|ExtractExif)\s*|.*(?P=v)\s*\.\s*(ExtractIptc|ExtractExif)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Aurigma\.ImageUploader\x22|\x27Aurigma\.ImageUploader\x27)\s*\)(\s*\.\s*(ExtractIptc|ExtractExif)\s*|.*(?P=n)\s*\.\s*(ExtractIptc|ExtractExif))\s*=/smi"; metadata:service http; classtype:attempted-user; 13436 WEB-ACTIVEX Aurigma Image Uploader 4 Property Overflows ActiveX function call access www.microsoft.com/technet/security/advisory/953839.mspx 27577 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|u|00|r|00|i|00|g|00|m|00|a|00|.|00|I|00|m|00|a|00|g|00|e|00|U|00|p|00|l|00|o|00|a|00|d|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q9>\x22|\x27|)A\x00u\x00r\x00i\x00g\x00m\x00a\x00.\x00I\x00m\x00a\x00g\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q10>\x22|\x27|)A\x00u\x00r\x00i\x00g\x00m\x00a\x00.\x00I\x00m\x00a\x00g\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/smi"; metadata:service http; classtype:attempted-user; 13437 WEB-ACTIVEX Aurigma Image Uploader 4 Property Overflows ActiveX function call unicode access www.microsoft.com/technet/security/advisory/953839.mspx 27577 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BA162249-F2C5-4851-8ADC-FC58CB424243"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q11>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BA162249-F2C5-4851-8ADC-FC58CB424243\s*}?\s*(?P=q11)(\s|>).*(?P=id1)\s*\.\s*(GotoFolder|CanGotoFolder)|<object\s*[^>]*\s*classid\s*=\s*(?P<q12>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BA162249-F2C5-4851-8ADC-FC58CB424243\s*}?\s*(?P=q12)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\.(GotoFolder|CanGotoFolder))\s*\(/si"; metadata:service http; classtype:attempted-user; 13438 WEB-ACTIVEX Aurigma Image Uploader 5 Vulnerable Methods ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 27577 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|A|00|1|00|6|00|2|00|2|00|4|00|9|00|-|00|F|00|2|00|C|00|5|00|-|00|4|00|8|00|5|00|1|00|-|00|8|00|A|00|D|00|C|00|-|00|F|00|C|00|5|00|8|00|C|00|B|00|4|00|2|00|4|00|2|00|4|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q13>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x00A\x001\x006\x002\x002\x004\x009\x00-\x00F\x002\x00C\x005\x00-\x004\x008\x005\x001\x00-\x008\x00A\x00D\x00C\x00-\x00F\x00C\x005\x008\x00C\x00B\x004\x002\x004\x002\x004\x003\x00(}\x00)?(?P=q13)(?=\s\x00|>\x00)/si"; metadata:service http; classtype:attempted-user; 13439 WEB-ACTIVEX Aurigma Image Uploader 5 Vulnerable Methods ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 27577 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Aurigma.ImageUploader"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Aurigma\.ImageUploader\x22|\x27Aurigma\.ImageUploader\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(GotoFolder|CanGotoFolder)\s*|.*(?P=v)\s*\.\s*(GotoFolder|CanGotoFolder)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Aurigma\.ImageUploader\x22|\x27Aurigma\.ImageUploader\x27)\s*\)(\s*\.\s*(GotoFolder|CanGotoFolder)\s*|.*(?P=n)\s*\.\s*(GotoFolder|CanGotoFolder)\s*)\s*\(/smi"; metadata:service http; classtype:attempted-user; 13440 WEB-ACTIVEX Aurigma Image Uploader 5 Vulnerable Methods ActiveX function call access www.microsoft.com/technet/security/advisory/953839.mspx 27577 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|u|00|r|00|i|00|g|00|m|00|a|00|.|00|I|00|m|00|a|00|g|00|e|00|U|00|p|00|l|00|o|00|a|00|d|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q14>\x22|\x27|)A\x00u\x00r\x00i\x00g\x00m\x00a\x00.\x00I\x00m\x00a\x00g\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00(?P=q14)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q15>\x22|\x27|)A\x00u\x00r\x00i\x00g\x00m\x00a\x00.\x00I\x00m\x00a\x00g\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00(?P=q15)(\s|>)(\s\x00)*\)\x00/smi"; metadata:service http; classtype:attempted-user; 13441 WEB-ACTIVEX Aurigma Image Uploader 5 Vulnerable Methods ActiveX function call unicode access www.microsoft.com/technet/security/advisory/953839.mspx 27577 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BA162249-F2C5-4851-8ADC-FC58CB424243"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q16>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BA162249-F2C5-4851-8ADC-FC58CB424243\s*}?\s*(?P=q16)(\s|>).*(?P=id1)\s*\.\s*(ExtractIptc|ExtractExif)|<object\s*[^>]*\s*classid\s*=\s*(?P<q17>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*BA162249-F2C5-4851-8ADC-FC58CB424243\s*}?\s*(?P=q17)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\s*\.\s*(ExtractIptc|ExtractExif))\s*=/si"; metadata:service http; classtype:attempted-user; 13442 WEB-ACTIVEX Aurigma Image Uploader 5 Property Overflows ActiveX clsid access www.microsoft.com/technet/security/advisory/953839.mspx 27577 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|A|00|1|00|6|00|2|00|2|00|4|00|9|00|-|00|F|00|2|00|C|00|5|00|-|00|4|00|8|00|5|00|1|00|-|00|8|00|A|00|D|00|C|00|-|00|F|00|C|00|5|00|8|00|C|00|B|00|4|00|2|00|4|00|2|00|4|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q18>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*B\x00A\x001\x006\x002\x002\x004\x009\x00-\x00F\x002\x00C\x005\x00-\x004\x008\x005\x001\x00-\x008\x00A\x00D\x00C\x00-\x00F\x00C\x005\x008\x00C\x00B\x004\x002\x004\x002\x004\x003\x00(}\x00)?(?P=q18)(?=\s\x00|>\x00)/si"; metadata:service http; classtype:attempted-user; 13443 WEB-ACTIVEX Aurigma Image Uploader 5 Property Overflows ActiveX clsid unicode access www.microsoft.com/technet/security/advisory/953839.mspx 27577 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Aurigma.ImageUploader"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Aurigma\.ImageUploader\x22|\x27Aurigma\.ImageUploader\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(ExtractIptc|ExtractExif)\s*|.*(?P=v)\s*\.\s*(ExtractIptc|ExtractExif)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Aurigma\.ImageUploader\x22|\x27Aurigma\.ImageUploader\x27)\s*\)(\s*\.\s*(ExtractIptc|ExtractExif)\s*|.*(?P=n)\s*\.\s*(ExtractIptc|ExtractExif))\s*=/smi"; metadata:service http; classtype:attempted-user; 13444 WEB-ACTIVEX Aurigma Image Uploader 5 Property Overflows ActiveX function call access www.microsoft.com/technet/security/advisory/953839.mspx 27577 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|u|00|r|00|i|00|g|00|m|00|a|00|.|00|I|00|m|00|a|00|g|00|e|00|U|00|p|00|l|00|o|00|a|00|d|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q19>\x22|\x27|)A\x00u\x00r\x00i\x00g\x00m\x00a\x00.\x00I\x00m\x00a\x00g\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00(?P=q19)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q20>\x22|\x27|)A\x00u\x00r\x00i\x00g\x00m\x00a\x00.\x00I\x00m\x00a\x00g\x00e\x00U\x00p\x00l\x00o\x00a\x00d\x00e\x00r\x00(?P=q20)(\s|>)(\s\x00)*\)\x00/smi"; metadata:service http; classtype:attempted-user; 13445 WEB-ACTIVEX Aurigma Image Uploader 5 Property Overflows ActiveX function call unicode access www.microsoft.com/technet/security/advisory/953839.mspx 25977 attempted-user 2007-5322 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13451; 13451 WEB-ACTIVEX Microsoft Visual FoxPro foxtlib ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms08-010.mspx 25977 attempted-user 2007-5322 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13452; 13452 WEB-ACTIVEX Microsoft Visual FoxPro foxtlib ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms08-010.mspx attempted-user 2008-0078 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13454; 13454 WEB-CLIENT Microsoft DXLUTBuilder ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS08-010.mspx attempted-user 2008-0078 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13456; 13456 WEB-CLIENT Microsoft DXLUTBuilder ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/MS08-010.mspx attempted-user 2007-0065 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13458; 13458 WEB-ACTIVEX Microsoft Forms 2.0 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS08-008.mspx attempted-user 2007-0065 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13460; 13460 WEB-ACTIVEX Microsoft Forms 2.0 ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/MS08-008.mspx attempted-user 2008-0108 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CHNKWKS"; content:"|18 00|TEXT"; distance:0; isdataat:4,relative; content:!"|01 00|"; within:2; distance:2; classtype:attempted-user; 13472 EXPLOIT Microsoft Works invalid chunk size www.microsoft.com/technet/security/bulletin/MS08-011.mspx attempted-dos 2008-0088 tcp $EXTERNAL_NET any -> $HOME_NET 389 gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|13475; 13475 DOS Microsoft Active Directory LDAP denial of service attempt www.microsoft.com/technet/security/bulletin/ms08-003.mspx 21401 protocol-command-decode 2006-6296 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|1A 00|"; within:2; distance:19; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,little,multiplier 2,relative,align; byte_test:4,>,65536,0,little,relative; content:"b|00|l|00|a|00|h|00|_|00|b|00|l|00|a|00|h|00|"; metadata:service netbios-ssn; classtype:protocol-command-decode; 13594 SPECIFIC-THREATS Microsoft Windows print spooler little endian DoS attempt attempted-user 2008-1086 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13669; 13669 WEB-ACTIVEX Microsoft Help 2.0 Contents Control ActiveX clsid unicode access www.microsoft.com/technet/security/Bulletin/MS08-023.mspx attempted-user 2008-1086 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13671; 13671 WEB-ACTIVEX Microsoft Help 2.0 Contents Control ActiveX function call unicode access www.microsoft.com/technet/security/Bulletin/MS08-023.mspx attempted-user 2008-1086 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13673; 13673 WEB-ACTIVEX Microsoft Help 2.0 Contents Control 2 ActiveX clsid unicode access www.microsoft.com/technet/security/Bulletin/MS08-023.mspx attempted-user 2008-1086 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13675; 13675 WEB-ACTIVEX Microsoft Help 2.0 Contents Control 2 ActiveX function call unicode access www.microsoft.com/technet/security/Bulletin/MS08-023.mspx attempted-user 2007-0675 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13828, service http; 13828 WEB-ACTIVEX sapi.dll ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS08-032.mspx attempted-user 2007-0675 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13829; 13829 WEB-ACTIVEX sapi.dll ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS08-032.mspx attempted-user 2007-0675 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13830, service http; 13830 WEB-ACTIVEX sapi.dll alternate killbit ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS08-032.mspx attempted-user 2007-0675 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13831; 13831 WEB-ACTIVEX sapi.dll alternate killbit ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS08-032.mspx attempted-user 2007-0675 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13832, service http; 13832 WEB-ACTIVEX backweb ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS08-032.mspx attempted-user 2007-0675 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13833; 13833 WEB-ACTIVEX backweb ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS08-032.mspx attempted-dos 2008-1445 tcp $EXTERNAL_NET any -> $HOME_NET 389 gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|13835; 13835 DOS Microsoft Active Directory LDAP cookie denial of service attempt www.microsoft.com/technet/security/bulletin/MS08-035.mspx attempted-user 2008-0082 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13966; 13966 WEB-ACTIVEX Microsoft Message System ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS08-050.mspx attempted-user 2008-0082 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13968; 13968 WEB-ACTIVEX Microsoft Message System ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/MS08-050.mspx attempted-user 2008-1457 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13976; 13976 WEB-CLIENT Microsoft Windows Event System ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS08-049.mspx attempted-user 2008-1457 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13978; 13978 WEB-CLIENT Microsoft Windows Event System ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/MS08-049.mspx attempted-user 2008-1602 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3F1D494B-0CEF-4468-96C9-386E2E4DEC90"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3F1D494B-0CEF-4468-96C9-386E2E4DEC90\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Download)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3F1D494B-0CEF-4468-96C9-386E2E4DEC90\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Download))\s*\(/si"; metadata:service http; classtype:attempted-user; 14033 WEB-ACTIVEX Orbit Downloader ActiveX clsid access attempted-user 2008-1602 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|F|00|1|00|D|00|4|00|9|00|4|00|B|00|-|00|0|00|C|00|E|00|F|00|-|00|4|00|4|00|6|00|8|00|-|00|9|00|6|00|C|00|9|00|-|00|3|00|8|00|6|00|E|00|2|00|E|00|4|00|D|00|E|00|C|00|9|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x00F\x001\x00D\x004\x009\x004\x00B\x00-\x000\x00C\x00E\x00F\x00-\x004\x004\x006\x008\x00-\x009\x006\x00C\x009\x00-\x003\x008\x006\x00E\x002\x00E\x004\x00D\x00E\x00C\x009\x000\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:service http; classtype:attempted-user; 14034 WEB-ACTIVEX Orbit Downloader ActiveX clsid unicode access attempted-user 2008-1602 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Orbitmxt.Orbit"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Orbitmxt\.Orbit\x22|\x27Orbitmxt\.Orbit\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Download\s*|.*(?P=v)\s*\.\s*Download\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Orbitmxt\.Orbit\x22|\x27Orbitmxt\.Orbit\x27)\s*\)(\s*\.\s*Download\s*|.*(?P=n)\s*\.\s*Download\s*)\s*\(/smi"; metadata:service http; classtype:attempted-user; 14035 WEB-ACTIVEX Orbit Downloader ActiveX function call access attempted-user 2008-1602 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"O|00|r|00|b|00|i|00|t|00|m|00|x|00|t|00|.|00|O|00|r|00|b|00|i|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)O\x00r\x00b\x00i\x00t\x00m\x00x\x00t\x00.\x00O\x00r\x00b\x00i\x00t\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)O\x00r\x00b\x00i\x00t\x00m\x00x\x00t\x00.\x00O\x00r\x00b\x00i\x00t\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:service http; classtype:attempted-user; 14036 WEB-ACTIVEX Orbit Downloader ActiveX function call unicode access 29736 attempted-user 2008-2908 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"36723f97-7aa0-11d4-8919-ff2d71d0d32c"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*36723f97-7aa0-11d4-8919-ff2d71d0d32c\s*}?\s*(?P=q1)[^>]*>.*<param\s*[^>]*\s*name\s*=\s*target-frame[^>]*\s*value\s*=\s*(\x22[^>\s\x22]{128}|\x27[^>\s\x27]{128}|[^>\s]{128})/Osmi"; metadata:service http; classtype:attempted-user; 14038 WEB-ACTIVEX Novell iPrint ActiveX target-frame parameter overflow attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"WinSecureDisc"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*WinSecureDisc/smiH"; classtype:misc-activity; 14066 SPYWARE-PUT Adware winsecuredisc runtime detection www.spywareremove.com/removeWinSecureDisc.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/mxlivemedia/multi/73.exe"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Installer"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Installer/smiH"; classtype:misc-activity; 14078 SPYWARE-PUT Adware winspywareprotect runtime detection - download malicous code www.symantec.com/security_response/writeup.jsp?docid=2008-042206-4253-99&tabid=1 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/bc/123kah.php"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"a1.mxlivemedia.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*a1\x2Emxlivemedia\x2Ecom/smiH"; classtype:misc-activity; 14079 SPYWARE-PUT Adware winspywareprotect runtime detection - connection to malicious sites www.symantec.com/security_response/writeup.jsp?docid=2008-042206-4253-99&tabid=1 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/confuci.php?"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"xiphoman.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*xiphoman\x2Ecom/smiH"; classtype:misc-activity; 14080 SPYWARE-PUT Adware winspywareprotect runtime detection - connection to malicious server www.symantec.com/security_response/writeup.jsp?docid=2008-042206-4253-99&tabid=1 30826 attempted-user 2007-1682 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|7|00|B|00|6|00|2|00|F|00|4|00|E|00|-|00|8|00|2|00|F|00|4|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|D|00|4|00|1|00|-|00|0|00|0|00|1|00|0|00|5|00|A|00|0|00|A|00|7|00|E|00|8|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x007\x00B\x006\x002\x00F\x004\x00E\x00-\x008\x002\x00F\x004\x00-\x001\x001\x00D\x002\x00-\x00B\x00D\x004\x001\x00-\x000\x000\x001\x000\x005\x00A\x000\x00A\x007\x00E\x008\x009\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:service http; classtype:attempted-user; 14232 WEB-ACTIVEX SoftArtisans XFile FileManager ActiveX clsid unicode access support.softartisans.com/Support-114.aspx 3099 protocol-command-decode 2001-0540 tcp $EXTERNAL_NET any -> $HOME_NET 3389 flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|"; depth:11; classtype:protocol-command-decode; 1447 MISC MS Terminal server request RDP 10940 www.microsoft.com/technet/security/bulletin/MS01-040.mspx attempted-user 2008-4255 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15085; 15085 WEB-ACTIVEX Microsoft Common Controls Animation Object ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4255 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15087; 15087 WEB-ACTIVEX Microsoft Common Controls Animation Object ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4258 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15109, service http; 15109 WEB-ACTIVEX Shell.Explorer 1 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS08-073.mspx attempted-user 2008-4258 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15110; 15110 WEB-ACTIVEX Shell.Explorer 1 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS08-073.mspx 11466 attempted-user 2008-4258 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15111; 15111 WEB-ACTIVEX Shell.Explorer 2 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS08-073.mspx 11466 attempted-user 2008-4258 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15112, service http; 15112 WEB-ACTIVEX Shell.Explorer 2 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS08-073.mspx 11466 attempted-user 2008-4258 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15113; 15113 WEB-ACTIVEX Shell.Explorer 2 ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/MS08-073.mspx 11466 attempted-user 2008-4258 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15122, service http; 15122 WEB-ACTIVEX Shell.Explorer 2 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS08-073.mspx protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:15; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align,dce; content:"|00 00 00 00|"; within:4; distance:8; content:"|04 00|"; metadata:service netbios-dgm; classtype:protocol-command-decode; 15448 NETBIOS DCERPC NCADG-IP-UDP srvsvc NetrShareEnum null policy handle attempt 24196 protocol-command-decode 2007-2446 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:12345778-1234-abcd-ef00-0123456789ab; dce_opnum:15; dce_stub_data; byte_test:4,>,255,36,relative,dce; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:protocol-command-decode; 15507 SPECIFIC-THREATS DCERPC NCACN-IP-TCP lsarpc LsarLookupSids translated_names overflow attempt 24196 protocol-command-decode 2007-2446 udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] dce_iface:12345778-1234-abcd-ef00-0123456789ab; dce_opnum:15; dce_stub_data; byte_test:4,>,255,36,relative,dce; content:"|04 00|"; metadata:service netbios-dgm; classtype:protocol-command-decode; 15508 SPECIFIC-THREATS DCERPC NCADG-IP-UDP lsarpc LsarLookupSids translated_names overflow attempt attempted-user 2009-1929 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15862; 15862 WEB-ACTIVEX Microsoft Remote Desktop Client ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS09-044.mspx attempted-user 2009-1929 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15864; 15864 WEB-ACTIVEX Microsoft Remote Desktop Client ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/MS09-044.mspx protocol-command-decode 2008-0639 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:0; dce_stub_data; byte_test:4,>,283,16,relative,dce; content:"N|00|e|00|t|00|W|00|a|00|r|00|e|00| |00|R|00|e|00|m|00|o|00|t|00|e|00| |00|P|00|r|00|i|00|n|00|t|00|e|00|r|00|s|00|"; within:46; distance:20; metadata:service netbios-ssn; classtype:protocol-command-decode; 15881 NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters Name Field attempt protocol-command-decode 2007-2446 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:65; dce_stub_data; pcre:"/^.{32}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,26,48,relative,dce; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:protocol-command-decode; 15911 NETBIOS DCERPC NCACN-IP-TCP spoolss RouteRefreshPrinterChangeNotification attempt 22564 attempted-user 2006-6490 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"S|00|P|00|R|00|T|00|.|00|S|00|m|00|a|00|r|00|t|00|I|00|s|00|s|00|u|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)S\x00P\x00R\x00T\x00.\x00S\x00m\x00a\x00r\x00t\x00I\x00s\x00s\x00u\x00e\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)S\x00P\x00R\x00T\x00.\x00S\x00m\x00a\x00r\x00t\x00I\x00s\x00s\x00u\x00e\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:service http; classtype:attempted-user; 16012 WEB-ACTIVEX Symantec SupportSoft SmartIssue ActiveX function call unicode access securityresponse.symantec.com/avcenter/security/Content/2007.02.22.html attempted-admin 2006-4688 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:e67ab081-9844-3521-9d32-834f038001c0; dce_opnum:9; dce_stub_data; content:"|5C 00 5C 00|"; pcre:"/^(B\x00B\x00B\x00|\x41\x41\x41\x41)/R"; metadata:service netbios-ssn; classtype:attempted-admin; 16016 SPECIFIC-THREATS Microsoft client for netware overflow attempt www.microsoft.com/technet/security/bulletin/MS06-066.mspx attempted-user 2007-2446 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:to_server,established; content:"SMB"; nocase; content:"|9C E0 0A 00 09 00 00 00 0A 00 0B 00 0D 00 03 00 14 00 15 00 10 00 17 00 16 00 00 00|P|00 00 00|"; distance:0; metadata:policy balanced-ips drop, policy connectivity-ips drop; classtype:attempted-user; 16034 SPECIFIC-THREATS Samba spools RPC smb_io_notify_option_type_data request handling buffer overflow attempt 26455 attempted-user 2007-5398 udp $EXTERNAL_NET any -> $HOME_NET 137 flow:to_server,established; content:" FGFEFEFGENCNFHEJEODCELFDFCFGCABM|00 00| |00 01|"; metadata:service netbios-ns; classtype:attempted-user; 16058 SPECIFIC-THREATS Samba WINS Server Name Registration handling stack buffer overflow attempt attempted-dos 2006-3942 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:to_server,established; content:"|11 00 5C|MAILSLOT|5C|LANMANA"; classtype:attempted-dos; 16066 EXPLOIT Microsoft Windows Server driver crafted SMB data denial of service www.microsoft.com/technet/security/Bulletin/MS06-063.mspx 29283 rpc-portmap-decode 2008-2242 tcp $EXTERNAL_NET any -> $HOME_NET any flow:established,to_server; content:"|00 06 09 82|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"SString"; byte_test:4,>,4096,1,relative; metadata:service sunrpc; classtype:rpc-portmap-decode; 16081 RPC portmap 395650 tcp XDR SString buffer overflow attempt support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798 29283 rpc-portmap-decode 2008-2242 udp $EXTERNAL_NET any -> $HOME_NET any content:"|00 06 09 82|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"SString"; byte_test:4,>,4096,1,relative; metadata:service sunrpc; classtype:rpc-portmap-decode; 16082 RPC portmap 395650 udp XDR SString buffer overflow attempt support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798 rpc-portmap-decode 2008-2242 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 06 09 82|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 16083 RPC portmap 395650 tcp request support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798 rpc-portmap-decode 2008-2242 udp $EXTERNAL_NET any -> $HOME_NET 111 content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 06 09 82|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 16084 RPC portmap 395650 udp request support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798 rpc-portmap-decode 2008-2242 tcp $EXTERNAL_NET any -> $HOME_NET any flow:established,to_server; content:"|00 06 09 82|"; depth:4; offset:16; content:"|00 00 00|y"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,28,relative,align; byte_jump:4,32,relative,align; byte_test:4,>,1988,240,relative; metadata:service sunrpc; classtype:rpc-portmap-decode; 16085 RPC portmap 395650 tcp xml buffer overflow attempt support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798 rpc-portmap-decode 2008-2242 udp $EXTERNAL_NET any -> $HOME_NET any content:"|00 06 09 82|"; depth:4; offset:12; content:"|00 00 00|y"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,28,relative,align; byte_jump:4,32,relative,align; byte_test:4,>,1988,240,relative; metadata:service sunrpc; classtype:rpc-portmap-decode; 16086 RPC portmap 395650 udp xml buffer overflow attempt support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798 34414 attempted-dos 2009-0077 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|16221, service http; 16221 EXPLOIT Microsoft ISA and Forefront Threat Management Web Proxy TCP Listener denial of service attempt www.microsoft.com/technet/security/Bulletin/MS09-016.mspx 31545 attempted-dos 2008-4609 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|16294, service http; 16294 EXPLOIT Microsoft Windows TCP stack zero window size exploit attempt www.microsoft.com/technet/security/Bulletin/MS09-048.mspx attempted-user 2009-2987 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16386, service http; 16386 WEB-ACTIVEX AcroPDF.PDF ActiveX clsid access attempted-user 2009-2987 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16387; 16387 WEB-ACTIVEX AcroPDF.PDF ActiveX clsid unicode access attempted-user 2009-2987 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16388; 16388 WEB-ACTIVEX AcroPDF.PDF ActiveX function call access attempted-user 2009-2987 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16389; 16389 WEB-ACTIVEX AcroPDF.PDF ActiveX function call unicode access protocol-command-decode 2010-0022 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|16397, service netbios-ssn; 16397 NETBIOS SMB andx invalid server name share access www.microsoft.com/technet/security/bulletin/MS10-012.mspx protocol-command-decode 2010-0022 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|16398, service netbios-ssn; 16398 NETBIOS SMB invalid server name share access www.microsoft.com/technet/security/bulletin/MS10-012.mspx protocol-command-decode 2010-0022 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|16399, service netbios-ssn; 16399 NETBIOS SMB unicode andx invalid server name share access www.microsoft.com/technet/security/bulletin/MS10-012.mspx protocol-command-decode 2010-0022 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|16400, service netbios-ssn; 16400 NETBIOS SMB unicode invalid server name share access www.microsoft.com/technet/security/bulletin/MS10-012.mspx protocol-command-decode 2010-0022 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|16401, service netbios-dgm; 16401 NETBIOS-DG SMB andx invalid server name share access www.microsoft.com/technet/security/bulletin/MS10-012.mspx protocol-command-decode 2010-0022 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|16402, service netbios-dgm; 16402 NETBIOS-DG SMB invalid server name share access www.microsoft.com/technet/security/bulletin/MS10-012.mspx protocol-command-decode 2010-0022 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|16403, service netbios-dgm; 16403 NETBIOS-DG SMB unicode andx invalid server name share access www.microsoft.com/technet/security/bulletin/MS10-012.mspx protocol-command-decode 2010-0022 udp $EXTERNAL_NET any -> $HOME_NET 138 gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|16404, service netbios-dgm; 16404 NETBIOS-DG SMB unicode invalid server name share access www.microsoft.com/technet/security/bulletin/MS10-012.mspx attempted-user 2010-0034 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.ppt; metadata: engine shared, soid 3|16413; 16413 WEB-CLIENT Microsoft PowerPoint invalid TextCharsAtom remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-004.mspx attempted-user 2010-0252 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16420; 16420 WEB-ACTIVEX Microsoft Data Analyzer 3.5 ActiveX clsid unicode access www.microsoft.com/technet/security/Bulletin/MS10-008.mspx 31751 rpc-portmap-decode 2008-4556 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 16446 RPC portmap Solaris sadmin tcp request 31751 rpc-portmap-decode 2008-4556 udp $EXTERNAL_NET any -> $HOME_NET 111 content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 16447 RPC portmap Solaris sadmin udp request 31751 rpc-portmap-decode 2008-4556 tcp $EXTERNAL_NET any -> $HOME_NET any flow:established,to_server; content:"|00 01 87 88|"; depth:4; offset:16; byte_jump:4,8,relative,align; byte_jump:4,4,relative,align; content:"ADM_METHOD"; content:"|00 00 00 09|"; within:8; byte_test:4,>,999,0,relative; metadata:service sunrpc; classtype:rpc-portmap-decode; 16448 RPC portmap Solaris sadmin tcp adm_build_path overflow attempt 31751 rpc-portmap-decode 2008-4556 udp $EXTERNAL_NET any -> $HOME_NET any content:"|00 01 87 88|"; depth:4; offset:12; byte_jump:4,8,relative,align; byte_jump:4,4,relative,align; content:"ADM_METHOD"; content:"|00 00 00 09|"; within:8; byte_test:4,>,999,0,relative; metadata:service sunrpc; classtype:rpc-portmap-decode; 16449 RPC portmap Solaris sadmin udp adm_build_path overflow attempt misc-attack 2010-0812 ip $EXTERNAL_NET any -> $HOME_NET any gid:3; classtype:misc-attack; metadata: engine shared, soid 3|16533; 16533 BAD-TRAFFIC Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt www.microsoft.com/technet/security/bulletin/MS10-029.mspx attempted-admin 2010-0477 tcp $EXTERNAL_NET 445 -> $HOME_NET any gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|16540, service netbios-ssn; 16540 NETBIOS SMB2 client NetBufferList NULL entry remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-020.mspx 36550 attempted-user 2009-3693 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E87F6C8E-16C0-11D3-BEF7-009027438003"; fast_pattern:only; nocase; pcre:"/|2E|(AddFolder|AddFile|MakeHttpRequest)/i"; metadata:service http; classtype:attempted-user; 16581 SPECIFIC-THREATS Persits Software XUpload ActiveX clsid unsafe function access attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"strMode=setup&strID=pcvaccine&strPC="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16926 BLACKLIST URI request for known malicious URI - strMode=setup&strID=pcvaccine&strPC= labs.snort.org/docs/16926.html 35558 attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"String.fromCharCode|28|parseInt"; content:"String.fromCharCode|28|"; distance:0; content:".charCodeAt|28|"; distance:0; content:".replace"; distance:0; content:"|3C 2F|script|3E 20 0A 3C 2F|body|3E 20 0A 3C 2F|html|3E|"; distance:0; classtype:attempted-user; 17111 SPECIFIC-THREATS Microsoft Video ActiveX Control stack buffer overflow attempt 8205 attempted-user 2003-0715 udp $EXTERNAL_NET any -> $HOME_NET 135 content:"|5C 00 43 00 24 00 5C 00 31 00 32 00 33 00 34 00|"; metadata:service netbios-ssn; classtype:attempted-user; 17112 SPECIFIC-THREATS DCERPC rpcss2 _RemoteGetClassObject attempt www.microsoft.com/technet/security/bulletin/MS03-039.mspx attempted-dos 2010-2561 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|17133; 17133 WEB-CLIENT MSXML2 ActiveX malformed HTTP response www.microsoft.com/technet/security/bulletin/ms10-051.mspx 38472 attempted-admin 2009-2754 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 01|"; within:4; distance:7; byte_test:1,&,0x80,8,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:attempted-admin; 17205 RPC Multiple vendors librpc.dll stack buffer overflow attempt - udp 38472 attempted-admin 2009-2754 tcp $EXTERNAL_NET any -> $HOME_NET [111,36890] flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 01|"; within:4; distance:7; byte_test:1,&,0x80,8,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:attempted-admin; 17206 RPC Multiple vendors librpc.dll stack buffer overflow attempt - tcp attempted-user 2007-2217 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.tiff; content:"|02 01 03 00|"; byte_test:4,>,6,0,relative,little; metadata:service http; classtype:attempted-user; 17231 WEB-CLIENT Microsoft Kodak Imaging small offset malformed tiff - little-endian www.microsoft.com/technet/security/Bulletin/MS07-055.mspx attempted-user 2007-2217 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.tiff; content:"|01 02 00 03|"; byte_test:4,>,6,0,relative,big; metadata:service http; classtype:attempted-user; 17232 WEB-CLIENT Microsoft Kodak Imaging large offset malformed tiff - big-endian www.microsoft.com/technet/security/Bulletin/MS07-055.mspx attempted-user 2010-2729 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17252; 17252 NETBIOS Microsoft Windows Print Spooler arbitrary file write attempt www.microsoft.com/technet/security/bulletin/MS10-061.mspx attempted-user 2010-2729 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17253; 17253 NETBIOS Microsoft Windows Print Spooler arbitrary file write attempt www.microsoft.com/technet/security/bulletin/MS10-061.mspx 205 rpc-portmap-decode 1999-0181 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 1732 RPC portmap rwalld request UDP 205 rpc-portmap-decode 1999-0181 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1733 RPC portmap rwalld request TCP 15065 protocol-command-decode 2005-2120 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:10; dce_stub_data; content:"|5C 00 5C 00|"; distance:16; metadata:service netbios-ssn; classtype:protocol-command-decode; 17435 NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceList attempt www.microsoft.com/technet/security/bulletin/ms05-047.mspx 15065 protocol-command-decode 2005-2120 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:10; dce_stub_data; content:"|5C 5C|"; distance:16; metadata:service netbios-ssn; classtype:protocol-command-decode; 17437 NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceList attempt www.microsoft.com/technet/security/bulletin/ms05-047.mspx 15058 attempted-dos 2005-1979 tcp $EXTERNAL_NET any -> $HOME_NET 3372 flow:to_server,established; content:"PUSH|20|test|0A|"; depth:10; classtype:attempted-dos; 17439 EXPLOIT Microsoft Distributed Transaction Controller TIP DoS attempt 4674 rpc-portmap-decode 2002-0084 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 1746 RPC portmap cachefsd request UDP 10951 4674 rpc-portmap-decode 2002-0084 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1747 RPC portmap cachefsd request TCP 10951 attempted-admin 2008-4398 tcp $EXTERNAL_NET any -> $HOME_NET 6502 flow:established,to_server; dce_iface:62b93df0-8b02-11ce-876c-00805f842837; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,64,12,little,relative; metadata:service netbios-ssn; classtype:attempted-admin; 17634 NETBIOS DCERPC NCACN-IP-TCPbrightstor-arc function 0 little endian object call overflow attempt support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=188143 attempted-admin 2008-4398 tcp $EXTERNAL_NET any -> $HOME_NET 6502 flow:established,to_server; dce_iface:62b93df0-8b02-11ce-876c-00805f842837; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,64,12,little,relative; metadata:service netbios-ssn; classtype:attempted-admin; 17635 NETBIOS DCERPC NCACN-IP-TCPbrightstor-arc function 0 little endian overflow attempt support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=188143 attempted-admin 2008-4398 tcp $EXTERNAL_NET any -> $HOME_NET 6502 flow:established,to_server; dce_iface:62b93df0-8b02-11ce-876c-00805f842837; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,64,12,relative; metadata:service netbios-ssn; classtype:attempted-admin; 17636 NETBIOS DCERPC NCACN-IP-TCPbrightstor-arc function 0 object call overflow attempt support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=188143 attempted-admin 2008-4398 tcp $EXTERNAL_NET any -> $HOME_NET 6502 flow:to_server; dce_iface:62b93df0-8b02-11ce-876c-00805f842837; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,64,12,relative; metadata:service netbios-ssn; classtype:attempted-admin; 17637 NETBIOS DCERPC NCACN-IP-TCPbrightstor-arc function 0 overflow attempt support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=188143 22005 attempted-admin 2007-0169 tcp $EXTERNAL_NET any -> $HOME_NET 6503 flow:established,to_server; dce_iface:DC246BF0-7A7A-11CE-9F88-00805FE43838; dce_opnum:43; dce_stub_data; byte_test:4,>,624,0,relative,dce; content:"|05 00 00|"; metadata:service dcerpc; classtype:attempted-admin; 17640 NETBIOS DCERPC NCACN-IP-TCP brightstor opnum 43 overflow attempt www.kb.cert.org/vuls/id/180336 22639 protocol-command-decode 2007-1070 tcp $EXTERNAL_NET any -> $HOME_NET 5168 flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|47 00 03 00|"; within:4; byte_test:4,>,98,0,little,relative; content:"|05 00 00|"; metadata:service dcerpc; classtype:protocol-command-decode; 17707 NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect trend_req_num buffer overflow attempt esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290 22639 protocol-command-decode 2007-1070 tcp $EXTERNAL_NET any -> $HOME_NET 5168 flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|08 00 0A 00|"; within:4; byte_test:4,>,600,0,little,relative; content:"|05 00 00|"; metadata:service dcerpc; classtype:protocol-command-decode; 17714 NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290 22639 protocol-command-decode 2007-1070 tcp $EXTERNAL_NET any -> $HOME_NET 5168 flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|09 00 0A 00|"; within:4; byte_test:4,>,600,0,little,relative; content:"|05 00 00|"; metadata:service dcerpc; classtype:protocol-command-decode; 17715 NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290 policy-violation 2010-2732 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS gid:3; classtype:policy-violation; metadata: engine shared, soid 3|18072; 18072 WEB-MISC Microsoft Forefront UAG external redirect attempt www.microsoft.com/technet/security/bulletin/MS10-089.mspx 1480 misc-attack 2000-0666 udp $EXTERNAL_NET any -> $HOME_NET 1024: flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:misc-attack; 1890 RPC status GHBN format string attack 10544 1480 misc-attack 2000-0666 tcp $EXTERNAL_NET any -> $HOME_NET 1024: flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:misc-attack; 1891 RPC status GHBN format string attack 10544 614 misc-attack 1999-0704 udp $EXTERNAL_NET any -> $HOME_NET 500: flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:misc-attack; 1905 RPC AMD UDP amqproc_mount plog overflow attempt 614 misc-attack 1999-0704 tcp $EXTERNAL_NET any -> $HOME_NET 500: flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:misc-attack; 1906 RPC AMD TCP amqproc_mount plog overflow attempt 524 attempted-admin 1999-0696 udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:attempted-admin; 1907 RPC CMSD UDP CMSD_CREATE buffer overflow attempt 524 attempted-admin 1999-0696 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:attempted-admin; 1908 RPC CMSD TCP CMSD_CREATE buffer overflow attempt 524 misc-attack 1999-0696 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:misc-attack; 1909 RPC CMSD TCP CMSD_INSERT buffer overflow attempt www.cert.org/advisories/CA-99-08-cmsd.html misc-attack 1999-0696 udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:misc-attack; 1910 RPC CMSD udp CMSD_INSERT buffer overflow attempt www.cert.org/advisories/CA-99-08-cmsd.html 866 attempted-admin 1999-0977 udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:attempted-admin; 1911 RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt 866 attempted-admin 1999-0977 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:attempted-admin; 1912 RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt 1480 attempted-admin 2000-0666 udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:attempted-admin; 1913 RPC STATD UDP stat mon_name format string exploit attempt 10544 1480 attempted-admin 2000-0666 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:attempted-admin; 1914 RPC STATD TCP stat mon_name format string exploit attempt 10544 1480 attempted-admin 2000-0666 udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:attempted-admin; 1915 RPC STATD UDP monitor mon_name format string exploit attempt 10544 1480 attempted-admin 2000-0666 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:attempted-admin; 1916 RPC STATD TCP monitor mon_name format string exploit attempt 10544 rpc-portmap-decode tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1922 RPC portmap proxy attempt TCP rpc-portmap-decode udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 1923 RPC portmap proxy attempt UDP attempted-recon udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:attempted-recon; 1924 RPC mountd UDP export request attempted-recon tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:attempted-recon; 1925 RPC mountd TCP exportall request attempted-recon udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:attempted-recon; 1926 RPC mountd UDP exportall request rpc-portmap-decode tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1949 RPC portmap SET attempt TCP 111 rpc-portmap-decode udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 1950 RPC portmap SET attempt UDP 111 attempted-recon 1999-0210 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:attempted-recon; 1951 RPC mountd TCP mount request attempted-recon udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:attempted-recon; 1952 RPC mountd UDP mount request rpc-portmap-decode tcp $EXTERNAL_NET any -> $HOME_NET 500: flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1953 RPC AMD TCP pid request rpc-portmap-decode udp $EXTERNAL_NET any -> $HOME_NET 500: flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 1954 RPC AMD UDP pid request rpc-portmap-decode tcp $EXTERNAL_NET any -> $HOME_NET 500: flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1955 RPC AMD TCP version request 1554 rpc-portmap-decode 2000-0696 udp $EXTERNAL_NET any -> $HOME_NET 500: flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 1956 RPC AMD UDP version request 866 protocol-command-decode 1999-0977 udp $EXTERNAL_NET any -> $HOME_NET any content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:protocol-command-decode; 1957 RPC sadmind UDP PING 10229 866 protocol-command-decode 1999-0977 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:protocol-command-decode; 1958 RPC sadmind TCP PING 10229 rpc-portmap-decode udp $EXTERNAL_NET any -> $HOME_NET 111 content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 1959 RPC portmap NFS request UDP rpc-portmap-decode tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1960 RPC portmap NFS request TCP rpc-portmap-decode udp $EXTERNAL_NET any -> $HOME_NET 111 content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 1961 RPC portmap RQUOTA request UDP rpc-portmap-decode tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 1962 RPC portmap RQUOTA request TCP 864 misc-attack 1999-0974 udp $EXTERNAL_NET any -> $HOME_NET any content:"|00 01 86 AB|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:misc-attack; 1963 RPC RQUOTA getquota overflow attempt UDP 122 attempted-admin 1999-0003 udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 86 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:attempted-admin; 1964 RPC tooltalk UDP overflow attempt 122 attempted-admin 2001-0717 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 86 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:attempted-admin; 1965 RPC tooltalk TCP overflow attempt 6665 rpc-portmap-decode 2003-0027 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 2006 RPC portmap kcms_server request TCP www.kb.cert.org/vuls/id/850785 1892 rpc-portmap-decode tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 2014 RPC portmap UNSET attempt TCP 111 1892 rpc-portmap-decode udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 2015 RPC portmap UNSET attempt UDP 111 rpc-portmap-decode tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 2016 RPC portmap status request TCP 2714 rpc-portmap-decode 2001-0331 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 2017 RPC portmap espd request UDP attempted-recon tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:attempted-recon; 2018 RPC mountd TCP dump request attempted-recon udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:attempted-recon; 2019 RPC mountd UDP dump request attempted-recon tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:attempted-recon; 2020 RPC mountd TCP unmount request attempted-recon udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:attempted-recon; 2021 RPC mountd UDP unmount request attempted-recon tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:attempted-recon; 2022 RPC mountd TCP unmountall request attempted-recon udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:attempted-recon; 2023 RPC mountd UDP unmountall request 864 misc-attack 1999-0974 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 86 AB|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:misc-attack; 2024 RPC RQUOTA getquota overflow attempt TCP 2763 rpc-portmap-decode 2001-0779 udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 2025 RPC yppasswd username overflow attempt UDP 10684 2763 rpc-portmap-decode 2001-0779 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 2026 RPC yppasswd username overflow attempt TCP 10684 2763 rpc-portmap-decode 2001-0779 udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 2031 RPC yppasswd user update UDP 2763 rpc-portmap-decode 2001-0779 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 2032 RPC yppasswd user update TCP 6016 rpc-portmap-decode 2002-1232 udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 86 A4|"; depth:4; offset:12; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 2033 RPC ypserv maplist request UDP 13976 6016 rpc-portmap-decode 2002-1232 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 86 A4|"; depth:4; offset:16; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 2034 RPC ypserv maplist request TCP rpc-portmap-decode udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 2035 RPC portmap network-status-monitor request UDP rpc-portmap-decode tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 2036 RPC portmap network-status-monitor request TCP rpc-portmap-decode udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 03 0D|p"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 2037 RPC network-status-monitor mon-callback request UDP rpc-portmap-decode tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 03 0D|p"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 2038 RPC network-status-monitor mon-callback request TCP 1372 rpc-portmap-decode 2000-0508 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 2079 RPC portmap nlockmgr request UDP 10220 1372 rpc-portmap-decode 2000-0508 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 2080 RPC portmap nlockmgr request TCP 10220 5075 rpc-portmap-decode 2002-0359 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 2081 RPC portmap rpc.xfsmd request UDP 5075 rpc-portmap-decode 2002-0359 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 2082 RPC portmap rpc.xfsmd request TCP 5075 rpc-portmap-decode 2002-0359 udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 05 F7|h"; depth:4; offset:12; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 2083 RPC rpc.xfsmd xfs_export attempt UDP 5075 rpc-portmap-decode 2002-0359 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 05 F7|h"; depth:4; offset:16; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 2084 RPC rpc.xfsmd xfs_export attempt TCP 28383 misc-attack 1999-0208 udp $EXTERNAL_NET any -> $HOME_NET any content:"|00 01 86 BC|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:misc-attack; 2088 RPC ypupdated arbitrary command attempt UDP 1749 misc-attack 1999-0208 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 86 BC|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:misc-attack; 2089 RPC ypupdated arbitrary command attempt TCP 7123 rpc-portmap-decode 2003-0028 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 2092 RPC portmap proxy integer overflow attempt UDP 11420 7123 rpc-portmap-decode 2003-0028 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 2093 RPC portmap proxy integer overflow attempt TCP 11420 5356 attempted-admin 2002-0391 udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:attempted-admin; 2094 RPC CMSD UDP CMSD_CREATE array buffer overflow attempt 11418 5356 attempted-admin 2002-0391 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:attempted-admin; 2095 RPC CMSD TCP CMSD_CREATE array buffer overflow attempt 11418 5556 protocol-command-decode 2002-0724 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00 00 00|"; within:4; distance:5; classtype:protocol-command-decode; 2101 NETBIOS SMB Trans Max Param/Count DOS attempt 11110 www.microsoft.com/technet/security/bulletin/MS02-045.mspx 5807 attempted-admin 2002-1214 tcp $EXTERNAL_NET any -> $HOME_NET 1723 flow:to_server,established,no_stream; isdataat:156; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; classtype:attempted-admin; 2126 MISC Microsoft PPTP Start Control Request buffer overflow attempt 11178 www.microsoft.com/technet/security/bulletin/MS02-063.mspx attempted-recon tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; metadata:service netbios-ssn; classtype:attempted-recon; 2177 NETBIOS SMB startup folder unicode access 8179 misc-attack 2003-0252 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 86 A5 00|"; depth:5; offset:16; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:misc-attack; 2184 RPC mountd TCP mount path overflow attempt 11800 8179 misc-attack 2003-0252 udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 86 A5 00|"; depth:5; offset:12; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:misc-attack; 2185 RPC mountd UDP mount path overflow attempt 11800 attempted-dos tcp $EXTERNAL_NET any -> $HOME_NET 135 flow:to_server,established; content:"|05|"; depth:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; 2190 NETBIOS DCERPC invalid bind attempt attempted-dos tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; 2191 NETBIOS SMB DCERPC invalid bind attempt 9635 protocol-command-decode 2003-0818 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; classtype:protocol-command-decode; 2382 NETBIOS SMB Session Setup NTMLSSP asn1 overflow attempt 12065 www.microsoft.com/technet/security/bulletin/MS04-007.mspx 9635 protocol-command-decode 2003-0818 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; classtype:protocol-command-decode; 2383 NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt 12065 www.microsoft.com/technet/security/bulletin/MS04-007.mspx 9752 protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; classtype:protocol-command-decode; 2402 NETBIOS SMB-DS Session Setup andx username overflow attempt www.eeye.com/html/Research/Advisories/AD20040226.html 9752 protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; classtype:protocol-command-decode; 2404 NETBIOS SMB-DS Session Setup unicode andx username overflow attempt www.eeye.com/html/Research/Advisories/AD20040226.html protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; 2467 NETBIOS SMB D$ unicode share access protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; 2468 NETBIOS SMB-DS D$ share access protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; 2470 NETBIOS SMB C$ unicode share access protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; 2471 NETBIOS SMB-DS C$ share access protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; 2473 NETBIOS SMB ADMIN$ unicode share access protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; 2474 NETBIOS SMB-DS ADMIN$ share access protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; 2475 NETBIOS SMB-DS ADMIN$ unicode share access 10333 attempted-admin 2004-0444 udp $EXTERNAL_NET 137 -> $HOME_NET 137 byte_test:1,&,0x80,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; classtype:attempted-admin; 2563 NETBIOS NS lookup response name overflow attempt www.eeye.com/html/Research/Advisories/AD20040512A.html 10335 attempted-admin 2004-0444 udp $EXTERNAL_NET 137 -> $HOME_NET 137 dsize:<56; byte_test:1,&,0x80,2; content:"|00 01|"; depth:2; offset:6; classtype:attempted-admin; 2564 NETBIOS NS lookup short response attempt www.eeye.com/html/Research/Advisories/AD20040512C.html 11372 attempted-admin 2004-0206 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:2f5f3220-c126-1076-b549-074d078619da; dce_opnum:12; dce_stub_data; isdataat:256,relative; content:!"|00|"; within:256; distance:12; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:attempted-admin; 2936 NETBIOS DCERPC NCACN-IP-TCP nddeapi NDdeSetTrustedShareW overflow attempt www.microsoft.com/technet/security/bulletin/ms04-031.asp protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; 2973 NETBIOS SMB D$ unicode andx share access protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; 2974 NETBIOS SMB-DS D$ andx share access protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; 2975 NETBIOS SMB-DS D$ unicode andx share access protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; 2976 NETBIOS SMB C$ andx share access protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; 2977 NETBIOS SMB C$ unicode andx share access protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; 2978 NETBIOS SMB-DS C$ andx share access protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; 2979 NETBIOS SMB-DS C$ unicode andx share access protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; 2980 NETBIOS SMB ADMIN$ andx share access protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; 2981 NETBIOS SMB ADMIN$ unicode andx share access protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; 2982 NETBIOS SMB-DS ADMIN$ andx share access protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; 2983 NETBIOS SMB-DS ADMIN$ unicode andx share access 9635 protocol-command-decode 2003-0818 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; classtype:protocol-command-decode; 3001 NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt 12065 www.microsoft.com/technet/security/bulletin/MS04-007.mspx 9635 protocol-command-decode 2003-0818 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; classtype:protocol-command-decode; 3002 NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt 12065 www.microsoft.com/technet/security/bulletin/MS04-007.mspx 9635 protocol-command-decode 2003-0818 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; classtype:protocol-command-decode; 3004 NETBIOS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt 12065 www.microsoft.com/technet/security/bulletin/MS04-007.mspx 9635 protocol-command-decode 2003-0818 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; classtype:protocol-command-decode; 3005 NETBIOS SMB-DS Session Setup NTMLSSP unicode andx asn1 overflow attempt 12065 www.microsoft.com/technet/security/bulletin/MS04-007.mspx 11763 misc-attack 2004-1080 tcp $EXTERNAL_NET any -> $HOME_NET 42 flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; classtype:misc-attack; 3017 EXPLOIT WINS overflow attempt www.microsoft.com/technet/security/bulletin/MS04-045.mspx protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 3040 NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 3041 NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; 3042 NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; 3043 NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; 3044 NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; 3045 NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; 3046 NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; 3047 NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; 3048 NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; 3049 NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; 3050 NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; 3051 NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; 3052 NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; 3053 NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; 3054 NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; 3055 NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; 3056 NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; 3057 NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt 12481 attempted-admin 2005-0050 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:342cfd40-3c6c-11ce-a893-08002b2e9c6d; dce_opnum:0; dce_stub_data; byte_test:4,>,52,0,relative,dce; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:attempted-admin; 3114 NETBIOS DCERPC NCACN-IP-TCP llsrpc LlsrConnect overflow attempt www.microsoft.com/technet/security/bulletin/ms05-010.mspx 9624 attempted-admin 2003-0825 tcp $EXTERNAL_NET any -> $HOME_NET 137 flow:to_server,established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; classtype:attempted-admin; 3195 NETBIOS name query overflow attempt TCP 15912 9624 attempted-admin 2003-0825 udp $EXTERNAL_NET any -> $HOME_NET 137 byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; classtype:attempted-admin; 3196 NETBIOS name query overflow attempt UDP 15912 9624 attempted-admin 2003-0825 tcp $EXTERNAL_NET any -> $HOME_NET 42 flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; classtype:attempted-admin; 3199 EXPLOIT WINS name query overflow attempt TCP 15912 www.microsoft.com/technet/security/bulletin/MS04-006.mspx 9624 attempted-admin 2003-0825 udp $EXTERNAL_NET any -> $HOME_NET 42 flow:to_server; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; classtype:attempted-admin; 3200 EXPLOIT WINS name query overflow attempt UDP 15912 www.microsoft.com/technet/security/bulletin/MS04-006.mspx 8826 attempted-admin 2003-0717 udp $EXTERNAL_NET any -> $HOME_NET 135 content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,8,little,relative; classtype:attempted-admin; 3234 NETBIOS Messenger message little endian overflow attempt 8826 attempted-admin 2003-0717 udp $EXTERNAL_NET any -> $HOME_NET 135 content:"|04 00|"; depth:2; byte_test:1,!&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,align,relative; byte_jump:4,8,align,relative; byte_test:4,>,1024,8,relative; classtype:attempted-admin; 3235 NETBIOS Messenger message overflow attempt 6005 attempted-admin 2002-1561 tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] flow:established,to_server; dce_iface:b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:1,2; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,1024,0,relative,dce; content:"|05 00 00|"; metadata:service dcerpc; classtype:attempted-admin; 3238 NETBIOS DCERPC NCACN-IP-TCP irot IrotIsRunning/Revoke overflow attempt www.microsoft.com/technet/security/bulletin/ms03-010.mspx 6005 attempted-admin 2002-1561 udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] dce_iface:b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:1,2; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,1024,0,relative,dce; content:"|04 00|"; metadata:service dcerpc; classtype:attempted-admin; 3239 NETBIOS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt www.microsoft.com/technet/security/bulletin/ms03-010.mspx attempted-admin 2005-0059 tcp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] flow:established,to_server; dce_iface:FDB3A030-065F-11D1-BB9B-00A024EA5525; dce_opnum:9; dce_stub_data; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8; content:"|05 00 00|"; metadata:service dcerpc; classtype:attempted-admin; 3590 NETBIOS DCERPC NCACN-IP-TCP mqqm QMDeleteObject overflow attempt 18027 www.microsoft.com/technet/security/bulletin/MS05-017.mspx attempted-admin 2005-0059 udp $EXTERNAL_NET any -> $HOME_NET [2103,2105,2107] dce_iface:FDB3A030-065F-11D1-BB9B-00A024EA5525; dce_opnum:9; dce_stub_data; content:"|01 00 00 00|"; within:4; distance:4; content:"|03 00 00 00|"; within:4; distance:4; byte_test:4,>,256,8; content:"|04 00|"; metadata:service dcerpc; classtype:attempted-admin; 3591 NETBIOS DCERPC NCADG-IP-UDP mqqm QMDeleteObject overflow attempt 18027 www.microsoft.com/technet/security/bulletin/MS05-017.mspx 13504 protocol-command-decode tcp $EXTERNAL_NET any -> $EXTERNAL_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; classtype:protocol-command-decode; 3639 NETBIOS SMB Trans andx data displacement null pointer DOS attempt www.ethereal.com/news/item_20050504_01.html 13504 protocol-command-decode tcp $EXTERNAL_NET any -> $EXTERNAL_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; classtype:protocol-command-decode; 3640 NETBIOS SMB Trans data displacement null pointer DOS attempt www.ethereal.com/news/item_20050504_01.html 13504 protocol-command-decode tcp $EXTERNAL_NET any -> $EXTERNAL_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; classtype:protocol-command-decode; 3641 NETBIOS SMB Trans unicode data displacement null pointer DOS attempt www.ethereal.com/news/item_20050504_01.html 13504 protocol-command-decode tcp $EXTERNAL_NET any -> $EXTERNAL_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; classtype:protocol-command-decode; 3642 NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt www.ethereal.com/news/item_20050504_01.html 13504 protocol-command-decode tcp $EXTERNAL_NET any -> $EXTERNAL_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; classtype:protocol-command-decode; 3643 NETBIOS SMB-DS Trans andx data displacement null pointer DOS attempt www.ethereal.com/news/item_20050504_01.html 13504 protocol-command-decode tcp $EXTERNAL_NET any -> $EXTERNAL_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; classtype:protocol-command-decode; 3644 NETBIOS SMB-DS Trans data displacement null pointer DOS attempt www.ethereal.com/news/item_20050504_01.html 13504 protocol-command-decode tcp $EXTERNAL_NET any -> $EXTERNAL_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; classtype:protocol-command-decode; 3645 NETBIOS SMB-DS Trans unicode data displacement null pointer DOS attempt www.ethereal.com/news/item_20050504_01.html 13504 protocol-command-decode tcp $EXTERNAL_NET any -> $EXTERNAL_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; classtype:protocol-command-decode; 3646 NETBIOS SMB-DS Trans unicode andx data displacement null pointer DOS attempt www.ethereal.com/news/item_20050504_01.html 13504 protocol-command-decode udp $EXTERNAL_NET any -> $EXTERNAL_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; classtype:protocol-command-decode; 3647 NETBIOS-DG SMB Trans andx data displacement null pointer DOS attempt www.ethereal.com/news/item_20050504_01.html 13504 protocol-command-decode udp $EXTERNAL_NET any -> $EXTERNAL_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; classtype:protocol-command-decode; 3648 NETBIOS-DG SMB Trans data displacement null pointer DOS attempt www.ethereal.com/news/item_20050504_01.html 13504 protocol-command-decode udp $EXTERNAL_NET any -> $EXTERNAL_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; classtype:protocol-command-decode; 3649 NETBIOS-DG SMB Trans unicode data displacement null pointer DOS attempt www.ethereal.com/news/item_20050504_01.html 13504 protocol-command-decode udp $EXTERNAL_NET any -> $EXTERNAL_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; classtype:protocol-command-decode; 3650 NETBIOS-DG SMB Trans unicode andx data displacement null pointer DOS attempt www.ethereal.com/news/item_20050504_01.html 10726 attempted-user 2004-0728 tcp $HOME_NET any -> $HOME_NET 2702 flow:to_server,established; content:"RCH0"; fast_pattern:only; content:"RCHE"; nocase; byte_test:2,>,131,-8,relative,little; isdataat:131,relative; classtype:attempted-user; 3673 MISC Microsoft SMS remote control client DoS overly long length attempt 15065 protocol-command-decode 2005-2120 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:10; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,0,relative,dce; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:protocol-command-decode; 4334 NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceList attempt www.microsoft.com/technet/security/bulletin/ms05-047.mspx 14514 attempted-admin 2005-1984 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:70; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,96,relative,dce; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:attempted-admin; 4413 NETBIOS DCERPC NCACN-IP-TCP spoolss AddPrinterEx overflow attempt www.microsoft.com/technet/security/bulletin/MS05-043.mspx 15066 attempted-admin 2005-1985 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:e67ab081-9844-3521-9d32-834f038001c0; dce_opnum:43; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,512,4,relative,dce; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:attempted-admin; 4608 NETBIOS DCERPC NCACN-IP-TCP netware_cs function 43 overflow attempt www.microsoft.com/technet/security/bulletin/MS05-046.mspx protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4651 NETBIOS SMB NT Trans NT SET SECURITY DESC SACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4652 NETBIOS SMB NT Trans NT SET SECURITY DESC andx SACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4653 NETBIOS SMB NT Trans NT SET SECURITY DESC unicode SACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4654 NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4655 NETBIOS SMB-DS NT Trans NT SET SECURITY DESC SACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4656 NETBIOS SMB-DS NT Trans NT SET SECURITY DESC andx SACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4657 NETBIOS SMB-DS NT Trans NT SET SECURITY DESC unicode SACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4658 NETBIOS SMB-DS NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt protocol-command-decode 2004-1154 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4659 NETBIOS-DG SMB NT Trans NT SET SECURITY DESC SACL overflow attempt protocol-command-decode 2004-1154 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4660 NETBIOS-DG SMB NT Trans NT SET SECURITY DESC andx SACL overflow attempt protocol-command-decode 2004-1154 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4661 NETBIOS-DG SMB NT Trans NT SET SECURITY DESC unicode SACL overflow attempt protocol-command-decode 2004-1154 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4662 NETBIOS-DG SMB NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4663 NETBIOS SMB NT Trans NT SET SECURITY DESC DACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4664 NETBIOS SMB NT Trans NT SET SECURITY DESC andx DACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4665 NETBIOS SMB NT Trans NT SET SECURITY DESC unicode DACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4666 NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4667 NETBIOS SMB-DS NT Trans NT SET SECURITY DESC DACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4668 NETBIOS SMB-DS NT Trans NT SET SECURITY DESC andx DACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4669 NETBIOS SMB-DS NT Trans NT SET SECURITY DESC unicode DACL overflow attempt protocol-command-decode 2004-1154 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4670 NETBIOS SMB-DS NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt protocol-command-decode 2004-1154 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4671 NETBIOS-DG SMB NT Trans NT SET SECURITY DESC DACL overflow attempt protocol-command-decode 2004-1154 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4672 NETBIOS-DG SMB NT Trans NT SET SECURITY DESC andx DACL overflow attempt protocol-command-decode 2004-1154 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4673 NETBIOS-DG SMB NT Trans NT SET SECURITY DESC unicode DACL overflow attempt protocol-command-decode 2004-1154 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; classtype:protocol-command-decode; 4674 NETBIOS-DG SMB NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt 15460 protocol-command-decode 2005-3644 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:7; dce_stub_data; byte_test:4,>,256,0,relative,dce; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:protocol-command-decode; 4826 NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetRootDeviceInstance attempt www.microsoft.com/technet/security/advisory/911052.mspx 15460 protocol-command-decode 2005-3644 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:10; dce_stub_data; byte_test:4,>,256,4,relative,dce; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:protocol-command-decode; 4918 NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_GetDeviceList dos attempt www.microsoft.com/technet/security/advisory/911052.mspx 10108 protocol-command-decode 2003-0533 udp $EXTERNAL_NET any -> $HOME_NET [135,138,1024:] dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:0; content:"|04 00|"; metadata:service netbios-dgm; classtype:protocol-command-decode; 5096 NETBIOS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation attempt 12205 www.microsoft.com/technet/security/bulletin/MS04-011.mspx protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:15; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align,dce; content:"|00 00 00 00|"; within:4; distance:8; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:protocol-command-decode; 529 NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrShareEnum null policy handle attempt 1163 attempted-recon 2000-0347 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; classtype:attempted-recon; 530 NETBIOS NT NULL session protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; 532 NETBIOS SMB ADMIN$ share access protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; 533 NETBIOS SMB C$ share access attempted-recon tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:to_server,established; content:"|5C|../|00 00 00|"; classtype:attempted-recon; 534 NETBIOS SMB CD.. attempted-recon tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:to_server,established; content:"|5C|...|00 00 00|"; classtype:attempted-recon; 535 NETBIOS SMB CD... protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; 536 NETBIOS SMB D$ share access 9752 protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; classtype:protocol-command-decode; 5678 NETBIOS SMB-DS Session Setup username overflow attempt www.eeye.com/html/Research/Advisories/AD20040226.html 9752 protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:stateless; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; classtype:protocol-command-decode; 5679 NETBIOS SMB-DS Session Setup unicode username overflow attempt www.eeye.com/html/Research/Advisories/AD20040226.html 9752 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; classtype:protocol-command-decode; 5680 NETBIOS-DG SMB Session Setup username overflow attempt www.eeye.com/html/Research/Advisories/AD20040226.html 9752 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; classtype:protocol-command-decode; 5681 NETBIOS-DG SMB Session Setup unicode username overflow attempt www.eeye.com/html/Research/Advisories/AD20040226.html 9752 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; classtype:protocol-command-decode; 5683 NETBIOS-DG SMB Session Setup andx username overflow attempt www.eeye.com/html/Research/Advisories/AD20040226.html 9752 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; classtype:protocol-command-decode; 5684 NETBIOS-DG SMB Session Setup unicode andx username overflow attempt www.eeye.com/html/Research/Advisories/AD20040226.html 5556 protocol-command-decode 2002-0724 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00 00 00|"; within:4; distance:5; classtype:protocol-command-decode; 5717 NETBIOS SMB-DS Trans Max Param/Count DOS attempt 11110 www.microsoft.com/technet/security/bulletin/MS02-045.mspx 5556 protocol-command-decode 2002-0724 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00 00 00|"; within:4; distance:5; classtype:protocol-command-decode; 5719 NETBIOS-DG SMB Trans Max Param/Count DOS attempt 11110 www.microsoft.com/technet/security/bulletin/MS02-045.mspx 122 attempted-dos 1999-0003 tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; depth:32; offset:16; metadata:service sunrpc; classtype:attempted-dos; 572 RPC DOS ttdbserv Solaris 5556 protocol-command-decode 2002-0724 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00 00 00|"; within:4; distance:5; classtype:protocol-command-decode; 5720 NETBIOS-DG SMB Trans unicode Max Param/Count DOS attempt 11110 www.microsoft.com/technet/security/bulletin/MS02-045.mspx 5556 protocol-command-decode 2002-0724 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00 00 00|"; within:4; distance:5; classtype:protocol-command-decode; 5721 NETBIOS SMB Trans andx Max Param/Count DOS attempt 11110 www.microsoft.com/technet/security/bulletin/MS02-045.mspx 5556 protocol-command-decode 2002-0724 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00 00 00|"; within:4; distance:5; classtype:protocol-command-decode; 5722 NETBIOS SMB Trans unicode andx Max Param/Count DOS attempt 11110 www.microsoft.com/technet/security/bulletin/MS02-045.mspx 5556 protocol-command-decode 2002-0724 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00 00 00|"; within:4; distance:5; classtype:protocol-command-decode; 5723 NETBIOS SMB-DS Trans andx Max Param/Count DOS attempt 11110 www.microsoft.com/technet/security/bulletin/MS02-045.mspx 5556 protocol-command-decode 2002-0724 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00 00 00|"; within:4; distance:5; classtype:protocol-command-decode; 5724 NETBIOS SMB-DS Trans unicode andx Max Param/Count DOS attempt 11110 www.microsoft.com/technet/security/bulletin/MS02-045.mspx 5556 protocol-command-decode 2002-0724 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00 00 00|"; within:4; distance:5; classtype:protocol-command-decode; 5725 NETBIOS-DG SMB Trans andx Max Param/Count DOS attempt 11110 www.microsoft.com/technet/security/bulletin/MS02-045.mspx 5556 protocol-command-decode 2002-0724 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00 00 00|"; within:4; distance:5; classtype:protocol-command-decode; 5726 NETBIOS-DG SMB Trans unicode andx Max Param/Count DOS attempt 11110 www.microsoft.com/technet/security/bulletin/MS02-045.mspx 13942 protocol-command-decode 2005-1206 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4376,5,relative,little; classtype:protocol-command-decode; 5727 NETBIOS SMB Trans unicode Max Param DOS attempt 18483 www.microsoft.com/technet/security/bulletin/MS05-027.mspx 13942 protocol-command-decode 2005-1206 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4376,5,relative,little; classtype:protocol-command-decode; 5728 NETBIOS-DG SMB Trans Max Param DOS attempt 18483 www.microsoft.com/technet/security/bulletin/MS05-027.mspx 13942 protocol-command-decode 2005-1206 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4376,5,relative,little; classtype:protocol-command-decode; 5729 NETBIOS SMB Trans Max Param DOS attempt 18483 www.microsoft.com/technet/security/bulletin/MS05-027.mspx 13942 protocol-command-decode 2005-1206 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4376,5,relative,little; classtype:protocol-command-decode; 5730 NETBIOS SMB-DS Trans Max Param DOS attempt 18483 www.microsoft.com/technet/security/bulletin/MS05-027.mspx 13942 protocol-command-decode 2005-1206 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4376,5,relative,little; classtype:protocol-command-decode; 5731 NETBIOS SMB-DS Trans unicode Max Param DOS attempt 18483 www.microsoft.com/technet/security/bulletin/MS05-027.mspx 13942 protocol-command-decode 2005-1206 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:2,>,4376,5,relative,little; classtype:protocol-command-decode; 5732 NETBIOS-DG SMB Trans unicode Max Param DOS attempt 18483 www.microsoft.com/technet/security/bulletin/MS05-027.mspx 13942 protocol-command-decode 2005-1206 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4376,5,relative,little; classtype:protocol-command-decode; 5733 NETBIOS SMB Trans unicode andx Max Param DOS attempt 18483 www.microsoft.com/technet/security/bulletin/MS05-027.mspx 13942 protocol-command-decode 2005-1206 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4376,5,relative,little; classtype:protocol-command-decode; 5734 NETBIOS-DG SMB Trans andx Max Param DOS attempt 18483 www.microsoft.com/technet/security/bulletin/MS05-027.mspx 13942 protocol-command-decode 2005-1206 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4376,5,relative,little; classtype:protocol-command-decode; 5735 NETBIOS SMB Trans andx Max Param DOS attempt 18483 www.microsoft.com/technet/security/bulletin/MS05-027.mspx 13942 protocol-command-decode 2005-1206 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4376,5,relative,little; classtype:protocol-command-decode; 5736 NETBIOS SMB-DS Trans andx Max Param DOS attempt 18483 www.microsoft.com/technet/security/bulletin/MS05-027.mspx 13942 protocol-command-decode 2005-1206 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4376,5,relative,little; classtype:protocol-command-decode; 5737 NETBIOS SMB-DS Trans unicode andx Max Param DOS attempt 18483 www.microsoft.com/technet/security/bulletin/MS05-027.mspx 13942 protocol-command-decode 2005-1206 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:2,>,4376,5,relative,little; classtype:protocol-command-decode; 5738 NETBIOS-DG SMB Trans unicode andx Max Param DOS attempt 18483 www.microsoft.com/technet/security/bulletin/MS05-027.mspx attempted-recon tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:attempted-recon; 574 RPC mountd TCP export request rpc-portmap-decode udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 575 RPC portmap admind request UDP 614 rpc-portmap-decode 1999-0704 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 576 RPC portmap amountd request UDP rpc-portmap-decode 1999-0647 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 577 RPC portmap bootparam request UDP rpc-portmap-decode udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 578 RPC portmap cmsd request UDP rpc-portmap-decode udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 579 RPC portmap mountd request UDP rpc-portmap-decode 1999-0008 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 580 RPC portmap nisd request UDP 4816 rpc-portmap-decode 2002-0910 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 581 RPC portmap pcnfsd request UDP rpc-portmap-decode udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 582 RPC portmap rexd request UDP rpc-portmap-decode udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 583 RPC portmap rstatd request UDP rpc-portmap-decode 1999-0626 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 584 RPC portmap rusers request UDP rpc-portmap-decode udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 585 RPC portmap sadmind request UDP 8 rpc-portmap-decode 1999-0209 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 586 RPC portmap selection_svc request UDP rpc-portmap-decode udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 587 RPC portmap status request UDP 3382 rpc-portmap-decode 2001-0717 udp $EXTERNAL_NET any -> $HOME_NET 111 content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 588 RPC portmap ttdbserv request UDP www.cert.org/advisories/CA-2001-05.html rpc-portmap-decode udp $EXTERNAL_NET any -> $HOME_NET 111 content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 589 RPC portmap yppasswd request UDP 6016 rpc-portmap-decode 2002-1232 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; 590 RPC portmap ypserv request UDP 1749 rpc-portmap-decode 1999-0208 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 591 RPC portmap ypupdated request TCP 2714 rpc-portmap-decode 2001-0331 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 595 RPC portmap espd request TCP rpc-portmap-decode tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 598 RPC portmap listing TCP 111 rpc-portmap-decode tcp $EXTERNAL_NET any -> $HOME_NET 32771 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 599 RPC portmap listing TCP 32771 attempted-recon 1999-0626 udp $EXTERNAL_NET any -> $HOME_NET any content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:attempted-recon; 612 RPC rusers query UDP 18325 attempted-admin 2006-2370 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:20610036-fa22-11cf-9823-00a0c911e5df; dce_opnum:12; dce_stub_data; byte_test:4,>,8192,4,relative,dce; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:attempted-admin; 6584 NETBIOS DCERPC NCACN-IP-TCP rras RasRpcSubmitRequest overflow attempt www.microsoft.com/technet/security/bulletin/MS06-025.mspx 7106 protocol-command-decode 2003-0085 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A1|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,>,1000,20,relative; classtype:protocol-command-decode; 6702 NETBIOS SMB NT Trans Secondary Param Count overflow attempt 7106 protocol-command-decode 2003-0085 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A1|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,>,1000,20,relative; classtype:protocol-command-decode; 6703 NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt 7106 protocol-command-decode 2003-0085 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A1|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,>,1000,20,relative; classtype:protocol-command-decode; 6704 NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt 7106 protocol-command-decode 2003-0085 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A1|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,>,1000,20,relative; classtype:protocol-command-decode; 6705 NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt 7106 protocol-command-decode 2003-0085 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A1|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,>,1000,20,relative; classtype:protocol-command-decode; 6706 NETBIOS-DG SMB NT Trans Secondary Param Count overflow attempt 7106 protocol-command-decode 2003-0085 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A1|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,>,1000,20,relative; classtype:protocol-command-decode; 6707 NETBIOS-DG SMB NT Trans Secondary unicode Param Count overflow attempt 7106 protocol-command-decode 2003-0085 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A1|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,>,1000,20,relative; classtype:protocol-command-decode; 6708 NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt 7106 protocol-command-decode 2003-0085 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A1|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,>,1000,20,relative; classtype:protocol-command-decode; 6709 NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt 7106 protocol-command-decode 2003-0085 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A1|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,>,1000,20,relative; classtype:protocol-command-decode; 6710 NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt 7106 protocol-command-decode 2003-0085 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A1|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,>,1000,20,relative; classtype:protocol-command-decode; 6711 NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt 7106 protocol-command-decode 2003-0085 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A1|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,>,1000,20,relative; classtype:protocol-command-decode; 6712 NETBIOS-DG SMB NT Trans Secondary andx Param Count overflow attempt 7106 protocol-command-decode 2003-0085 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A1|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,>,1000,20,relative; classtype:protocol-command-decode; 6713 NETBIOS-DG SMB NT Trans Secondary unicode andx Param Count overflow attempt 18358 attempted-admin 2006-2371 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:20610036-fa22-11cf-9823-00a0c911e5df; dce_opnum:10; dce_stub_data; pcre:"/^.{68}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,258,0,relative,dce; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:attempted-admin; 6810 NETBIOS DCERPC NCACN-IP-TCP rras RasRpcSetUserPreferences area/country overflow attempt www.microsoft.com/technet/security/bulletin/MS06-025.mspx 18864 protocol-command-decode 2006-3942 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; within:1; distance:27; content:"|01 00 00 00|"; within:4; distance:1; content:!"|00|"; within:25; distance:4; metadata:service netbios-dgm; classtype:protocol-command-decode; 7037 NETBIOS-DG SMB Trans mailslot heap overflow attempt www.microsoft.com/technet/security/bulletin/MS06-063.mspx 18864 protocol-command-decode 2006-3942 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; within:1; distance:27; content:!"|00 00|"; within:50; distance:9; metadata:service netbios-dgm; classtype:protocol-command-decode; 7038 NETBIOS-DG SMB Trans unicode mailslot heap overflow attempt www.microsoft.com/technet/security/bulletin/MS06-063.mspx 18864 protocol-command-decode 2006-3942 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03|"; within:1; distance:27; content:!"|00 00|"; within:50; distance:9; metadata:service netbios-dgm; classtype:protocol-command-decode; 7042 NETBIOS-DG SMB Trans unicode andx mailslot heap overflow attempt www.microsoft.com/technet/security/bulletin/MS06-063.mspx attempted-admin 2006-2372 udp any any -> any 68 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|7196; 7196 EXPLOIT Microsoft DHCP option overflow attempt www.microsoft.com/technet/security/Bulletin/MS06-036.mspx 19417 attempted-user 2006-3643 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"res|3A|//mmcndmgr.dll"; classtype:attempted-user; 7422 EXPLOIT Microsoft MMC mmcndmgr.dll cross site scripting attempt www.microsoft.com/technet/security/bulletin/ms06-044.mspx 19417 attempted-user 2006-3643 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"res|3A|//mmc.exe"; classtype:attempted-user; 7423 EXPLOIT Microsoft MMC mmc.exe cross site scripting attempt www.microsoft.com/technet/security/bulletin/ms06-044.mspx 19417 attempted-user 2006-3643 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"res|3A|//createcab.cmd"; classtype:attempted-user; 7424 EXPLOIT Microsoft MMC createcab.cmd cross site scripting attempt www.microsoft.com/technet/security/bulletin/ms06-044.mspx 16636 attempted-admin 2006-0013 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:C8CB7687-E6D3-11D2-A958-00C04F682E16; dce_opnum:0; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,8,relative,dce; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:attempted-admin; 8157 NETBIOS DCERPC NCACN-IP-TCP webdav DavrCreateConnection hostname overflow attempt www.microsoft.com/technet/security/bulletin/MS06-008.mspx attempted-dos 2006-4696 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|07|"; depth:1; offset:39; byte_jump:2,0,little,relative; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00[^\x03\x04])/Rs"; classtype:attempted-dos; 8449 NETBIOS SMB Rename invalid buffer type andx attempt www.microsoft.com/technet/security/bulletin/MS06-063.mspx attempted-dos 2006-4696 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|07|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00[^\x03\x04])/Rs"; classtype:attempted-dos; 8450 NETBIOS SMB Rename invalid buffer type attempt www.microsoft.com/technet/security/bulletin/MS06-063.mspx attempted-dos 2006-4696 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|07|"; depth:1; offset:39; byte_jump:2,0,little,relative; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00\x00[^\x03\x04])/Rs"; classtype:attempted-dos; 8451 NETBIOS SMB Rename invalid buffer type unicode andx attempt www.microsoft.com/technet/security/bulletin/MS06-063.mspx attempted-dos 2006-4696 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|07|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00\x00[^\x03\x04])/Rs"; classtype:attempted-dos; 8452 NETBIOS SMB Rename invalid buffer type unicode attempt www.microsoft.com/technet/security/bulletin/MS06-063.mspx attempted-dos 2006-4696 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|07|"; depth:1; offset:39; byte_jump:2,0,little,relative; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00[^\x03\x04])/Rs"; classtype:attempted-dos; 8453 NETBIOS SMB-DS Rename invalid buffer type andx attempt www.microsoft.com/technet/security/bulletin/MS06-063.mspx attempted-dos 2006-4696 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|07|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00[^\x03\x04])/Rs"; classtype:attempted-dos; 8454 NETBIOS SMB-DS Rename invalid buffer type attempt www.microsoft.com/technet/security/bulletin/MS06-063.mspx attempted-dos 2006-4696 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|07|"; depth:1; offset:39; byte_jump:2,0,little,relative; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00\x00[^\x03\x04])/Rs"; classtype:attempted-dos; 8455 NETBIOS SMB-DS Rename invalid buffer type unicode andx attempt www.microsoft.com/technet/security/bulletin/MS06-063.mspx attempted-dos 2006-4696 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|07|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00\x00[^\x03\x04])/Rs"; classtype:attempted-dos; 8456 NETBIOS SMB-DS Rename invalid buffer type unicode attempt www.microsoft.com/technet/security/bulletin/MS06-063.mspx attempted-dos 2006-4696 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|07|"; depth:1; offset:39; byte_jump:2,0,little,relative; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00[^\x03\x04])/Rs"; classtype:attempted-dos; 8457 NETBIOS-DG SMB Rename invalid buffer type andx attempt www.microsoft.com/technet/security/bulletin/MS06-063.mspx attempted-dos 2006-4696 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|07|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00[^\x03\x04])/Rs"; classtype:attempted-dos; 8458 NETBIOS-DG SMB Rename invalid buffer type attempt www.microsoft.com/technet/security/bulletin/MS06-063.mspx attempted-dos 2006-4696 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|07|"; depth:1; offset:39; byte_jump:2,0,little,relative; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00\x00[^\x03\x04])/Rs"; classtype:attempted-dos; 8459 NETBIOS-DG SMB Rename invalid buffer type unicode andx attempt www.microsoft.com/technet/security/bulletin/MS06-063.mspx attempted-dos 2006-4696 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|07|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; pcre:"/^.{5}([^\x03\x04]|.[^\x00]+\x00\x00[^\x03\x04])/Rs"; classtype:attempted-dos; 8460 NETBIOS-DG SMB Rename invalid buffer type unicode attempt www.microsoft.com/technet/security/bulletin/MS06-063.mspx 9011 attempted-admin 2003-0812 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:6bffd098-a112-3610-9833-46c3f87e345a; dce_opnum:27; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,256,4,relative,dce; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:attempted-admin; 8925 NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrAddAlternateComputerName overflow attempt 11921 www.microsoft.com/technet/security/bulletin/MS03-049.mspx attempted-admin 2006-4689 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:e67ab081-9844-3521-9d32-834f038001c0; dce_opnum:9; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,128,0,relative,dce; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:attempted-admin; 9132 NETBIOS DCERPC NCACN-IP-TCP netware_cs NwrOpenEnumNdsStubTrees_Any overflow attempt www.microsoft.com/technet/security/bulletin/MS06-066.mspx attempted-admin 2006-4689 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:e67ab081-9844-3521-9d32-834f038001c0; dce_opnum:1; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,128,4,relative,dce; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:attempted-admin; 9228 NETBIOS DCERPC NCACN-IP-TCP netware_cs NwGetConnectionInformation overflow attempt www.microsoft.com/technet/security/bulletin/MS06-066.mspx 13951 attempted-user 2005-1213 tcp $EXTERNAL_NET 119 -> $HOME_NET any flow:established,to_client; content:"215 "; depth:4; content:"|0D 0A|"; distance:0; content:" "; distance:0; pcre:"/^[^\s\x00]{16}/R"; classtype:attempted-user; 9431 EXPLOIT Microsoft NNTP response overflow attempt www.microsoft.com/technet/security/bulletin/ms05-030.mspx 21034 attempted-user 2006-3445 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"|C4 AB CD AB|"; byte_test:4,<,500,0,relative,little; classtype:attempted-user; 9432 WEB-CLIENT Microsoft Agent buffer overflow attempt www.microsoft.com/technet/security/bulletin/ms06-068.mspx 20365 attempted-admin 2006-5143 tcp $EXTERNAL_NET any -> $HOME_NET 6503 flow:established,to_server; dce_iface:DC246BF0-7A7A-11CE-9F88-00805FE43838; dce_opnum:43; dce_stub_data; isdataat:672,relative; content:!"|00|"; within:672; content:"|05 00 00|"; metadata:service dcerpc; classtype:attempted-admin; 9441 NETBIOS DCERPC NCACN-IP-TCP brightstor QSIGetQueuePath overflow attempt www.lssec.com/advisories/LS-20060313.pdf 20941 attempted-user 2006-5780 tcp $EXTERNAL_NET any -> $HOME_NET 2049 flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:8; byte_test:4,>,255,8,relative; isdataat:264,relative; metadata:service sunrpc; classtype:attempted-user; 9623 RPC UNIX authentication machinename string overflow attempt TCP 20941 attempted-user 2006-5780 udp $EXTERNAL_NET any -> $HOME_NET 2049 flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:8; byte_test:4,>,255,8,relative; isdataat:264,relative; metadata:service sunrpc; classtype:attempted-user; 9624 RPC UNIX authentication machinename string overflow attempt UDP attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] flow:established,to_server; dce_iface:975201B0-59CA-11D0-A8D5-00A0C90D8051; dce_opnum:1; dce_stub_data; byte_test:4,>,128,20,relative,dce; content:"|05 00 00|"; metadata:service dcerpc; classtype:attempted-admin; 9772 NETBIOS DCERPC NCACN-IP-TCP msqueue function 1 overflow attempt attempted-admin udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] dce_iface:975201B0-59CA-11D0-A8D5-00A0C90D8051; dce_opnum:1; dce_stub_data; byte_test:4,>,128,20,relative,dce; content:"|04 00|"; metadata:service dcerpc; classtype:attempted-admin; 9773 NETBIOS DCERPC NCADG-IP-UDP msqueue function 1 overflow attempt 14518 attempted-admin 2005-0058 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; dce_iface:2f5f6520-ca46-1067-b319-00dd010662da; dce_opnum:1; dce_stub_data; content:"E|00 00 00|"; within:4; distance:32; byte_test:4,>,1024,-16,relative,dce; content:"|05 00 00|"; metadata:service netbios-ssn; classtype:attempted-admin; 9914 NETBIOS DCERPC NCACN-IP-TCP tapisrv ClientRequest LSetAppPriority overflow attempt www.microsoft.com/technet/Security/bulletin/ms05-040.mspx 33113 attempted-admin 2009-0065 ip $EXTERNAL_NET any -> $HOME_NET any ip_proto:132; content:"|C0 00|"; depth:2; offset:12; byte_test:2,>,500,0,relative,big; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 15490 EXPLOIT Linux SCTP malformed forward-tsn chunk arbitrary code execution attempt 31133 attempted-dos 2008-3915 udp $EXTERNAL_NET any -> $HOME_NET 2049 flow:to_server; content:"|00 00 00 22|"; content:"|00 00 00 01 00 00 10 00 00 00 03|D|00 00 00 1A|"; within:16; distance:16; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-dos; 16352 EXPLOIT Linux Kernel NFSD Subsystem overflow attempt shellcode-detect ip $EXTERNAL_NET any -> $HOME_NET any content:"|31 DB 53 43 53 6A 02 6A 66 58 89 E1 CD 80|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; 17324 SHELLCODE x86 Linux reverse connect shellcode 18081 attempted-dos 2006-2444 udp $EXTERNAL_NET any -> $HOME_NET 161 content:"|01 04|"; depth:2; offset:4; byte_jump:1,0,relative; content:"|A4 02 61 61|"; within:4; metadata:policy security-ips drop; classtype:attempted-dos; 17738 SPECIFIC-THREATS Linux Kernel SNMP Netfilter Memory Corruption attempt 120 OS / Linux attempted-user tcp $EXTERNAL_NET any -> $HOME_NET 6000 flow:established; content:"MIT-MAGIC-COOKIE-1"; fast_pattern:only; metadata:service x11; classtype:attempted-user; 1225 X11 MIT Magic Cookie detected unknown tcp $EXTERNAL_NET any -> $HOME_NET 6000 flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:service x11; classtype:unknown; 1226 X11 xopen 30704 denial-of-service 2008-3276 ip $EXTERNAL_NET any -> $HOME_NET any ip_proto:33; content:" "; depth:1; offset:29; byte_test:1,<,4,0,relative; classtype:denial-of-service; 15906 EXPLOIT Linux Kernel DCCP Protocol Handler dccp_setsockopt_change integer overflow attempt 30704 denial-of-service 2008-3276 ip $EXTERNAL_NET any -> $HOME_NET any ip_proto:33; content:"|22|"; depth:1; offset:29; byte_test:1,<,4,0,relative; classtype:denial-of-service; 15907 EXPLOIT Linux Kernel DCCP Protocol Handler dccp_setsockopt_change integer overflow attempt 39794 attempted-admin 2010-1173 ip $EXTERNAL_NET any -> $HOME_NET any ip_proto:132; content:"|01|"; depth:1; offset:12; byte_test:2,>,0xC000,19,relative; pcre:!"/^.{19}\xC0[\x05\x06\x09\x0B\x0C]/sR"; byte_jump:2,21,relative,align,post_offset -4; byte_test:2,>,0xC000,0,relative; pcre:!"/^\xC0[\x05\x06\x09\x0B\x0C]/R"; classtype:attempted-admin; 16724 EXPLOIT Linux kernel sctp_process_unk_param SCTPChunkInit buffer overflow attempt 24376 attempted-dos 2007-2876 ip $EXTERNAL_NET any -> $HOME_NET any ip_proto:132; dsize:>12; byte_test:1,>,14,12; classtype:attempted-dos; 17302 DOS Linux kernel SCTP Unknown Chunk Types denial of service attempt attempted-admin tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 flow:to_server,established; content:"wh00t!"; classtype:attempted-admin; 213 BACKDOOR MISC Linux rootkit attempt attempted-admin tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 flow:to_server,established; content:"lrkr0x"; classtype:attempted-admin; 214 BACKDOOR MISC Linux rootkit attempt lrkr0x attempted-admin tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 flow:to_server,established; content:"d13hh["; nocase; classtype:attempted-admin; 215 BACKDOOR MISC Linux rootkit attempt attempted-admin tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 flow:to_server,established; content:"satori"; classtype:attempted-admin; 216 BACKDOOR MISC Linux rootkit satori attempt 536 attempted-admin 1999-0811 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; classtype:attempted-admin; 292 EXPLOIT x86 Linux samba overflow 1712 attempted-admin 2000-0917 tcp $EXTERNAL_NET any -> $HOME_NET 515 flow:to_server,established; content:"XXXX%.172u%300|24|n"; classtype:attempted-admin; 302 EXPLOIT Redhat 7.0 lprd overflow 210 attempted-admin udp $EXTERNAL_NET any -> $HOME_NET 518 flow:to_server; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|"; fast_pattern:only; classtype:attempted-admin; 313 EXPLOIT ntalkd x86 Linux overflow 121 attempted-admin 1999-0002 udp $EXTERNAL_NET any -> $HOME_NET 635 flow:to_server; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; classtype:attempted-admin; 315 EXPLOIT x86 Linux mountd overflow 121 attempted-admin 1999-0002 udp $EXTERNAL_NET any -> $HOME_NET 635 flow:to_server; content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; classtype:attempted-admin; 316 EXPLOIT x86 Linux mountd overflow 121 attempted-admin 1999-0002 udp $EXTERNAL_NET any -> $HOME_NET 635 flow:to_server; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; classtype:attempted-admin; 317 EXPLOIT x86 Linux mountd overflow bad-unknown tcp $EXTERNAL_NET any -> $HOME_NET 513 flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; fast_pattern:only; classtype:bad-unknown; 601 RSERVICES rlogin LinuxNIS shellcode-detect ip $EXTERNAL_NET any -> $HOME_NET any content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; fast_pattern:only; classtype:shellcode-detect; 652 SHELLCODE Linux shellcode 18755 attempted-dos 2006-2934 ip $EXTERNAL_NET any -> $HOME_NET any ip_proto:132; dsize:12; classtype:attempted-dos; 7021 DOS linux kernel SCTP chunkless packet denial of service attempt 12491 attempted-admin 2005-0260 udp $EXTERNAL_NET any -> $HOME_NET 41524 flow:to_server; content:"|B0 8E 80 23|"; content:!"|00|"; within:1399; isdataat:1400; metadata:policy security-ips drop; classtype:attempted-admin; 10134 SPECIFIC-THREATS CA Brightstor discovery service buffer overflow attempt 23556 attempted-admin 2007-2171 tcp $EXTERNAL_NET any -> $HOME_NET 7205:7211 flow:established,to_server; content:"Authorization"; nocase; content:"Basic"; distance:0; nocase; pcre:"/Authorization\s*\x3A\s*Basic\s*[^\n]{437}/smi"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 10998 EXPLOIT Novell GroupWise WebAccess authentication overflow 23047 attempted-dos 2007-1542 udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"INVITE"; depth:6; nocase; content:"Remote-Party-Id"; nocase; content:"csip|3A|"; distance:0; nocase; pcre:"/Remote-Party-ID\x3A\scsip\x3A[^@]+@\d{1,3}\x2E\d{1,3}\x2E\xD1/smi"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-dos; 11970 VOIP-SIP Cisco 7940/7960 INVITE Remote-Party-ID denial of service attempt www.cisco.com/warp/public/707/cisco-sr-20070320-sip.shtml 27313 attempted-admin 2008-0027 tcp $EXTERNAL_NET any -> $HOME_NET 2444 flow:established,to_server; content:"|17 03 01|"; depth:3; byte_test:2,>,16383,0,relative,big; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 13363 EXPLOIT Cisco Unified Communications Manager heap overflow attempt attempted-admin 2001-0797 tcp $EXTERNAL_NET any -> $HOME_NET 23 flow:established,to_server; content:"c c c c c c c c c"; metadata:policy security-ips drop, service telnet; classtype:attempted-admin; 13613 SPECIFIC-THREATS Solaris username overflow authentication bypass attempt 16870 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"isComponentInstalled|28|boom"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:attempted-user; 13912 SPECIFIC-THREATS isComponentInstalled Metasploit attack attempt attempted-user 2008-4479 tcp $EXTERNAL_NET any -> $HOME_NET [8030,8028,8008,8010] flow:to_server,established; content:"Accept-Language|3A|"; nocase; pcre:"/^Accept\x2dLanguage\x3a\s*(\w{1,36}\s*(\x2e|\x2d|\x3b|\x3d|\x2c)\s*)*[^\x2d\x3b\x2c\x3d\n]{37}/smi"; metadata:policy security-ips drop; classtype:attempted-user; 14989 WEB-MISC Novell eDirectory SOAP Accept Language header overflow attempt 31553 attempted-admin 2008-5094 tcp $EXTERNAL_NET any -> $HOME_NET [8008,8028] flow:to_server,established; content:"/nds"; nocase; content:"Accept-Language"; distance:0; nocase; content:"|3A|"; distance:0; pcre:"/^\s*Accept-Language\s*\x3a\s*([^\r\n]*?\x2c){20}/mi"; metadata:policy security-ips drop, service http; classtype:attempted-admin; 15446 WEB-MISC Novell eDirectory management console Accept-Language buffer overflow attempt download.novell.com/Download?buildid=Cf15mVyA3GI~ 13678 attempted-admin 2005-1543 tcp $EXTERNAL_NET any -> $HOME_NET 1761 flow:to_server,established; content:"|00 01|"; depth:2; offset:16; byte_jump:2,0,relative,big; byte_jump:2,0,relative,big; byte_jump:2,0,relative,big; content:"|00 01 00 02|"; within:4; distance:2; byte_test:2,>,28,0,relative; metadata:policy security-ips drop; classtype:attempted-admin; 15958 WEB-MISC Novell ZENworks Remote Management overflow attempt attempted-user 2006-2327 tcp $EXTERNAL_NET any -> $HOME_NET 3017 flow:to_server,established; content:"|01 8F 9C 19 00 00 00 0C|SLAWEKSERVER"; metadata:policy security-ips drop; classtype:attempted-user; 16019 SPECIFIC-THREATS Novell Distributed Print Services integer overflow attempt attempted-user 2008-4478 tcp $EXTERNAL_NET any -> $HOME_NET [8008,8010,8028,8030] flow:to_server,established; content:"POST /SOAP"; depth:10; nocase; pcre:"/^Content-Length\s*\x3A\s*[1-9][0-9]{8}/mi"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 16194 WEB-MISC Novell eDirectory HTTP request content-length heap buffer overflow attempt attempted-user 2008-4478 tcp $EXTERNAL_NET any -> $HOME_NET [8008,8010,8028,8030] flow:to_server,established; content:"POST /SOAP"; depth:10; nocase; pcre:"/^Content-Length\s*\x3A\s*/mi"; content:"-"; within:1; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 16195 WEB-MISC Novell eDirectory HTTP request content-length heap buffer overflow attempt 37672 attempted-admin 2009-4486 tcp $EXTERNAL_NET any -> $HOME_NET 8080 flow:to_server,established; content:"GET"; nocase; http_method; content:"/nps/servlet/"; nocase; http_uri; content:"taskId=base.ExtendSchema"; nocase; http_uri; pcre:"/(((DestFile|encryptPass)\x3D[^\x26]{50})|((BaseDN|SearchFilter)\x3D[^\x26]{128}))/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 16429 WEB-MISC Novell iManager eDirectory plugin schema buffer overflow attempt - GET request 37672 attempted-admin 2009-4486 tcp $EXTERNAL_NET any -> $HOME_NET 8080 flow:to_server,established; content:"POST"; nocase; http_method; content:"/nps/servlet/"; nocase; http_uri; content:"taskId=base.ExtendSchema"; nocase; http_uri; pcre:"/(((DestFile|encryptPass)\x3D[^\x26]{50})|((BaseDN|SearchFilter)\x3D[^\x26]{128}))/Pi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 16430 WEB-MISC Novell iManager eDirectory plugin schema buffer overflow attempt - POST request web-application-attack 2009-0611 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server, established; content:"AdminServlet"; nocase; http_uri; pcre:"/AdminServlet.*(userid|adminurl)[^\x26\x20\x0a]*<script/smiU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:web-application-attack; 16522 WEB-CLIENT Novell QuickFinder server cross-site-scripting attempt 36698 attempted-user 2009-3031 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"<object classid='clsid|3A|B44D252D-98FC-4D5C-948C-BE868392A004'"; fast_pattern:only; nocase; content:"=String|28|310,|22|A|22 29|"; distance:0; content:"=unescape"; distance:0; metadata:policy security-ips drop, service http; classtype:attempted-user; 16587 SPECIFIC-THREATS Symantec multiple products AeXNSConsoleUtilities buffer overflow attempt 37092 attempted-user 2009-3033 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"|2E|RunCMD|28|"; fast_pattern:only; nocase; content:"catch|28| e |29 20 7B| window|2E|location|20 3D|"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16787 SPECIFIC-THREATS Symantec multiple products AeXNSConsoleUtilities RunCMD buffer overflow attempt 34400 attempted-admin 2009-1350 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:to_server,established; content:"|02 00 00 00 FF FF FF FF|PPPPAAAA"; metadata:policy security-ips drop, service netbios-ssn; classtype:attempted-admin; 17057 SPECIFIC-THREATS Novell Client NetIdentity Agent remote arbitrary pointer dereference code execution attempt 20364 attempted-user 2006-5143 tcp $EXTERNAL_NET 41523 -> $HOME_NET any flow:to_client,established; flowbits:isnotset,CA.response; flowbits:set,CA.response; flowbits:noalert; content:"TESTTESTTESTTESTTESTTESTTEST"; fast_pattern:only; isdataat:990; metadata:policy security-ips drop; classtype:attempted-user; 17620 SPECIFIC-THREATS Products Discovery Service Buffer Overflow 20364 attempted-user 2006-5143 tcp $EXTERNAL_NET 41523 -> $HOME_NET any flow:to_client,established; flowbits:isnotset,CA.response; flowbits:set,CA.response; flowbits:noalert; content:"|9B 17 F6 4A 1D 01 E7 52 11 C3 61 7B 9B B0 62 52|"; fast_pattern:only; isdataat:990; metadata:policy security-ips drop; classtype:attempted-user; 17621 SPECIFIC-THREATS Products Discovery Service Buffer Overflow misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| OSSProxy"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5760 SPYWARE-PUT Hijacker marketscore runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=43974 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/mdh/adcr2.aspx"; fast_pattern; nocase; http_uri; content:"API="; nocase; http_uri; content:"UID="; nocase; http_uri; content:"TZ="; nocase; http_uri; content:"LC="; nocase; http_uri; content:"APL="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5798 SPYWARE-PUT Adware mydailyhoroscope runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453088207 misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"07637823-C894-4A52-B3F9-5D77FD8E36A"; fast_pattern:only; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*07637823-C894-4A52-B3F9-5D77FD8E36A/si"; metadata:policy security-ips drop; classtype:misc-activity; 5799 SPYWARE-PUT mydailyhoroscope update or installation in progress www3.ca.com/securityadvisor/pest/pest.aspx?id=453088207 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/a/Corr.sen?StubName=conscorr"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| Stubby"; nocase; http_header; metadata:policy security-ips drop; classtype:misc-activity; 5834 SPYWARE-PUT Trickler conscorr runtime detection www.spywareguide.com/product_show.php?id=1034 trojan-activity tcp $HOME_NET 800: -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,DSK_Lite_1.0_TCP; content:"disconnect"; depth:10; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6017 BACKDOOR dsk lite 1.0 runtime detection - disconnect www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866 successful-recon-limited udp $EXTERNAL_NET any -> 255.255.255.255 15164 flow:to_server; content:"|00|]B|00 0A 02 08 FE 01 FC 12 00|"; depth:12; metadata:policy security-ips alert; classtype:successful-recon-limited; 6384 SPYWARE-PUT Keylogger stealthwatcher 2000 runtime detection - agent discover broadcast www3.ca.com/securityadvisor/pest/pest.aspx?id=453075982 16870 attempted-user 2006-1016 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"isComponentInstalled"; nocase; isdataat:256,relative; pcre:"/isComponentInstalled\s*\([^,\)]{256}/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 7020 WEB-CLIENT isComponentInstalled function buffer overflow trojan-activity tcp $HOME_NET 7250 -> $EXTERNAL_NET any flow:from_server,established; content:"DTS-300|0D 0A|"; depth:9; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7720 BACKDOOR desktop scout runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453074737 14662 web-application-attack 2005-2773 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/freeIPaddrs.ovpl"; nocase; http_uri; content:"netid="; nocase; http_uri; pcre:"/freeIPaddrs.ovpl[^\r\n]*netid=[^\r\n]*(\x2c|\x24|\x7c|\x3b|\x22|\x26|\x3c|\x3f)/Usmi"; metadata:policy security-ips drop, service http; classtype:web-application-attack; 8090 WEB-MISC HP Openview NNM freeIPaddrs.ovpl Unix command execution attempt 21502 attempted-admin 2006-6379 udp $EXTERNAL_NET any -> $HOME_NET 41524 flow:to_server; content:"|9B|"; depth:1; isdataat:256,relative; content:!"|00|"; within:256; metadata:policy security-ips drop; classtype:attempted-admin; 9635 EXPLOIT Computer Associates Product Discovery Service type 9B remote buffer overflow attempt UDP 130 OS / Other 14510 misc-attack 2005-4797 tcp $EXTERNAL_NET any -> $HOME_NET 515 flow:to_server,established; flowbits:isset,lp.controlfile; content:"|02|"; depth:1; content:"dfA"; nocase; pcre:"/^\x02\d+ dfA/smi"; classtype:misc-attack; 10418 EXPLOIT lpd Solaris unlink file attempt 908 attempted-recon 1999-0744 tcp $EXTERNAL_NET any -> $HOME_NET 457 flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; metadata:service http; classtype:attempted-recon; 1132 WEB-MISC Netscape Unixware overflow 879 attempted-recon 1999-1006 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/GWWEB.EXE"; nocase; metadata:service http; classtype:attempted-recon; 1165 WEB-MISC Novell Groupwise gwweb.exe access 10877 24002 attempted-admin 2007-1173 tcp $EXTERNAL_NET any -> $HOME_NET 5003 flow:established,to_server; content:"|ED ED|"; depth:2; offset:2; content:!"|ED|"; depth:1; isdataat:1176; content:!"|00|"; depth:976; offset:200; classtype:attempted-admin; 11670 EXPLOIT Symantec Discovery logging buffer overflow 14510 misc-attack 2005-4797 tcp $EXTERNAL_NET any -> $HOME_NET 515 flow:to_server,established; content:"|0A|U"; content:"../.."; fast_pattern:only; content:"|0A|"; classtype:misc-attack; 12080 EXPLOIT Sun Solaris printd arbitrary file deletion vulnerability attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/.nsconfig"; http_uri; metadata:service http; classtype:attempted-recon; 1209 WEB-MISC .nsconfig access www.osvdb.org/5709 22857 attempted-admin 2007-1350 tcp $EXTERNAL_NET any -> $HOME_NET 89 flow:to_server,established; content:"POST /f"; depth:8; content:"username="; content:!"&"; within:80; classtype:attempted-admin; 12223 EXPLOIT Novell WebAdmin long user name 25238 attempted-user 2007-4286 ip $EXTERNAL_NET any -> $HOME_NET any ip_proto:47; content:" |01|"; depth:2; offset:2; content:"|FF FF|"; depth:2; offset:14; classtype:attempted-user; 12299 EXPLOIT Cisco NHRP incorrect packet size 25238 attempted-user 2007-4286 ip $EXTERNAL_NET any -> $HOME_NET any ip_proto:54; content:"|FF FF|"; depth:2; offset:10; classtype:attempted-user; 12300 EXPLOIT Cisco NHRP incorrect packet size 2936 web-application-attack 2001-0537 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/level/"; http_uri; pcre:"/\x2flevel\x2f\d+\x2f(exec|configure)/iU"; metadata:service http; classtype:web-application-attack; 1250 WEB-MISC Cisco IOS HTTP configuration attempt 10700 20663 attempted-admin 2006-4509 tcp any any -> $HOME_NET 389 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|13510; 13510 EXPLOIT Novell eDirectory EventsRequest heap overflow attempt labs.idefense.com/intelligence/vulnerabilities/display.php?id=427 20663 attempted-admin 2006-4510 tcp any any -> $HOME_NET 389 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|13511; 13511 EXPLOIT Novell eDirectory EventsRequest invalid event count exploit attempt labs.idefense.com/intelligence/vulnerabilities/display.php?id=428 attempted-admin 2005-0260 tcp $EXTERNAL_NET any -> $HOME_NET 41524 flow:to_server,established; content:"|99 99 99 99 99 99 99 99 99 99|"; pcre:"/\x99{40}\xeb\x12\x01\x99{4}\x18A{5}.{4}A{6}/sm"; classtype:attempted-admin; 13620 SPECIFIC-THREATS CA Brightstor discovery service alternate buffer overflow attempt web-application-activity tcp $EXTERNAL_NET any -> $HOME_NET 8888 flow:to_server,established; content:"/SiteScope/cgi/go.exe/SiteScope"; metadata:service http; classtype:web-application-activity; 1499 WEB-MISC SiteScope Service access 10778 attempted-user 2008-4479 tcp $EXTERNAL_NET any -> $HOME_NET [8030,8028,8008,8010] flow:to_server,established; content:"Accept-Charset|3A|"; nocase; pcre:"/^Accept\x2dCharset\x3a\s*([^\x3b\x3d\x2c]{1,36}\s*(\x2d|\x3b|\x3d|\x2c)\s*)*[^\x2d\x3b\x2c\x3d\n]{37}/smi"; classtype:attempted-user; 14990 WEB-MISC Novell eDirectory SOAP Accept Charset header overflow attempt 1846 web-application-activity 2000-0945 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/exec/show/config/cr"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1544 WEB-MISC Cisco Catalyst command execution attempt 10545 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 flow:to_server,established; dsize:1; content:"|13|"; classtype:web-application-attack; 1545 DOS Cisco attempt attempted-dos 2005-1729 tcp $EXTERNAL_NET any -> $HOME_NET 8008 flow:to_server,established; content:"GET /COM1"; depth:9; metadata:service http; classtype:attempted-dos; 15960 SPECIFIC-THREATS Novell eDirectory MS-DOS device name DoS attempt 30175 attempted-admin 2008-1809 tcp $EXTERNAL_NET any -> $HOME_NET 389 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|15973; 15973 EXPLOIT Novell eDirectory LDAP null search parameter buffer overflow attempt www.novell.com/support/viewContent.do?externalId=3843876 28757 attempted-dos 2008-0927 tcp $EXTERNAL_NET any -> $HOME_NET [8008,8028] flow:to_server,established; content:"Connection"; fast_pattern:only; pcre:"/^Connection\s*\x3a\s*\S+(.*^Connection\s*\x3a\s*\S+|[^\n]*\x2c\s*\S+).*\n\r?\n/msi"; metadata:service http; classtype:attempted-dos; 16014 DOS Novell eDirectory HTTP headers denial of service attempt 879 attempted-recon 1999-1006 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/GWWEB.EXE?HELP="; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1614 WEB-MISC Novell Groupwise gwweb.exe attempt 10877 policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"tabscotti71i.ru"; nocase; classtype:policy-violation; 16950 PHISHING-SPAM tabscotti71i.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"scoreenjoy.ru"; nocase; classtype:policy-violation; 17027 PHISHING-SPAM scoreenjoy.ru known spam email attempt 15602 attempted-dos 2005-3921 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"href|3D 22 2E 2F 2E 2E 2F 2E 2F 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2F|"; classtype:attempted-dos; 17287 WEB-MISC Cisco IOS HTTP service HTML injection attempt 14510 misc-attack 2005-4797 tcp $EXTERNAL_NET any -> $HOME_NET 515 flow:to_server,established; flowbits:isset,lp.controlfile; content:"|0A 55|"; content:"|2F|"; distance:0; classtype:misc-attack; 17353 EXPLOIT Sun Solaris printd Daemon Arbitrary File Deletion attempt 14687 attempted-user 2005-2870 udp $EXTERNAL_NET 67 -> $HOME_NET 68 content:"|63 82 53 63|"; content:"|35 01 05|"; distance:0; fast_pattern; content:"|0F|"; distance:0; content:"|20|"; within:100; classtype:attempted-user; 17433 EXPLOIT Sun Solaris DHCP Client Arbitrary Code Execution attempt 21395 attempted-admin 2006-6299 tcp $EXTERNAL_NET any -> $HOME_NET [7460,7461,7465] flow:to_server,established; content:"|FF FF FF FF|"; depth:4; offset:59; classtype:attempted-admin; 17504 EXPLOIT Novell ZENworks Asset Management buffer overflow attempt 21725 attempted-admin 2006-6424 tcp $EXTERNAL_NET any -> $HOME_NET [689,1001] flow:established,to_server; content:"STOR "; depth:5; nocase; isdataat:128,relative; content:!"|00|"; within:128; classtype:attempted-admin; 17713 EXPLOIT Novell NetMail NMAP STOR buffer overflow attempt 4794 misc-attack 2002-0882 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/StreamingStatistics"; http_uri; metadata:service http; classtype:misc-attack; 1814 WEB-MISC CISCO VoIP DOS ATTEMPT 11013 691 misc-attack 1999-0158 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/pixfir~1/how_to_login.html"; http_uri; metadata:service http; classtype:misc-attack; 1858 WEB-MISC CISCO PIX Firewall Manager directory traversal attempt 10819 attempted-user tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 flow:to_server,established; content:"friday"; classtype:attempted-user; 218 BACKDOOR MISC Solaris 2.5 attempt 2319 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 2766 flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; classtype:attempted-admin; 300 EXPLOIT nlps x86 Solaris overflow 2353 attempted-admin 2000-0306 tcp $EXTERNAL_NET any -> $HOME_NET 6373 flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; classtype:attempted-admin; 304 EXPLOIT SCO calserver overflow 4798 web-application-activity 2002-0882 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/PortInformation"; http_uri; metadata:service http; classtype:web-application-activity; 3467 WEB-MISC CISCO VoIP Portinformation access 3274 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 515 flow:to_server,established; content:"|02|//////////"; depth:11; dsize:>1000; classtype:attempted-admin; 3527 EXPLOIT Solaris LPD overflow attempt 14548 attempted-admin 2005-2551 tcp $EXTERNAL_NET any -> $HOME_NET [8008,8028] flow:to_server,established; content:"/nds/"; pcre:"/\x2fnds\x2f[^&\r\n\x3b]{500}/smi"; classtype:attempted-admin; 4127 EXPLOIT Novell eDirectory Server iMonitor overflow attempt 13678 attempted-dos 2005-1543 tcp $EXTERNAL_NET any -> $HOME_NET 1761 flow:to_server,established; content:"|00 01|"; depth:2; offset:16; byte_jump:2,0,relative; byte_jump:2,0,relative; byte_test:2,>,1499,0,relative; classtype:attempted-dos; 4129 EXPLOIT Novell ZenWorks Remote Management Agent large login packet DoS attempt 13678 attempted-dos 2005-1543 tcp $EXTERNAL_NET any -> $HOME_NET 1761 flow:to_server,established; content:"|00 01|"; depth:2; offset:16; byte_jump:2,0,relative; byte_jump:2,0,relative; byte_jump:2,0,relative; content:"|00 01 00 01 00 02|"; within:6; isdataat:30,relative; byte_test:2,>,28,0,relative; classtype:attempted-dos; 4130 EXPLOIT Novell ZenWorks Remote Management Agent buffer overflow Attempt misc-attack tcp $EXTERNAL_NET any -> $HOME_NET 515 flow:to_server,established; flowbits:isset,lp.cascade; content:"|02|"; depth:1; content:"cfA"; nocase; pcre:"/^\x02\d+ cfA/smi"; flowbits:set,lp.controlfile; flowbits:noalert; classtype:misc-attack; 4144 EXPLOIT lpd Solaris control file upload attempt shellcode-detect ip $EXTERNAL_NET any -> $HOME_NET any content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; fast_pattern:only; classtype:shellcode-detect; 640 SHELLCODE AIX NOOP shellcode-detect ip $EXTERNAL_NET any -> $HOME_NET any content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; fast_pattern:only; classtype:shellcode-detect; 641 SHELLCODE Digital UNIX NOOP 17503 attempted-admin 2006-0992 tcp $EXTERNAL_NET any -> $HOME_NET 8300 flow:to_server,established; content:"Accept-Language"; nocase; pcre:"/^Accept-Language\x3A[^\r\n]{17}/smi"; metadata:service http; classtype:attempted-admin; 6414 WEB-MISC Novell GroupWise Messenger Accept-Language header buffer overflow attempt 18026 attempted-admin 2006-2496 tcp $EXTERNAL_NET any -> $HOME_NET 8028 flow:to_server,established; content:"/nds"; nocase; http_uri; pcre:"/\x2fnds[^\r\n]{1000}/Usmi"; metadata:service http; classtype:attempted-admin; 6507 WEB-MISC novell edirectory imonitor overflow attempt network-scan tcp $EXTERNAL_NET any -> $HOME_NET 5000 flow:to_server,established; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; fast_pattern:only; classtype:network-scan; 8081 SCAN UPnP service discover attempt 14662 web-application-attack 2005-2773 tcp $EXTERNAL_NET any -> $HOME_NET 3443 flow:to_server,established; content:"/connectedNodes.ovpl"; nocase; http_uri; content:"node="; nocase; http_uri; pcre:"/connectedNodes.ovpl[^\r\n]*node=[^\r\n]*(\x2c|\x24|\x7c|\x3b|\x22|\x26|\x3c|\x3f)/Usmi"; metadata:service http; classtype:web-application-attack; 8085 WEB-MISC HP Openview NNM connectedNodes.ovpl port 3443 Unix command execution attempt 14662 web-application-attack 2005-2773 tcp $EXTERNAL_NET any -> $HOME_NET 3443 flow:to_server,established; content:"/cdpView.ovpl"; nocase; http_uri; content:"cdpnode="; nocase; http_uri; pcre:"/cdpView.ovpl[^\r\n]*cdpnode=[^\r\n]*%(\x2c|\x24|\x7c|\x3b|\x22|\x26|\x3c|\x3f)/Usmi"; metadata:service http; classtype:web-application-attack; 8086 WEB-MISC HP Openview NNM cdpView.ovpl port 3443 Unix command execution attempt 14662 web-application-attack 2005-2773 tcp $EXTERNAL_NET any -> $HOME_NET 3443 flow:to_server,established; content:"/freeIPaddrs.ovpl"; nocase; http_uri; content:"netid="; nocase; http_uri; pcre:"/freeIPaddrs.ovpl[^\r\n]*netid=[^\r\n]*%(\x2c|\x24|\x7c|\x3b|\x22|\x26|\x3c|\x3f)/Usmi"; metadata:service http; classtype:web-application-attack; 8087 WEB-MISC HP Openview NNM freeIPaddrs.ovpl port 3443 Unix command execution attempt 14662 web-application-attack 2005-2773 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/connectedNodes.ovpl"; nocase; http_uri; content:"node="; nocase; http_uri; pcre:"/connectedNodes.ovpl[^\r\n]*node=[^\r\n]*(\x2c|\x24|\x7c|\x3b|\x22|\x26|\x3c|\x3f)/Usmi"; metadata:service http; classtype:web-application-attack; 8088 WEB-MISC HP Openview NNM connectedNodes.ovpl Unix command execution attempt 14662 web-application-attack 2005-2773 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/cdpView.ovpl"; nocase; http_uri; content:"cdpnode="; nocase; http_uri; pcre:"/cdpView.ovpl[^\r\n]*cdpnode=[^\r\n]*(\x2c|\x24|\x7c|\x3b|\x22|\x26|\x3c|\x3f)/Usmi"; metadata:service http; classtype:web-application-attack; 8089 WEB-MISC HP Openview NNM cdpView.ovpl Unix command execution attempt 20655 attempted-admin 2006-5478 tcp $EXTERNAL_NET any -> $HOME_NET 8028 flow:established,to_server; content:"Host|3A|"; nocase; isdataat:63,relative; content:!"|0A|"; within:63; pcre:"/^(GET|POST)\s+[^\s]*(\x2fnds|\x2fdhost)[^\n]*\nHost\x3a\s*[^\n]{63}/i"; metadata:service http; classtype:attempted-admin; 8711 WEB-MISC Novell eDirectory HTTP redirection buffer overflow attempt 21502 attempted-admin 2006-6379 tcp $EXTERNAL_NET any -> $HOME_NET 41523 flow:to_server,established; content:"|9B|"; depth:1; isdataat:256,relative; content:!"|00|"; within:256; classtype:attempted-admin; 9633 EXPLOIT Computer Associates Product Discovery Service type 9B remote buffer overflow attempt TCP 21502 attempted-admin 2006-6379 tcp $EXTERNAL_NET any -> $HOME_NET 41523 flow:to_server,established; content:"|9C|"; depth:1; isdataat:256,relative; content:!"|00|"; within:256; classtype:attempted-admin; 9634 EXPLOIT Computer Associates Product Discovery Service type 9C remote buffer overflow attempt TCP 21502 attempted-admin 2006-6379 udp $EXTERNAL_NET any -> $HOME_NET 41524 flow:to_server; content:"|9C|"; depth:1; isdataat:256,relative; content:!"|00|"; within:256; classtype:attempted-admin; 9636 EXPLOIT Computer Associates Product Discovery Service type 9C remote buffer overflow attempt UDP 200 Server 210 Server / HTTP 26972 attempted-user 2010-0919 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3BFFE033-BF43-11D5-A271-00A024A51325"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3BFFE033-BF43-11D5-A271-00A024A51325\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(InstallBrowserHelperDll)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3BFFE033-BF43-11D5-A271-00A024A51325\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(InstallBrowserHelperDll))\s*\(/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13258 WEB-ACTIVEX IBM Lotus Domino Web Access 6 ActiveX clsid access 26972 attempted-user 2010-0919 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|B|00|F|00|F|00|E|00|0|00|3|00|3|00|-|00|B|00|F|00|4|00|3|00|-|00|1|00|1|00|D|00|5|00|-|00|A|00|2|00|7|00|1|00|-|00|0|00|0|00|A|00|0|00|2|00|4|00|A|00|5|00|1|00|3|00|2|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13259 WEB-ACTIVEX IBM Lotus Domino Web Access 6 ActiveX clsid unicode access 26972 attempted-user 2010-0919 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"iNotes6.iNotes6"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22iNotes6\.iNotes6\x22|\x27iNotes6\.iNotes6\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*InstallBrowserHelperDll\s*|.*(?P=v)\s*\.\s*InstallBrowserHelperDll\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22iNotes6\.iNotes6\x22|\x27iNotes6\.iNotes6\x27)\s*\)(\s*\.\s*InstallBrowserHelperDll\s*|.*(?P=n)\s*\.\s*InstallBrowserHelperDll\s*)\s*\(/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13260 WEB-ACTIVEX IBM Lotus Domino Web Access 6 ActiveX function call access 26972 attempted-user 2010-0919 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"i|00|N|00|o|00|t|00|e|00|s|00|6|00|.|00|i|00|N|00|o|00|t|00|e|00|s|00|6|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)i\x00N\x00o\x00t\x00e\x00s\x006\x00.\x00i\x00N\x00o\x00t\x00e\x00s\x006\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)i\x00N\x00o\x00t\x00e\x00s\x006\x00.\x00i\x00N\x00o\x00t\x00e\x00s\x006\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13261 WEB-ACTIVEX IBM Lotus Domino Web Access 6 ActiveX function call unicode access 26972 attempted-user 2010-0919 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E008A543-CEFB-4559-912F-C27C2B89F13B"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E008A543-CEFB-4559-912F-C27C2B89F13B\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(InstallBrowserHelperDll)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E008A543-CEFB-4559-912F-C27C2B89F13B\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\.(InstallBrowserHelperDll))\s*\(/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13262 WEB-ACTIVEX IBM Lotus Domino Web Access 7 ActiveX clsid access 26972 attempted-user 2010-0919 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|0|00|0|00|8|00|A|00|5|00|4|00|3|00|-|00|C|00|E|00|F|00|B|00|-|00|4|00|5|00|5|00|9|00|-|00|9|00|1|00|2|00|F|00|-|00|C|00|2|00|7|00|C|00|2|00|B|00|8|00|9|00|F|00|1|00|3|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q8>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q8)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13263 WEB-ACTIVEX IBM Lotus Domino Web Access 7 ActiveX clsid unicode access 26972 attempted-user 2010-0919 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"dwa7.dwa7"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22dwa7\.dwa7\x22|\x27dwa7\.dwa7\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*InstallBrowserHelperDll\s*|.*(?P=v)\s*\.\s*InstallBrowserHelperDll\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22dwa7\.dwa7\x22|\x27dwa7\.dwa7\x27)\s*\)(\s*\.\s*InstallBrowserHelperDll\s*|.*(?P=n)\s*\.\s*InstallBrowserHelperDll\s*)\s*\(/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13264 WEB-ACTIVEX IBM Lotus Domino Web Access 7 ActiveX function call access 26972 attempted-user 2010-0919 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"d|00|w|00|a|00|7|00|.|00|d|00|w|00|a|00|7|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q9>\x22|\x27|)d\x00w\x00a\x007\x00.\x00d\x00w\x00a\x007\x00(?P=q9)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q10>\x22|\x27|)d\x00w\x00a\x007\x00.\x00d\x00w\x00a\x007\x00(?P=q10)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13265 WEB-ACTIVEX IBM Lotus Domino Web Access 7 ActiveX function call unicode access 13418 attempted-user 2005-1383 tcp $EXTERNAL_NET any -> $HOME_NET 7778 flow:to_server,established; content:"GET /server-status"; depth:18; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15956 ORACLE http Server mod_access restriction bypass attempt 23174 attempted-user 2007-1739 tcp $EXTERNAL_NET any -> $HOME_NET 389 flow:to_server,established; content:"0|84 00 01 00|5|02 01 04|h|84 00 01 00|,|04 84 00 01 00| cn="; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 16017 SPECIFIC-THREATS IBM Lotus Domino LDAP server invalid DN message buffer overflow attempt 20841 attempted-dos 2006-4517 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/nps/servlet/webacc"; nocase; http_uri; content:"tree="; nocase; http_cookie; pcre:"/tree\s*\x3d\s*(\d{4}|25[6-9]|2[6-9]|[3-9])/mi"; metadata:policy security-ips drop; classtype:attempted-dos; 16052 WEB-CLIENT Novell iManager Tomcat http post handling DoS attempt 16523 attempted-dos 2006-0580 tcp $EXTERNAL_NET any -> $HOME_NET 389 flow:to_server,established; content:"0|0C 02 01 01|`|07 02 00 DD 04 00 80 00|"; depth:14; metadata:policy security-ips drop, service ldap; classtype:attempted-dos; 16060 SPECIFIC-THREATS IBM Lotus Domino LDAP server memory exception attempt 27387 attempted-user 2008-0401 tcp $EXTERNAL_NET any -> $HOME_NET 443 flow:to_server,established; content:"|17 03 01 00| |AB CA A4| q|EC|IW|F2|&G|CD 1D 08 F9 F5 E9|^F|BF B8 DC|F|C8|K|FC|D|99|o|9A|X|AD|"; depth:37; metadata:policy security-ips drop, service http; classtype:attempted-user; 16216 SPECIFIC-THREATS IBM Tivoli Provisioning Manager for OS deployment HTTP server buffer attempt 26972 attempted-user 2010-0919 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"classid=|27|clsid|3A|E008A543-CEFB-4559-912F-C27C2B89F13B|27|"; fast_pattern:only; content:"classid=|27|clsid|3A|3BFFE033-BF43-11D5-A271-00A024A51325|27|"; distance:0; metadata:policy security-ips drop, service http; classtype:attempted-user; 16671 SPECIFIC-THREATS IBM Lotus Domino Web Access ActiveX exploit attempt 22960 web-application-attack 2007-0450 tcp $EXTERNAL_NET any -> $HOME_NET 8080 flow:established,to_server; content:"/%5C../"; fast_pattern:only; content:"/%5C../"; nocase; http_raw_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:web-application-attack; 17391 WEB-MISC Tomcat UNIX platform directory traversal tomcat.apache.org/tomcat-6.0-doc/changelog.html 26972 attempted-user 2010-0919 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E008A543-CEFB-4559-912F-C27C2B89F13B"; fast_pattern:only; nocase; content:"unescape|28 27 25 75 34|"; nocase; metadata:policy security-ips alert, service http; classtype:attempted-user; 17466 SPECIFIC-THREATS IBM Lotus Domino Web Access 7 ActiveX exploit attempt 22960 web-application-attack 2007-0450 tcp $EXTERNAL_NET any -> $HOME_NET 8080 flow:established,to_server; content:"/|5C|../"; fast_pattern:only; content:"/|5C|../"; nocase; http_raw_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:web-application-attack; 17498 WEB-MISC Tomcat UNIX platform directory traversal tomcat.apache.org/tomcat-6.0-doc/changelog.html 22960 web-application-attack 2007-0450 tcp $EXTERNAL_NET any -> $HOME_NET 8080 flow:established,to_server; content:"/..|5C|/"; fast_pattern:only; content:"/..|5C|/"; http_raw_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:web-application-attack; 17499 WEB-MISC Tomcat UNIX platform directory traversal tomcat.apache.org/tomcat-6.0-doc/changelog.html 22960 web-application-attack 2007-0450 tcp $EXTERNAL_NET any -> $HOME_NET 8080 flow:established,to_server; content:"/..%5C/"; fast_pattern:only; content:"/..%5C/"; http_raw_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:web-application-attack; 17500 WEB-MISC Tomcat UNIX platform directory traversal tomcat.apache.org/tomcat-6.0-doc/changelog.html 22960 web-application-attack 2007-0450 tcp $EXTERNAL_NET any -> $HOME_NET 8080 flow:established,to_server; content:"/%2E%2E"; fast_pattern:only; content:"/%2E%2E"; nocase; http_raw_uri; pcre:"/\/%2E%2E(\\|%5C)\//"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:web-application-attack; 17501 WEB-MISC Tomcat UNIX platform directory traversal tomcat.apache.org/tomcat-6.0-doc/changelog.html 22960 web-application-attack 2007-0450 tcp $EXTERNAL_NET any -> $HOME_NET 8080 flow:established,to_server; content:"%2E%2E/"; fast_pattern:only; content:"%2E%2E/"; nocase; http_raw_uri; pcre:"/\/(\\|%5C)%2E%2E\//"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:web-application-attack; 17502 WEB-MISC Tomcat UNIX platform directory traversal tomcat.apache.org/tomcat-6.0-doc/changelog.html 38457 attempted-user 2010-0919 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; isdataat:1024; content:"ctrl.InstallBrowserHelperDll"; nocase; content:"General_ServerName"; nocase; content:!">"; within:1024; pcre:"/(3BFFE033-BF43-11d5-A271-00A024A51325|iNotes6\.iNotes6|E008A543-CEFB-4559-912F-C27C2B89F13B|dwa7\.dwa7|983A9C21-8207-4B58-BBB8-0EBC3D7C5505|dwa85?\.dwa85?|75AA409D-05F9-4f27-BD53-C7339D4B1D0A)/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17545 WEB-ACTIVEX Lotus Domino Web Access ActiveX Controls buffer overflow attempt www-01.ibm.com/support/docview.wss?uid=swg21421808 211 Server / HTTP / Common 2527 web-application-attack 2001-0590 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"%252ejsp"; http_uri; metadata:service http; classtype:web-application-attack; 1056 WEB-MISC Tomcat view source attempt 2173 web-application-attack 2001-0009 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".nsf/"; http_uri; content:"../"; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1072 WEB-MISC Lotus Domino directory traversal 12248 1532 attempted-recon 2000-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/jsp/snp/"; http_uri; content:".snp"; http_uri; metadata:service http; classtype:attempted-recon; 1108 WEB-MISC Tomcat server snoop access 10478 1548 attempted-recon 2000-0672 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/contextAdmin/contextAdmin.html"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1111 WEB-MISC Tomcat server exploit access 10477 attempted-dos 1999-0474 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".html/......"; nocase; http_uri; metadata:service http; classtype:attempted-dos; 1115 WEB-MISC ICQ webserver DOS www.securiteam.com/exploits/2ZUQ1QAQOG.html attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/catalog.nsf"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1150 WEB-MISC Domino catalog.nsf access 10629 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/domcfg.nsf"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1151 WEB-MISC Domino domcfg.nsf access 10629 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/domlog.nsf"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1152 WEB-MISC Domino domlog.nsf access 10629 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/log.nsf"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1153 WEB-MISC Domino log.nsf access 10629 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/names.nsf"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1154 WEB-MISC Domino names.nsf access 10629 web-application-activity 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"Mode=debug"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1540 WEB-COLDFUSION ?Mode=debug attempt 10797 4022 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/mab.nsf"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1575 WEB-MISC Domino mab.nsf access 10953 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cersvr.nsf"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1576 WEB-MISC Domino cersvr.nsf access 10629 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/setup.nsf"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1577 WEB-MISC Domino setup.nsf access 10629 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/statrep.nsf"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1578 WEB-MISC Domino statrep.nsf access 10629 9901 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/webadmin.nsf"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1579 WEB-MISC Domino webadmin.nsf access 10629 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/events4.nsf"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1580 WEB-MISC Domino events4.nsf access 10629 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ntsync4.nsf"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1581 WEB-MISC Domino ntsync4.nsf access 10629 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/collect4.nsf"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1582 WEB-MISC Domino collect4.nsf access 10629 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/mailw46.nsf"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1583 WEB-MISC Domino mailw46.nsf access 10629 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/bookmark.nsf"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1584 WEB-MISC Domino bookmark.nsf access 10629 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/agentrunner.nsf"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1585 WEB-MISC Domino agentrunner.nsf access 10629 881 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/mail.box"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1586 WEB-MISC Domino mail.box access 10629 attempted-recon 2001-0535 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/sendmail.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1659 WEB-COLDFUSION sendmail.cfm access 5193 web-application-attack 2002-0682 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/servlet/"; http_uri; content:"/org.apache."; http_uri; metadata:service http; classtype:web-application-attack; 1827 WEB-MISC Tomcat servlet mapping cross site scripting attempt 11041 4575 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/examples/servlet/TroubleShooter"; http_uri; metadata:service http; classtype:web-application-activity; 1829 WEB-MISC Tomcat TroubleShooter servlet access 11046 4575 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/examples/servlet/SnoopServlet"; http_uri; metadata:service http; classtype:web-application-activity; 1830 WEB-MISC Tomcat SnoopServlet servlet access 11046 6721 web-application-attack 2003-0042 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"|00|.jsp"; http_uri; metadata:service http; classtype:web-application-attack; 2061 WEB-MISC Tomcat null byte directory listing attempt 11438 550 attempted-user 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"CFNEWINTERNALADMINSECURITY|28 29|"; fast_pattern:only; metadata:service http; classtype:attempted-user; 8485 WEB-COLDFUSION CFNEWINTERNALADMINSECURITY access 550 attempted-user 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"CFNEWINTERNALREGISTRY|28 29|"; fast_pattern:only; metadata:service http; classtype:attempted-user; 8486 WEB-COLDFUSION CFNEWINTERNALREGISTRY access 550 attempted-user 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"CFADMIN_REGISTRY_SET|28 29|"; fast_pattern:only; metadata:service http; classtype:attempted-user; 8487 WEB-COLDFUSION CFADMIN_REGISTRY_SET access 550 attempted-user 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"CFADMIN_REGISTRY_GET|28 29|"; fast_pattern:only; metadata:service http; classtype:attempted-user; 8488 WEB-COLDFUSION CFADMIN_REGISTRY_GET access 550 attempted-user 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"CFADMIN_REGISTRY_DELETE|28 29|"; fast_pattern:only; metadata:service http; classtype:attempted-user; 8489 WEB-COLDFUSION CFADMIN_REGISTRY_DELETE access 550 attempted-recon 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfdocs/snippets/viewexample.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 8490 WEB-COLDFUSION viewexample.cfm access 550 attempted-recon 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfdocs/expeval/eval.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 8491 WEB-COLDFUSION eval.cfm access 550 attempted-recon 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfdocs/expeval/openfile.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 8492 WEB-COLDFUSION openfile.cfm access 550 attempted-recon 1999-0922 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfdocs/exampleapp/docs/sourcewindow.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 8493 WEB-COLDFUSION sourcewindow.cfm access 917 attempted-recon 2000-0057 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfcache.map"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 903 WEB-COLDFUSION cfcache.map access 1021 attempted-recon 2001-0535 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfdocs/exampleapp/email/application.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 904 WEB-COLDFUSION exampleapp application.cfm 1021 attempted-recon 2001-0535 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfdocs/exampleapp/publish/admin/application.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 905 WEB-COLDFUSION application.cfm access 229 attempted-recon 2001-0535 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfdocs/exampleapp/email/getfile.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 906 WEB-COLDFUSION getfile.cfm access attempted-recon 2001-0535 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfdocs/exampleapp/publish/admin/addcontent.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 907 WEB-COLDFUSION addcontent.cfm access 1314 attempted-recon 2000-0538 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfide/administrator/index.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 908 WEB-COLDFUSION administrator access 10581 550 web-application-attack 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 909 WEB-COLDFUSION datasource username attempt 550 attempted-recon 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfdocs/snippets/fileexists.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 910 WEB-COLDFUSION fileexists.cfm access 550 attempted-recon 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfdocs/expeval/exprcalc.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 911 WEB-COLDFUSION exprcalc access 550 attempted-recon 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfdocs/examples/parks/detail.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 912 WEB-COLDFUSION parks access 550 attempted-recon 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfappman/index.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 913 WEB-COLDFUSION cfappman access 550 attempted-recon 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfdocs/examples/cvbeans/beaninfo.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 914 WEB-COLDFUSION beaninfo access 550 attempted-recon 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfdocs/snippets/evaluate.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 915 WEB-COLDFUSION evaluate.cfm access 550 web-application-attack 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 916 WEB-COLDFUSION getodbcdsn access 550 web-application-attack 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 917 WEB-COLDFUSION db connections flush attempt 550 attempted-user 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfdocs/expeval/"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-user; 918 WEB-COLDFUSION expeval access 550 web-application-attack 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 919 WEB-COLDFUSION datasource passwordattempt 550 web-application-attack 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 920 WEB-COLDFUSION datasource attempt 550 web-application-attack 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 921 WEB-COLDFUSION admin encrypt attempt 550 web-application-attack 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfdocs/expeval/displayopenedfile.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 922 WEB-COLDFUSION displayfile access 550 web-application-attack 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 923 WEB-COLDFUSION getodbcin attempt 550 web-application-attack 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"CFUSION_DECRYPT|28 29|"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 924 WEB-COLDFUSION admin decrypt attempt 550 attempted-recon 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfdocs/examples/mainframeset.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 925 WEB-COLDFUSION mainframeset access 550 web-application-attack 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 926 WEB-COLDFUSION set odbc ini attempt 550 web-application-attack 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 927 WEB-COLDFUSION settings refresh attempt attempted-recon 2001-0535 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfdocs/exampleapp/"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 928 WEB-COLDFUSION exampleapp access 550 attempted-user 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|"; fast_pattern:only; metadata:service http; classtype:attempted-user; 929 WEB-COLDFUSION CFUSION_VERIFYMAIL access 550 attempted-recon 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfdocs/snippets/"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 930 WEB-COLDFUSION snippets attempt 550 attempted-recon 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfdocs/cfmlsyntaxcheck.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 931 WEB-COLDFUSION cfmlsyntaxcheck.cfm access 550 attempted-recon 2000-0189 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/application.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 932 WEB-COLDFUSION application.cfm access 550 attempted-recon 2000-0189 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/onrequestend.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 933 WEB-COLDFUSION onrequestend.cfm access 247 web-application-attack 1999-0756 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfide/administrator/startstop.html"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 935 WEB-COLDFUSION startstop DOS access 550 attempted-recon 1999-0760 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfdocs/snippets/gettempdirectory.cfm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 936 WEB-COLDFUSION gettempdirectory.cfm access attempted-admin 2008-4008 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"POST"; depth:4; nocase; content:"Transfer-Encoding|3A|"; distance:0; nocase; isdataat:256,relative; pcre:"/^Transfer-Encoding\x3A\s*[^\r\n]{256}/smi"; metadata:policy security-ips drop, service http; classtype:attempted-admin; 14771 WEB-MISC BEA WebLogic Apache Oracle connector Transfer-Encoding buffer overflow support.bea.com/application_content/product_portlets/securityadvisories/2806.html 16153 attempted-user 2005-3656 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"Authorization|3A| Basic dGVzdCVuJW4lbjpmb29iYXI="; http_header; metadata:policy security-ips drop, service http; classtype:attempted-user; 16198 SPECIFIC-THREATS Apache mod_auth_pgsql module logging facility format string exploit attempt 38494 attempted-admin 2010-0425 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"1|C0|1|C9|d|8B|q0|8B|v|0C 8B|v|1C 8B|V|08 8B|~ |8B|6f9O|14|u|F2|f|B9 01|mf|81 E9 94|lf9|0F|f|89 C1|u|E1 89 E5 EB|q`|8B|l|24 24 8B|E<|8B|T|05|x|01 EA 8B|J|18 8B|Z |01 EB E3|4I|8B|4|8B 01 EE|1|FF|1|C0 FC AC 84 C0|t|07 C1 CF 0D 01 C7 EB F4 3B 7C 24 28|u|E1 8B|Z|24 01 EB|f|8B 0C|K|8B|Z|1C 01 EB 8B 04 8B 01 E8 89|D|24 1C|a|C3 AD|PR|E8 AA FF FF FF 89 07|f|81 C4 0C 01|f|81 EC 04 01|f|81 C7 08 01|f|81 EF 04 01|9|CE|u|DE C3 EB 10|^|8D|}|04 89 F1 80 C1 0C E8 CD FF FF FF EB 3B E8 EB FF FF FF|n|7C|.|E1 1E|<?|D7|t|1E|H|CD|1|D2|X|88|P|07 EB|/1|D2|Y|88|Q|01 EB|.QP|FF|U|04 EB|,1|D2|Y|88|Q|09 EB|3QP|89 C6 FF|U|08|S|FF|U|0C E8 D1 FF FF FF|sos.txtN|E8 CC FF FF FF|wN|E8 CD FF FF FF E8 CF FF FF FF|pwn-isapiN|E8 C8 FF FF FF 90 90 90 90|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 16479 SPECIFIC-THREATS Apache mod_isapi dangling pointer exploit attempt - public shell code 38494 attempted-admin 2010-0425 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"Proxy-Connection|3A| Keep-Alive|0D 0A|Okytuasd|3A| AAAA"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 16480 SPECIFIC-THREATS Apache mod_isapi dangling pointer exploit attempt 26663 web-application-attack 2007-6203 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"<PROCHECKUP>"; depth:12; nocase; metadata:policy security-ips drop, service http; classtype:web-application-attack; 16611 WEB-MISC Apache 413 error HTTP request method cross-site scripting attack 36954 attempted-admin 2009-3548 tcp $EXTERNAL_NET any -> $HOME_NET 8081 flow:to_server,established; content:"/manager"; nocase; content:"Authorization"; distance:0; nocase; content:"Basic"; within:50; nocase; content:"b3Z3ZWJ1c3I6T3ZXKmJ1c3Ix"; within:100; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 17156 EXPLOIT HP Performance Manager Apache Tomcat policy bypass attempt 30633 suspicious-filename-detect 2008-2938 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"|25|ae|2F|"; pcre:"/(((\xc0|\xe0\x80|\xf0\x80\x80)\xaf|\x2f)((\xc0|\xe0\x80|\xf0\x80\x80)\xae|\x2e){2}|(((\xc0|\xe0\x80|\xf0\x80\x80)\xae|\x2e){2}(\xc0|\xe0\x80|\xf0\x80\x80)\xaf|\x2f))/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:suspicious-filename-detect; 17387 WEB-MISC Apache Tomcat allowLinking URIencoding directory traversal attempt 32104 attempted-recon 2008-6505 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"/struts/"; nocase; content:"|25|252f"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-recon; 17533 WEB-MISC Apache Struts Information Disclosure Attempt attempted-user 2006-3747 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"ldap:/"; nocase; http_uri; pcre:"/\x3F[^\x3F]*\x3F[^\x3F]*\x3F[^\x3F]*\x3F[^\x3F]*\x3F/U"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17656 WEB-MISC Apache HTTP server mod_rewrite module LDAP scheme handling buffer overflow attempt 35196 attempted-recon 2009-0580 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"j_username="; nocase; content:"j_password=%"; nocase; metadata:policy security-ips alert, service http; classtype:attempted-recon; 18096 WEB-MISC Apache Tomcat username enumeration attempt 212 Server / HTTP / Apache 1457 attempted-recon 2000-0628 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/site/eg/source.asp"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1110 WEB-MISC apache source.asp file access 10480 7254 web-application-attack 2003-0132 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"|0D 0A 0D 0A|"; pcre:"/(\x0d\x0a){100}/"; metadata:service http; classtype:web-application-attack; 11272 WEB-MISC Apache newline exploit attempt attempted-dos 2004-0942 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"HTTP/1."; pcre:"/HTTP\/1.[01]\n.*[\x20\t]{200}/si"; metadata:service http; classtype:attempted-dos; 11273 WEB-MISC Apache header parsing space saturation denial of service attempt attempted-admin 2006-3747 tcp $EXTERNAL_NET any -> $HOME_NET 80 flow:established,to_server; content:"GET"; nocase; content:"ldap|3A|"; distance:0; pcre:"/ldap\x3A\x2F\x2F[^\x0A]*(%3f|\x3F)[^\x0A]*(%3f|\x3F)[^\x0A]*(%3f|\x3F)[^\x0A]*(%3f|\x3F)/smi"; metadata:service http; classtype:attempted-admin; 11679 WEB-MISC Apache mod_rewrite buffer overflow attempt 7723 attempted-user 2003-0245 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"propfind xmlns|3A|"; isdataat:514,relative; pcre:"/propfind xmlns\x3A[^\x3D]*\x3d\x22[^\x22]{512}/smi"; metadata:service http; classtype:attempted-user; 12465 EXPLOIT Apache APR memory corruption attempt 24649 denial-of-service 2007-1863 tcp $EXTERNAL_NET any -> $HOME_NET 80 flow:established,to_server; content:"Cache-Control|3A|"; fast_pattern:only; nocase; pcre:"/^Cache-Control\x3A\s*(max-(age|stale)|min-fresh|s-maxage)\s*\x3D[^\d]+\x0A/smi"; classtype:denial-of-service; 12591 DOS Apache mod_cache denial of service attempt 26070 successful-recon-limited 2007-5461 tcp $EXTERNAL_NET any -> $HOME_NET 8080 flow:established,to_server; content:"<!ENTITY RemoteX SYSTEM"; nocase; classtype:successful-recon-limited; 12711 WEB-MISC Apache Tomcat WebDAV system tag remote file disclosure attempt issues.apache.org/jira/browse/GERONIMO-3549 26838 web-application-attack 2007-5000 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".map/"; nocase; http_uri; content:"script"; nocase; pcre:"/.map/[^\n]*script[^\n]*script/i"; metadata:service http; classtype:web-application-attack; 13302 WEB-CLIENT Apache mod_imagemap cross site scripting attempt 3009 web-application-activity 2001-0731 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/?M=D"; http_uri; metadata:service http; classtype:web-application-activity; 1519 WEB-MISC apache ?M=D directory list attempt 10704 30273 attempted-admin 2008-3257 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"POST"; nocase; http_method; content:"AAAAAAAAAAAAAAAAAAAA"; depth:100; metadata:service http; classtype:attempted-admin; 15511 SPECIFIC-THREATS Oracle WebLogic Apache Connector buffer overflow attempt www.oracle.com/technology/deploy/security/alerts/alert_cve2008-3257.html attempted-dos 2007-0086 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0|3B| .NET CLR 1.1.4322|3B| .NET CLR 2.0.503l3|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729|3B| MSOffice 12|29 0D 0A|"; http_header; content:"Content-Length|3A| 42"; http_header; metadata:service http; classtype:attempted-dos; 15578 SPECIFIC-THREATS Slowloris http DoS tool 10736 attempted-user 2004-0700 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"https"; nocase; http_uri; pcre:"/^[a-z]+\s+https\x3a\x2f\x2f[^\x2f\x3a\x25\s]*\x25[sn]/i"; metadata:service http; classtype:attempted-user; 15980 WEB-MISC Apache mod_ssl hook functions format string attempt 20527 attempted-user 2006-4154 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"application/x-www-form-urlencoded"; http_header; content:"abc=%25s%25s"; fast_pattern; metadata:service http; classtype:attempted-user; 16021 SPECIFIC-THREATS Apache http Server mod_tcl format string attempt 22791 attempted-admin 2007-0774 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; urilen:>1024; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; http_uri; classtype:attempted-admin; 17107 SPECIFIC-THREATS Apache Tomcat JK Web Server Connector long URL stack overflow attempt - 1 22791 attempted-admin 2007-0774 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; urilen:>1440; content:"GET /"; depth:5; pcre:"/^\x2F[a-z0-9]{16}[^a-z0-9\x2F\x3F\x26]/iU"; classtype:attempted-admin; 17108 SPECIFIC-THREATS Apache Tomcat JK Web Server Connector long URL stack overflow attempt - 2 14660 attempted-dos 2005-2728 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established, to_server; content:"POST"; nocase; http_method; content:"Range|3A| bytes|3D|"; nocase; http_header; classtype:attempted-dos; 17354 SPECIFIC-THREATS Apache Byte-Range Filter denial of service attempt 5033 web-application-activity 2002-0392 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; metadata:service http; classtype:web-application-activity; 1808 WEB-MISC apache chunked encoding memory corruption exploit attempt 5033 web-application-attack 2002-0392 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"CCCCCCC|3A| AAAAAAAAAAAAAAAAAAA"; nocase; metadata:service http; classtype:web-application-attack; 1809 WEB-MISC Apache Chunked-Encoding worm attempt 10932 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"cmd.exe"; fast_pattern; nocase; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:web-application-attack; 1002 WEB-IIS cmd.exe access attempted-user 2009-0080 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS gid:3; classtype:attempted-user; flowbits:isset,asp.upload; metadata: engine shared, soid 3|15470, service http, policy balanced-ips drop, policy security-ips drop; 15470 WEB-MISC IIS ASP/ASP.NET potentially malicious file upload attempt www.microsoft.com/technet/security/bulletin/MS09-012.mspx 27676 web-application-attack 2008-0075 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS gid:3; classtype:web-application-attack; metadata: engine shared, soid 3|15974, service http, policy balanced-ips drop, policy security-ips drop; 15974 EXPLOIT Microsoft IIS ASP handling buffer overflow www.microsoft.com/technet/security/bulletin/ms08-006.mspx 15921 attempted-dos 2005-4360 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".dll/%3a/~9"; depth:11; offset:18; metadata:policy security-ips drop, service http; classtype:attempted-dos; 16147 SPECIFIC-THREATS Microsoft IIS malformed URL .dll denial of service attempt www.microsoft.com/technet/security/bulletin/ms07-041.mspx attempted-admin 2009-2509 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|16312, service http, policy balanced-ips drop, policy security-ips drop; 16312 WEB-IIS ADFS custom header arbitrary code execution attempt www.microsoft.com/technet/security/bulletin/MS09-070.mspx web-application-attack 2009-4444 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:".asp|3B|."; fast_pattern; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:web-application-attack; 16356 WEB-IIS multiple extension code execution attempt web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"cmd32.exe"; fast_pattern; nocase; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:web-application-attack; 1661 WEB-IIS cmd32.exe access web-application-attack 2010-2731 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"$i30:$INDEX_ALLOCATION"; nocase; http_uri; metadata:policy security-ips drop, service http; classtype:web-application-attack; 17103 WEB-IIS IIS 5.1 alternate data stream authentication bypass attempt www.microsoft.com/technet/security/bulletin/MS10-065.mspx attempted-dos 2010-1899 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|17254, service http, policy balanced-ips drop, policy security-ips drop; 17254 WEB-MISC Microsoft IIS stack exhaustion DoS attempt www.microsoft.com/technet/security/bulletin/MS10-065.mspx attempted-admin 2010-2730 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|17255, service http, policy security-ips drop; 17255 EXPLOIT Microsoft IIS FastCGI heap overflow attempt www.microsoft.com/technet/security/bulletin/MS10-065.mspx misc-activity 2009-0085 tcp $EXTERNAL_NET any -> $HOME_NET 443 flow:to_server,established; content:"|1D 1D 55 69 8B 83 B2 CF 4A 71 6F A1 45 62 8C 7C BD 98 79 15 E5 85 EB 87 5B FC 06 04 D7 14 03 01 00 01 01 16 03|"; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; classtype:misc-activity; 17431 EXPLOIT Microsoft IIS SChannel improper certificate verification www.microsoft.com/technet/security/bulletin/ms09-007.mspx 35232 attempted-admin 2009-1122 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"POST"; nocase; content:"|25 32 35 25 33 37 25 33 30 25 32 35 25 33 37 25|"; within:16; distance:2; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 17525 SPECIFIC-THREATS Microsoft IIS 5.0 WebDav Request Directory Security Bypass 34993 attempted-admin 2009-1535 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/%c0%af/"; pcre:"/^(GET|OPTIONS|HEAD|POST|PUT|DELETE|CONNECT|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK)[^\r\n]*\s+[^\r\n]*\x2f\x25c0\x25af\x2f/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 17564 WEB-IIS WebDAV Request Directory Security Bypass attempt misc-attack 2005-2678 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"http|3A 2F|localhost"; nocase; http_uri; metadata:policy security-ips drop, service http; classtype:misc-attack; 17652 WEB-MISC Microsoft IIS source code disclosure attempt secunia.com/advisories/16548 misc-attack 2005-2678 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"host"; nocase; http_header; content:"localhost"; nocase; http_header; pcre:"/^Host\s*\x3A\s*localhost\s/miH"; metadata:policy security-ips drop, service http; classtype:misc-attack; 17653 WEB-MISC Microsoft IIS source code disclosure attempt secunia.com/advisories/16548 45542 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"|EF 83 B0 EF 83 B0 EF 83 B0 EF 83 B0 EF 83 B0 EF 83 B0 EF 83|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp; classtype:attempted-admin; 18243 SPECIFIC-THREATS Microsoft Windows 7 IIS7.5 FTPSVC buffer overflow attempt 7116 attempted-admin 2003-0109 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"SEARCH / HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 2091 WEB-IIS WEBDAV nessus safe scan attempt 11413 www.microsoft.com/technet/security/bulletin/ms03-007.mspx 213 Server / HTTP / Microsoft IIS 2280 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/bdir.htr"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1000 WEB-IIS bdir.htr access 10577 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".cmd?&"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1003 WEB-IIS cmd? access web-application-activity 1999-0815 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/iissamples/exair/howitworks/codebrws.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1004 WEB-IIS codebrowser Exair access 167 web-application-activity 1999-0736 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/iissamples/sdk/asp/docs/codebrws.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1005 WEB-IIS codebrowser SDK access 1595 web-application-attack 2000-1104 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/Form_JScript.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1007 WEB-IIS Form_JScript.asp access 10572 www.microsoft.com/technet/security/bulletin/MS00-060.mspx web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"&del+/s+c|3A 5C|*.*"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1008 WEB-IIS del attempt web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ServerVariables_Jscript.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1009 WEB-IIS directory listing 10573 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"|23|filename=*.exe"; fast_pattern:only; metadata:service http; classtype:web-application-activity; 1011 WEB-IIS exec-src access 2252 web-application-attack 1999-1376 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/fpcount.exe"; fast_pattern; nocase; http_uri; content:"Digits="; nocase; metadata:service http; classtype:web-application-attack; 1012 WEB-IIS fpcount attempt 2252 web-application-activity 1999-1376 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/fpcount.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1013 WEB-IIS fpcount access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/scripts/tools/getdrvs.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1015 WEB-IIS getdrvs.exe access web-application-activity 2000-0778 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/global.asa"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1016 WEB-IIS global.asa access 10991 web-application-attack 1999-0874 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"|23|filename=*.idc"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1017 WEB-IIS idc-srch attempt 2110 web-application-attack 1999-0407 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/iisadmpwd/aexp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1018 WEB-IIS iisadmpwd attempt 10371 950 web-application-attack 2000-0097 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"CiWebHitsFile="; nocase; http_uri; pcre:"/CiWebHitsFile=\/?([^\r\n\x3b\&]*\.\.\/)?/i"; content:"CiRestriction=none"; fast_pattern; nocase; http_uri; content:"ciHiliteType=Full"; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1019 WEB-IIS Malformed Hit-Highlighting Argument File Access Attempt www.securityfocus.com/archive/1/43762 307 web-application-attack 1999-0874 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".idc|3A 3A 24|data"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1020 WEB-IIS isc$data attempt 10116 1193 web-application-attack 2000-0457 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:" .htr"; fast_pattern; nocase; http_uri; pcre:"/\s{230,}.htr/U"; metadata:service http; classtype:web-application-attack; 1021 WEB-IIS ism.dll attempt 10680 www.microsoft.com/technet/security/bulletin/MS00-031.mspx 286 web-application-activity 1999-0874 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/advworks/equipment/catalog_type.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1022 WEB-IIS jet vba access www.microsoft.com/technet/security/bulletin/ms99-030.mspx 529 web-application-activity 1999-1011 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/msadcs.dll"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1023 WEB-IIS msadcs.dll access 10357 www.microsoft.com/technet/security/bulletin/ms99-025.mspx 1818 web-application-activity 1999-0191 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/scripts/tools/newdsn.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1024 WEB-IIS newdsn.exe access 10360 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/scripts/perl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1025 WEB-IIS perl access 6833 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"|0A|.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1026 WEB-IIS perl-browse newline attempt 6833 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:" .pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1027 WEB-IIS perl-browse space attempt 193 web-application-activity 1999-0449 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/issamples/query.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1028 WEB-IIS query.asp access web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/scripts/ "; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1029 WEB-IIS scripts-browse access 11032 162 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/search97.vts"; http_uri; metadata:service http; classtype:web-application-activity; 1030 WEB-IIS search97.vts access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/SiteServer/Publishing/viewcode.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1031 WEB-IIS /SiteServer/Publishing/viewcode.asp access 10576 web-application-activity 1999-0737 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/Sites/Knowledge/Membership/Inspired/ViewCode.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1032 WEB-IIS showcode access 10576 www.microsoft.com/technet/security/bulletin/ms99-013.mspx web-application-activity 1999-0737 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1033 WEB-IIS viewcode access 10576 www.microsoft.com/technet/security/bulletin/ms99-013.mspx web-application-activity 1999-0737 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1034 WEB-IIS viewcode access 10576 www.microsoft.com/technet/security/bulletin/ms99-013.mspx web-application-activity 1999-0737 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/Sites/Samples/Knowledge/Push/ViewCode.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1035 WEB-IIS viewcode access 10576 www.microsoft.com/technet/security/bulletin/ms99-013.mspx web-application-activity 1999-0737 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/Sites/Samples/Knowledge/Search/ViewCode.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1036 WEB-IIS viewcode access 10576 www.microsoft.com/technet/security/bulletin/ms99-013.mspx 167 web-application-activity 1999-0736 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/showcode.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1037 WEB-IIS showcode.asp access 10007 www.microsoft.com/technet/security/bulletin/MS99-013.mspx 256 web-application-activity 1999-1520 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/adsamples/config/site.csc"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1038 WEB-IIS site server config access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/samples/isapi/srch.htm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1039 WEB-IIS srch.htm access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/srchadm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1040 WEB-IIS srchadm access 11032 1811 web-application-activity 1999-0360 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/scripts/uploadn.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1041 WEB-IIS uploadn.asp access web-application-activity 1999-0737 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/viewcode.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1043 WEB-IIS viewcode.asp access 10576 950 web-application-activity 2000-0097 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".htw"; http_uri; metadata:service http; classtype:web-application-activity; 1044 WEB-IIS webhits access web-application-attack tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any flow:to_server,established; content:"403"; content:"Forbidden|3A|"; metadata:service http; classtype:web-application-attack; 1045 WEB-IIS Unauthorized IP Access Attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/site/iisamples"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1046 WEB-IIS site/iisamples access 10370 1811 web-application-activity 1999-0360 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/scripts/postinfo.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1075 WEB-IIS postinfo.asp access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/scripts/repost.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1076 WEB-IIS repost.asp access 10372 22861 attempted-user 2007-0938 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/NR/exeres/"; fast_pattern; nocase; http_uri; content:"frameless"; http_uri; content:!",frameless"; http_uri; metadata:service http; classtype:attempted-user; 11191 WEB-IIS Microsoft Content Management Server memory corruption www.microsoft.com/technet/security/bulletin/ms07-018.mspx 11384 denial-of-service 2003-0718 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"PROPFIND"; depth:8; nocase; pcre:"/(xmlns\x3A.*?){15}/"; classtype:denial-of-service; 12043 DOS Microsoft XML parser IIS WebDAV attack attempt 15921 attempted-dos 2005-4360 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/_vti_bin/.dll/"; pcre:"/\/_vti_bin\/\.dll\/(%(0[1-9]|1[0-f])|%3f|\x22|\x2a|\x3a|<|>)[\\\/]~[0-9]/Ui"; metadata:service http; classtype:attempted-dos; 12064 WEB-IIS w3svc _vti_bin null pointer dereference attempt www.microsoft.com/technet/security/bulletin/ms07-041.mspx 1065 web-application-activity 2000-0071 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".ida"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1242 WEB-IIS ISAPI .ida access 1065 web-application-attack 2001-0500 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".ida?"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1243 WEB-IIS ISAPI .ida attempt 968 web-application-attack 2001-0500 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".idq?"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1244 WEB-IIS ISAPI .idq attempt 10115 1065 web-application-activity 2000-0071 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".idq"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1245 WEB-IIS ISAPI .idq access web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/root.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1256 WEB-IIS CodeRed v2 root.exe access www.cert.org/advisories/CA-2001-19.html 18858 attempted-user 2006-0026 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"Content-Disposition|3A| form-data"; http_header; content:"filename="; nocase; http_header; content:"<!--|23|include"; distance:0; fast_pattern; nocase; pcre:"/filename\x3d\x22[^\x22]*asp/smiH"; pcre:"/\x3c\x21\x2d\x2d\x23include\s+file\s*=\s*.{250,}-->/smi"; metadata:service http; classtype:attempted-user; 12595 WEB-IIS malicious ASP file upload attempt www.microsoft.com/technet/security/bulletin/ms06-034.mspx 3223 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/exchange/LogonFrm.asp?"; fast_pattern; nocase; http_uri; content:"mailbox="; nocase; content:"%%%"; metadata:service http; classtype:web-application-attack; 1283 WEB-IIS outlook web dos web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/msdac/"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1285 WEB-IIS msdac access 11032 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_mem_bin/"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1286 WEB-IIS _mem_bin access 11032 1595 web-application-attack 2000-1104 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/Form_VBScript.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1380 WEB-IIS Form_VBScript.asp access 10572 www.microsoft.com/technet/security/bulletin/MS00-060.mspx web-application-attack 2008-0075 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS gid:3; classtype:web-application-attack; metadata: engine shared, soid 3|13922; 13922 WEB-IIS Microsoft IIS HTMLEncode Unicode string buffer overflow www.microsoft.com/technet/security/bulletin/ms08-006.mspx web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/scripts/samples/"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1400 WEB-IIS /scripts/samples/ access 10370 167 web-application-attack 1999-0736 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/msadc/samples/"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1401 WEB-IIS /msadc/samples/ access 1007 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/iissamples/"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1402 WEB-IIS iissamples access 11032 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/mkilog.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1485 WEB-IIS mkilog.exe access 10359 www.osvdb.org/274 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ctss.idc"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1486 WEB-IIS ctss.idc access 10359 4236 web-application-activity 2002-0421 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/iisadmpwd/aexp2.htr"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1487 WEB-IIS /iisadmpwd/aexp2.htr access 10371 3301 web-application-attack 2001-0660 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/exchange/root.asp?acs=anon"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1567 WEB-IIS /exchange/root.asp attempt 10781 www.microsoft.com/technet/security/bulletin/MS01-047.mspx 3301 web-application-activity 2001-0660 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/exchange/root.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1568 WEB-IIS /exchange/root.asp access 10781 964 web-application-activity 2000-0256 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/htimage.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1595 WEB-IIS htimage.exe access 10376 4485 web-application-attack 2002-0079 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".asp"; nocase; http_uri; content:"Transfer-Encoding|3A|"; nocase; http_header; content:"chunked"; nocase; http_header; metadata:service http; classtype:web-application-attack; 1618 WEB-IIS .asp chunked Transfer-Encoding 10932 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/StoreCSVS/InstantOrder.asmx"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1626 WEB-IIS /StoreCSVS/InstantOrder.asmx request web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/trace.axd"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1660 WEB-IIS trace.axd access 10993 1488 web-application-attack 2000-0630 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:" .htr"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1725 WEB-IIS +.htr code fragment attempt 10680 www.microsoft.com/technet/security/bulletin/MS00-044.mspx web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"doctodep.btr"; http_uri; metadata:service http; classtype:web-application-activity; 1726 WEB-IIS doctodep.btr access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/users.xml"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1750 WEB-IIS users.xml access 4670 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/as_web.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1753 WEB-IIS as_web.exe access 4670 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/as_web4.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1754 WEB-IIS as_web4.exe access 4672 web-application-activity 2002-1734 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"logged,true"; metadata:service http; classtype:web-application-activity; 1756 WEB-IIS NewsPro administration authentication attempt 14764 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"Translate|3A| "; nocase; byte_test:1,=,102,0,relative; pcre:"/%.*%/smiI"; metadata:service http; classtype:attempted-recon; 17648 WEB-IIS source code disclosure attempt 13524 web-application-attack 2005-1471 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"POST"; nocase; http_method; content:"/WebID/IISWebAgentIF.dll"; fast_pattern; nocase; http_uri; content:"Transfer-Encoding|3A| chunked"; nocase; http_header; content:"|0D 0A 0D 0A|"; byte_test:4,>,16,0,relative,string,hex; metadata:service http; classtype:web-application-attack; 17705 WEB-IIS web agent chunked encoding overflow attempt web-application-activity 2000-1089 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/pbserver/pbserver.dll"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1772 WEB-IIS pbserver access www.microsoft.com/technet/security/bulletin/ms00-094.mspx 4476 web-application-attack 2002-0150 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"HTTP/"; nocase; content:".asa"; fast_pattern; nocase; http_uri; content:"|3A|"; content:"|0A|"; content:"|00|"; metadata:service http; classtype:web-application-attack; 1802 WEB-IIS .asa HTTP header buffer overflow attempt 10936 www.microsoft.com/technet/security/bulletin/MS02-018.mspx 4476 web-application-attack 2002-0150 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"HTTP/"; nocase; content:".cer"; fast_pattern; nocase; http_uri; content:"|3A|"; content:"|0A|"; content:"|00|"; metadata:service http; classtype:web-application-attack; 1803 WEB-IIS .cer HTTP header buffer overflow attempt 10936 www.microsoft.com/technet/security/bulletin/MS02-018.mspx 4476 web-application-attack 2002-0150 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"HTTP/"; nocase; content:".cdx"; fast_pattern; nocase; http_uri; content:"|3A|"; content:"|0A|"; content:"|00|"; metadata:service http; classtype:web-application-attack; 1804 WEB-IIS .cdx HTTP header buffer overflow attempt 10936 www.microsoft.com/technet/security/bulletin/MS02-018.mspx 5003 web-application-attack 2002-0364 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".htr"; nocase; http_uri; content:"Transfer-Encoding|3A|"; nocase; http_header; content:"chunked"; nocase; http_header; metadata:service http; classtype:web-application-attack; 1806 WEB-IIS .htr chunked Transfer-Encoding 11028 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/SiteServer/Admin/knowledge/persmbr/"; fast_pattern; nocase; http_uri; pcre:"/^Authorization|3A|\s*Basic\s+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/smi"; metadata:service http; classtype:web-application-attack; 1817 WEB-IIS MS Site Server default login attempt 11018 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/Site Server/Admin/knowledge/persmbr/"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1818 WEB-IIS MS Site Server admin attempt 11018 6214 web-application-attack 2002-1142 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/msadcs.dll"; nocase; http_uri; content:"Content-Type|3A|"; nocase; isdataat:50,relative; content:!"|0A|"; within:50; pcre:"/^POST\s/smi"; metadata:service http; classtype:web-application-attack; 1970 WEB-IIS MDAC Content-Type overflow attempt 11161 www.microsoft.com/technet/security/bulletin/MS98-004.mspx 7716 attempted-admin 2003-0109 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; http_header; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; http_header; metadata:service http; classtype:attempted-admin; 2090 WEB-IIS WEBDAV exploit attempt 11413 www.microsoft.com/technet/security/bulletin/ms03-007.mspx 7416 web-application-activity 2003-0215 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"myaccount/login.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2117 WEB-IIS Battleaxe Forum login.asp access 11548 8035 web-application-activity 2003-0349 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/nsiislog.dll"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2129 WEB-IIS nsiislog.dll access 11664 www.microsoft.com/technet/security/bulletin/ms03-018.mspx 7675 web-application-activity 2003-0377 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/iisprotect/admin/SiteAdmin.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2130 WEB-IIS IISProtect siteadmin.asp access 11662 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/iisprotect/admin/"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2131 WEB-IIS IISProtect access 11661 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/en/admin/aggregate.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2132 WEB-IIS Synchrologic Email Accelerator userid list access attempt 11657 7470 web-application-activity 2003-0118 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/biztalkhttpreceive.dll"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2133 WEB-IIS MS BizTalk server access 11638 www.microsoft.com/technet/security/bulletin/MS03-016.mspx web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/iisprotect/admin/GlobalAdmin.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2157 WEB-IIS IISProtect globaladmin.asp access 11661 3608 web-application-activity 2001-0938 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/UploadScript11.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2247 WEB-IIS UploadScript11.asp access 11746 web-application-activity 2001-0938 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/DirectoryListing.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2248 WEB-IIS DirectoryListing.asp access 8103 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/pcadmin/login.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2249 WEB-IIS /pcadmin/login.asp access 11785 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/foxweb.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2321 WEB-IIS foxweb.exe access 11939 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/foxweb.dll"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2322 WEB-IIS foxweb.dll access 11939 9134 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/shopsearch.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2324 WEB-IIS VP-ASP shopsearch.asp access 11942 9134 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ShopDisplayProducts.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2325 WEB-IIS VP-ASP ShopDisplayProducts.asp access 11942 4720 web-application-activity 2002-0375 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/sgdynamo.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2326 WEB-IIS sgdynamo.exe access 11955 9635 attempted-dos 2003-0818 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; http_header; metadata:service http; classtype:attempted-dos; 2386 WEB-IIS NTLM ASN1 vulnerability scan attempt 12065 www.microsoft.com/technet/security/bulletin/MS04-007.mspx 9805 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/frmGetAttachment.aspx"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2571 WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access 9805 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/login.aspx"; nocase; http_uri; content:"txtusername="; isdataat:980,relative; content:!"|0A|"; within:980; nocase; metadata:service http; classtype:web-application-attack; 2572 WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt 9805 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/frmCompose.aspx"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2573 WEB-IIS SmarterTools SmarterMail frmCompose.asp access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ping.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2667 WEB-IIS ping.asp access 10968 11820 attempted-admin 2004-1134 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/w3who.dll?"; fast_pattern; nocase; http_uri; pcre:"/w3who.dll\x3F[^\r\n]{519}/i"; metadata:service http; classtype:attempted-admin; 3087 WEB-IIS w3who.dll buffer overflow attempt 5004 attempted-admin 2002-0186 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; pcre:"/\.x[sm]l/Ui"; content:"contenttype="; http_uri; pcre:"/contenttype=[^\r\n\x3b\x38]{100}/smiU"; metadata:service http; classtype:attempted-admin; 3150 WEB-IIS SQLXML content type overflow 11304 www.westpoint.ltd.uk/advisories/wp-02-0007.txt 1912 web-application-attack 2000-0886 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:".cmd|22|"; fast_pattern; nocase; http_uri; pcre:"/.cmd\x22.*\x26.*/smi"; metadata:service http; classtype:web-application-attack; 3193 WEB-IIS .cmd executable file parsing attack 1912 web-application-attack 2000-0886 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:".bat|22|"; fast_pattern; nocase; http_uri; pcre:"/.bat\x22.*\x26.*/smi"; metadata:service http; classtype:web-application-attack; 3194 WEB-IIS .bat executable file parsing attack 2708 web-application-activity 2001-0333 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/httpodbc.dll"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 3201 WEB-IIS httpodbc.dll access - nimda 13524 web-application-attack 2005-1471 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/WebID/IISWebAgentIF.dll"; fast_pattern; nocase; http_uri; pcre:"/\x2fWebID\x2fIISWebAgentIF.dll[^\n\x26\x3f]*\x3fRedirect\x3furl=[^\n\x26\x3f]{1024}/smi"; metadata:service http; classtype:web-application-attack; 5695 WEB-IIS web agent redirect overflow attempt 17452 attempted-user 2006-0015 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"_vti_bin/_vti_adm/fpadmdll.dll"; fast_pattern:only; content:"name=|22|operation|22|"; nocase; content:"value=|22|-->"; nocase; metadata:service http; classtype:attempted-user; 7027 WEB-IIS frontpage server extensions 2002 cross site scripting attempt www.microsoft.com/technet/security/bulletin/ms06-017.mspx 17452 attempted-user 2006-0015 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"_vti_bin/_vti_adm/fpadmdll.dll"; fast_pattern:only; content:"name=|22|command|22|"; nocase; content:"value=|22|-->"; nocase; metadata:service http; classtype:attempted-user; 7028 WEB-IIS frontpage server extensions 2002 cross site scripting attempt www.microsoft.com/technet/security/bulletin/ms06-017.mspx 17452 attempted-user 2006-0015 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"_vti_bin/_vti_adm/fpadmdll.dll"; fast_pattern:only; content:"name=|22|name|22|"; nocase; content:"value=|22|-->"; nocase; metadata:service http; classtype:attempted-user; 7029 WEB-IIS frontpage server extensions 2002 cross site scripting attempt www.microsoft.com/technet/security/bulletin/ms06-017.mspx 19927 misc-attack 2006-0032 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"default.idq"; nocase; content:"ciRestriction"; distance:0; nocase; content:"script"; distance:0; nocase; pcre:"/default.idq[^\r\n]*ciRestriction[^\r\n]*script/smi"; metadata:service http; classtype:misc-attack; 8349 WEB-IIS Indexing Service ciRestriction cross-site scripting attempt www.microsoft.com/technet/security/Bulletin/MS06-053.mspx 20337 attempted-user 2006-3436 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"__LASTFOCUS="; fast_pattern:only; pcre:"/__LASTFOCUS=(?!([_a-z]\w*|)([\x26\x3B]|$))/i"; metadata:service http; classtype:attempted-user; 8700 WEB-IIS ASP.NET 2.0 cross-site scripting attempt www.microsoft.com/technet/security/bulletin/MS06-056.mspx 2674 web-application-activity 2001-0241 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".printer"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 971 WEB-IIS ISAPI .printer access 10661 www.microsoft.com/technet/security/bulletin/MS01-023.mspx 1448 web-application-attack 2000-0661 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/*.idc"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 973 WEB-IIS *.idc attempt 2218 web-application-attack 1999-0229 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"..|5C|.."; fast_pattern:only; metadata:service http; classtype:web-application-attack; 974 WEB-IIS Directory transversal attempt 149 web-application-attack 1999-0278 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".asp|3A 3A 24|DATA"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 975 WEB-IIS Alternate Data streams ASP file access attempt 10362 support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806 4078 web-application-activity 2002-1717 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".cnf"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 977 WEB-IIS .cnf access 10575 1084 web-application-attack 2000-0302 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"%20"; content:"&CiRestriction=none"; nocase; content:"&CiHiliteType=Full"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 978 WEB-IIS ASP contents view 10356 www.microsoft.com/technet/security/bulletin/MS00-006.mspx 1861 web-application-attack 2000-0942 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".htw?CiWebHitsFile"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 979 WEB-IIS ASP contents view www.microsoft.com/technet/security/bulletin/MS00-006.mspx 1623 web-application-activity 2000-0726 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/scripts/CGImail.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 980 WEB-IIS CGImail.exe access 11721 307 web-application-activity 1999-0874 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/scripts/samples/ctguestb.idc"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 984 WEB-IIS JET VBA access 10116 286 web-application-activity 1999-0874 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/scripts/samples/details.idc"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 985 WEB-IIS JET VBA access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/scripts/proxy/w3proxy.dll"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 986 WEB-IIS MSProxy access support.microsoft.com/?kbid=331066 1488 web-application-activity 2000-0630 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".htr"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 987 WEB-IIS .htr access 10680 2110 web-application-activity 1999-0407 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/iisadmpwd/achg.htr"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 991 WEB-IIS achg.htr access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/msadc/samples/adctest.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 992 WEB-IIS adctest.asp access 189 web-application-attack 1999-1538 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/iisadmin"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 993 WEB-IIS iisadmin access 11032 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/scripts/iisadmin/default.htm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 994 WEB-IIS /scripts/iisadmin/default.htm access 189 web-application-attack 2000-0630 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/scripts/iisadmin/ism.dll?http/dir"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 995 WEB-IIS ism.dll access 2110 web-application-activity 1999-0407 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/iisadmpwd/anot"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 996 WEB-IIS anot.htr access 1814 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".asp."; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 997 WEB-IIS asp-dot attempt 10363 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"|23|filename=*.asp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 998 WEB-IIS asp-srch attempt 2280 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/scripts/iisadmin/bdir.htr"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 999 WEB-IIS bdir access 214 Server / HTTP / Other 215 Server / HTTP / Coldfusion 216 Server / HTTP / Frontpage 2906 web-application-activity 2003-0822 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/fp30reg.dll"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1248 WEB-FRONTPAGE rad fp30reg.dll access 10699 www.microsoft.com/technet/security/bulletin/MS01-035.mspx 2906 web-application-activity 2001-0341 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/fp4areg.dll"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1249 WEB-FRONTPAGE frontpage rad fp4areg.dll access 10699 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_vti_bin/"; fast_pattern:only; metadata:service http; classtype:web-application-activity; 1288 WEB-FRONTPAGE /_vti_bin/ access 11032 9008 attempted-admin 2003-0824 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"shtml.dll"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; pcre:"/^Host\x3A\s[^\r\n]{300,}/smiH"; metadata:service http; classtype:attempted-admin; 6409 WEB-FRONTPAGE frontpage server extension long host string overflow attempt www.microsoft.com/technet/security/Bulletin/MS03-051.mspx 9008 attempted-admin 2003-0824 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"fp30reg.dll"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; isdataat:300,relative; pcre:"/^Host\x3A\s[^\r\n]{300}/smi"; metadata:service http; classtype:attempted-admin; 6410 WEB-FRONTPAGE frontpage server extension long host string overflow attempt www.microsoft.com/technet/security/Bulletin/MS03-051.mspx 9008 attempted-admin 2003-0824 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"fp40reg.dll"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; isdataat:300,relative; pcre:"/^Host\x3A\s[^\r\n]{300}/smi"; metadata:service http; classtype:attempted-admin; 6411 WEB-FRONTPAGE frontpage server extension long host string overflow attempt www.microsoft.com/technet/security/Bulletin/MS03-051.mspx 2144 web-application-activity 2001-0096 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_vti_rpc"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 937 WEB-FRONTPAGE _vti_rpc access 10585 2144 web-application-activity 2001-0096 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"POST"; content:"/author.dll"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 939 WEB-FRONTPAGE posting 10585 www.microsoft.com/technet/security/bulletin/MS00-100.mspx 1595 web-application-activity 2000-0746 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_vti_bin/shtml.dll"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 940 WEB-FRONTPAGE shtml.dll access 11395 www.microsoft.com/technet/security/bulletin/ms00-060.mspx web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admcgi/contents.htm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 941 WEB-FRONTPAGE contents.htm access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_private/orders.htm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 942 WEB-FRONTPAGE orders.htm access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/fpsrvadm.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 943 WEB-FRONTPAGE fpsrvadm.exe access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/fpremadm.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 944 WEB-FRONTPAGE fpremadm.exe access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admisapi/fpadmin.htm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 945 WEB-FRONTPAGE fpadmin.htm access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/scripts/Fpadmcgi.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 946 WEB-FRONTPAGE fpadmcgi.exe access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_private/orders.txt"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 947 WEB-FRONTPAGE orders.txt access web-application-activity 1999-1052 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_private/form_results.txt"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 948 WEB-FRONTPAGE form_results access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_private/registrations.htm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 949 WEB-FRONTPAGE registrations.htm access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cfgwiz.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 950 WEB-FRONTPAGE cfgwiz.exe access 989 web-application-activity 1999-0386 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/authors.pwd"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 951 WEB-FRONTPAGE authors.pwd access 10078 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_vti_bin/_vti_aut/author.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 952 WEB-FRONTPAGE author.exe access 1205 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/administrators.pwd"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 953 WEB-FRONTPAGE administrators.pwd access web-application-activity 1999-1052 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_private/form_results.htm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 954 WEB-FRONTPAGE form_results.htm access 4078 web-application-activity 2002-1717 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_vti_pvt/access.cnf"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 955 WEB-FRONTPAGE access.cnf access 10575 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_private/register.txt"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 956 WEB-FRONTPAGE register.txt access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_private/registrations.txt"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 957 WEB-FRONTPAGE registrations.txt access 4078 web-application-activity 2002-1717 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_vti_pvt/service.cnf"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 958 WEB-FRONTPAGE service.cnf access 10575 1205 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/service.pwd"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 959 WEB-FRONTPAGE service.pwd web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_vti_pvt/service.stp"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 960 WEB-FRONTPAGE service.stp access 4078 web-application-activity 2002-1717 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_vti_pvt/services.cnf"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 961 WEB-FRONTPAGE services.cnf access 10575 5804 web-application-activity 2002-0692 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_vti_bin/shtml.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 962 WEB-FRONTPAGE shtml.exe access 11311 4078 web-application-activity 2002-1717 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_vti_pvt/svcacl.cnf"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 963 WEB-FRONTPAGE svcacl.cnf access 10575 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/users.pwd"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 964 WEB-FRONTPAGE users.pwd access 4078 web-application-activity 2002-1717 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_vti_pvt/writeto.cnf"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 965 WEB-FRONTPAGE writeto.cnf access 10575 989 web-application-attack 2000-0153 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"..../"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 966 WEB-FRONTPAGE .... request 10142 1109 web-application-activity 2000-0260 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/dvwssr.dll"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 967 WEB-FRONTPAGE dvwssr.dll access 10369 www.microsoft.com/technet/security/bulletin/ms00-025.mspx web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_private/register.htm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 968 WEB-FRONTPAGE register.htm access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_vti_inf.html"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 990 WEB-FRONTPAGE _vti_inf.html access 11455 22797 trojan-activity 2007-1277 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"wp-includes/feed.php"; nocase; http_uri; content:"ix="; nocase; http_uri; pcre:"/wp-includes\x2Ffeed\x2Ephp\x3F[^\r\n]*ix=/Ui"; metadata:policy security-ips drop; classtype:trojan-activity; 10196 BACKDOOR Wordpress backdoor feed.php code execution attempt www.securityfocus.com/archive/1/461794 22797 trojan-activity 2007-1277 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"wp-includes/theme.php"; nocase; http_uri; content:"iz="; nocase; http_uri; pcre:"/wp-includes\x2Ftheme\x2Ephp\x3F[^\r\n]*iz=/Ui"; metadata:policy security-ips drop; classtype:trojan-activity; 10197 BACKDOOR Wordpress backdoor theme.php code execution attempt www.securityfocus.com/archive/1/461794 attempted-admin 2005-1921 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"POST"; depth:4; content:"xml version"; distance:0; content:"<methodCall><methodName>"; distance:0; content:"</methodName><params><param><name>"; distance:0; content:"'|29 3B|echo|28|'"; distance:0; content:"'|29 3B| passthru|28|chr|28|"; distance:0; metadata:policy security-ips drop, service http; classtype:attempted-admin; 13816 SPECIFIC-THREATS Metasploit Framework xmlrpc.php command injection attempt attempted-admin 2005-1921 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"POST"; depth:4; content:"xml version"; distance:0; content:"<methodCall><methodName>"; distance:0; content:"</methodName><params><param><value><name>"; distance:0; content:"',''|29 29 3B|echo '_begin_|0A|'|3B|echo"; distance:0; metadata:policy security-ips drop, service http; classtype:attempted-admin; 13817 SPECIFIC-THREATS xmlrpc.php command injection attempt attempted-admin 2005-1921 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"POST"; depth:4; content:"xml version"; distance:0; content:"<methodCall><methodName>"; distance:0; content:"</methodName><params><param><value><string></string></value></param><param><value><string>"; distance:0; content:"AND ascii|28|substring|28|pass,1,1|29 29 0A|/**/BETWEEN/**/52/**/AND/**/58|29|/*"; metadata:policy security-ips drop, service http; classtype:attempted-admin; 13818 SPECIFIC-THREATS alternate xmlrpc.php command injection attempt 30667 attempted-admin 2008-3681 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"task=confirmreset"; nocase; http_uri; content:"option=com_user"; http_uri; content:"token=%27&"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 14610 WEB-PHP Joomla invalid token administrative password reset attempt developer.joomla.org/security/news/241-20080801-core-password-remind-functionality.html attempted-admin 2008-4006 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"common.php"; http_uri; content:"rbtool="; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 15257 ORACLE Secure Backup common.php variable based command injection attempt attempted-admin 2008-5449 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"login.php"; http_uri; content:"rbtool="; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 15258 ORACLE Secure Backup login.php variable based command injection attempt 32123 web-application-attack 2008-6301 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"shoutbox_view.php"; fast_pattern; nocase; http_uri; content:"mode="; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/shoutbox_view.php\x3F[^\r\n]*mode\s*=\s*(delete|edit)[^\r\n]*id\s*=\s*[^\r\n\x26]*[^\d]+/Usmi"; metadata:policy security-ips alert, service http; classtype:web-application-attack; 15424 WEB-PHP phpBB mod shoutbox sql injection attempt 32701 web-application-attack 2008-6314 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"tag_board.php"; fast_pattern; nocase; http_uri; content:"action=delete"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/tag_board.php\x3F[^\r\n]*action=delete[^\r\n]*id=[^\r\n\x26]*(select|insert|delete)/Usmi"; metadata:policy security-ips alert, service http; classtype:web-application-attack; 15425 WEB-PHP phpBB mod tag board sql injection attempt 28845 web-application-attack 2008-4769 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"/wordpress/"; fast_pattern; nocase; http_uri; content:"cat="; nocase; content:"../"; distance:0; pcre:"/\x2Fwordpress\x2F\x3F[^\r\n]*cat\s*=\s*[^\r\n\x26]*\x2F\x2E\x2E/smi"; metadata:policy security-ips drop, service http; classtype:web-application-attack; 15432 WEB-PHP wordpress cat parameter arbitrary file execution attempt 10724 attempted-user 2004-0595 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/strip/getPoc.php?note=%3Cs%00cript%3Ealert%28%27Oops!%27%29%3B%3C%2Fs%00cript%3E"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15977 SPECIFIC-THREATS PHP strip_tags bypass vulnerability exploit attempt 35678 attempted-admin 2009-1978 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"property_box.php?"; http_uri; content:"type=Sections"; http_uri; content:"other="; http_uri; pcre:"/other=[^\x26]*[\x21-\x24\x27\x28-\x2a\x2d\x2f\x3b\x3c\x3e\x3f\x40\x5b-\x5d\x7b-\x7e]/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 16190 ORACLE Oracle Secure Backup Administration server property_box.php command injection attempt web-application-attack 2009-4511 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"helppage.php"; fast_pattern; nocase; http_uri; content:"page="; nocase; http_uri; content:".."; http_uri; metadata:policy security-ips drop, service http; classtype:web-application-attack; 16678 WEB-PHP Tandberg VCS local file disclosure attempt secunia.com/advisories/39275/ trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/inst.php?fff="; nocase; http_uri; content:"coid="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 16924 BLACKLIST URI request for known malicious URI - /inst.php?fff= labs.snort.org/docs/16924.html 19819 attempted-user tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"/jhot.php"; nocase; http_uri; content:"Content-Disposition|3A|"; nocase; content:"filename="; nocase; pcre:"/^Content-Disposition\x3A[^\r\n]*filename=(?P<q1>\x22|\x27|)[^\r\n]*?\x2Ephp(?P=q1)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17597 WEB-PHP TikiWiki jhot.php script file upload attempt tikiwiki.org/tiki-read_article.php?articleid=136 33177 attempted-admin 2008-4006 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server, established; content:"login.php"; http_uri; content:"button|3D|Logout"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 17638 Oracle Secure Backup Administration Server login.php Cookies Command Injection attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/online.php?"; nocase; http_uri; content:"Host|3A| actualnames.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5744 SPYWARE-PUT Hijacker actualnames runtime detection - online.php request www3.ca.com/securityadvisor/pest/pest.aspx?id=453074941 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cache/ip.php"; nocase; http_uri; content:"User-Agent|3A| Warez Beta Client"; fast_pattern:only; metadata:policy security-ips alert, service http; classtype:misc-activity; 5848 SPYWARE-PUT Adware warez_p2p runtime detection - ip.php request www.spywareguide.com/category_show.php?id=5 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/crakzpackz/sys/add.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"port="; nocase; http_uri; content:"vicname="; nocase; http_uri; content:"server=DSK"; nocase; http_uri; content:"password="; nocase; http_uri; content:"usrname="; nocase; http_uri; metadata:policy security-ips drop; classtype:trojan-activity; 6020 BACKDOOR dsk lite 1.0 runtime detection - php notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"body=FeaR"; nocase; http_uri; pcre:"/body=FeaR\x25200\x2E2\x2E0\x2520Online\x3A\x2520\x5BIP_\d+\x2E\d+\x2E\d+\x2E\d+\x5D\x2520\x5BPort_/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6042 BACKDOOR fear 0.2 runtime detection - php notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106 17292 web-application-attack 2006-1491 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/services/help/"; http_uri; pcre:"/[\?\x20\x3b\x26]module=[a-zA-Z0-9]*[\x3b\x26]/Ui"; metadata:policy security-ips drop, service http; classtype:web-application-attack; 6403 WEB-PHP horde help module arbitrary command execution attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?action=post"; fast_pattern; nocase; http_uri; content:"log="; http_uri; pcre:"/log\=\x7BIP\x3A[^\x7B\r\n]*\x7D\x7BOS\x3A[^\x7B\r\n]*\x7D\x7BSysuptime\x3A[^\x7B\r\n]*\x7D\x7BTrojan\x3A[^\x7B\r\n]*\x7D\x7BPort\x3A[^\x7B\r\n]*\x7D\x7BPassword\x3A[^\x7B\r\n]*\x7D\x7BUser\x3A/smi"; metadata:policy security-ips drop; classtype:misc-activity; 7149 SPYWARE-PUT Hacker-Tool sars notifier runtime detection - php notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453078294 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/roach/notify/getip.php"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.kornputers.com"; nocase; http_header; metadata:policy security-ips drop; classtype:trojan-activity; 7639 BACKDOOR air runtime detection - php notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453076794 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/Notificacion.php"; nocase; http_uri; content:"puerto="; nocase; http_uri; content:"version=1.0"; nocase; http_uri; content:"nombre="; nocase; http_uri; content:"pc="; nocase; http_uri; metadata:policy security-ips drop; classtype:trojan-activity; 9653 BACKDOOR apofis 1.0 runtime detection - php notification www.megasecurity.org/trojans/a/apofis/Apofis1.0.html 217 Server / HTTP / PHP 802 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"|BA|I|FE FF FF F7 D2 B9 BF FF FF FF F7 D1|"; metadata:service http; classtype:web-application-attack; 1085 WEB-PHP strings overflow 1786 web-application-attack 2000-0967 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"?STRENGUR"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1086 WEB-PHP strings overflow 2271 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin.php3"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1134 WEB-PHP Phorum admin access 2274 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; fast_pattern:only; metadata:service http; classtype:attempted-recon; 1137 WEB-PHP Phorum authentication access 1149 attempted-recon 2000-0322 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/passwd.php3"; http_uri; metadata:service http; classtype:attempted-recon; 1161 WEB-PHP piranha passwd.php3 access 14667 attempted-user 2005-2733 tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 flow:to_server,established; content:"sphpblog"; http_uri; content:"password.txt"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-user; 11664 WEB-PHP sphpblog password.txt access attempt 14667 attempted-user 2005-2733 tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 flow:to_server,established; content:"sphpblog"; http_uri; content:"install03_cgi.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-user; 11665 WEB-PHP sphpblog install03_cgi access attempt 14667 attempted-user 2005-2733 tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 flow:to_server,established; content:"sphpblog"; http_uri; content:"upload_img_cgi.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-user; 11666 WEB-PHP sphpblog upload_img_cgi access attempt 14667 attempted-user 2005-2733 tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 flow:to_server,established; content:"sphpblog"; http_uri; content:"comment_delete_cgi.php"; fast_pattern; nocase; http_uri; pcre:"/comment=[^\x26\s]*[\x2f\x5c]/sUmi"; metadata:service http; classtype:attempted-user; 11667 WEB-PHP sphpblog arbitrary file delete attempt attempted-user 2005-0511 tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 flow:to_server,established; content:"misc.php"; http_uri; pcre:"/template\s*=\s*\x7b\x24/sUmi"; metadata:service http; classtype:attempted-user; 11668 WEB-PHP vbulletin php code injection marc.info/?l=bugtraq&m=110910899415763&w=2 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/read.php3"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1178 WEB-PHP Phorum read access 2272 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/violation.php3"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1179 WEB-PHP Phorum violation access attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/code.php3"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1197 WEB-PHP Phorum code access 15250 web-application-attack 2005-3390 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"Content-Type|3A| multipart/form-data"; http_header; content:"name="; nocase; content:"GLOBALS"; within:7; distance:1; metadata:service http; classtype:web-application-attack; 12221 WEB-PHP file upload GLOBAL variable overwrite attempt 3079 attempted-user 2001-1370 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"_PHPLIB[libdir]"; fast_pattern:only; metadata:service http; classtype:attempted-user; 1254 WEB-PHP PHPLIB remote command attempt 14910 3079 attempted-user 2001-1370 tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/db_mysql.inc"; http_uri; metadata:service http; classtype:attempted-user; 1255 WEB-PHP PHPLIB remote command attempt web-application-attack 2004-1315 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"viewtopic.php"; http_uri; content:"highlight="; http_uri; content:"%25"; metadata:service http; classtype:web-application-attack; 12610 WEB-PHP phpBB viewtopic double URL encoding attempt 3361 attempted-admin 2001-1032 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin.php"; fast_pattern; nocase; http_uri; content:"file_name="; metadata:service http; classtype:attempted-admin; 1300 WEB-PHP admin.php file upload attempt 9270 attempted-recon 2001-1032 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1301 WEB-PHP admin.php access 3889 web-application-attack 2002-0206 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/index.php"; fast_pattern; nocase; http_uri; content:"file="; pcre:"/file=(https?|ftps?|php)/i"; metadata:service http; classtype:web-application-attack; 1399 WEB-PHP PHP-Nuke remote file include attempt 3982 web-application-activity 2002-0220 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/smssend.php"; http_uri; metadata:service http; classtype:web-application-activity; 1407 WEB-PHP smssend.php access 4183 web-application-attack 2002-0081 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"Content-Disposition|3A|"; nocase; http_header; content:"name=|22 CC CC CC CC CC|"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1423 WEB-PHP content-disposition memchr overflow 10867 1997 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/support/common.php"; http_uri; content:"ForumLang=../"; metadata:service http; classtype:web-application-attack; 1490 WEB-PHP Phorum /support/common.php attempt 9361 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/support/common.php"; http_uri; metadata:service http; classtype:web-application-attack; 1491 WEB-PHP Phorum /support/common.php access 10725 attempted-user 2004-0594 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"---------------------------153501500631101"; http_header; metadata:service http; classtype:attempted-user; 16078 SPECIFIC-THREATS PHP memory_limit vulnerability exploit attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/32647543ygwvrhbjt3h4evjrbgnrt.php"; http_uri; content:"Host|3A| all1count.net"; nocase; classtype:trojan-activity; 16243 BACKDOOR downloader-ash.gen.b runtime detection - 3264.php www.threatexpert.com/report.aspx?md5=bffe465b5949e78821ffb76b0ed25bb4 policy-violation tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"act=cmd"; http_uri; classtype:policy-violation; 16613 BACKDOOR c99shell.php command request - cmd vil.nai.com/vil/content/v_136948.htm policy-violation tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"act=search"; http_uri; classtype:policy-violation; 16614 BACKDOOR c99shell.php command request - search vil.nai.com/vil/content/v_136948.htm policy-violation tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"act=upload"; http_uri; classtype:policy-violation; 16615 BACKDOOR c99shell.php command request - upload vil.nai.com/vil/content/v_136948.htm policy-violation tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"act=about"; http_uri; classtype:policy-violation; 16616 BACKDOOR c99shell.php command request - about vil.nai.com/vil/content/v_136948.htm policy-violation tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"act=encoder"; http_uri; classtype:policy-violation; 16617 BACKDOOR c99shell.php command request - encoder vil.nai.com/vil/content/v_136948.htm policy-violation tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"act=bind"; http_uri; classtype:policy-violation; 16618 BACKDOOR c99shell.php command request - bind vil.nai.com/vil/content/v_136948.htm policy-violation tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"act=ps_aux"; http_uri; classtype:policy-violation; 16619 BACKDOOR c99shell.php command request - ps_aux vil.nai.com/vil/content/v_136948.htm policy-violation tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"act=ftpquickbrute"; http_uri; classtype:policy-violation; 16620 BACKDOOR c99shell.php command request - ftpquickbrute vil.nai.com/vil/content/v_136948.htm policy-violation tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"act=security"; http_uri; classtype:policy-violation; 16621 BACKDOOR c99shell.php command request - security vil.nai.com/vil/content/v_136948.htm policy-violation tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"act=sql"; http_uri; classtype:policy-violation; 16622 BACKDOOR c99shell.php command request - sql vil.nai.com/vil/content/v_136948.htm policy-violation tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"act=eval"; http_uri; classtype:policy-violation; 16623 BACKDOOR c99shell.php command request - eval vil.nai.com/vil/content/v_136948.htm policy-violation tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"act=feedback"; http_uri; classtype:policy-violation; 16624 BACKDOOR c99shell.php command request - feedback vil.nai.com/vil/content/v_136948.htm policy-violation tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"act=selfremove"; http_uri; classtype:policy-violation; 16625 BACKDOOR c99shell.php command request - selfremove vil.nai.com/vil/content/v_136948.htm policy-violation tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"act=fsbuff"; http_uri; classtype:policy-violation; 16626 BACKDOOR c99shell.php command request - fsbuff vil.nai.com/vil/content/v_136948.htm policy-violation tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"act=ls"; http_uri; classtype:policy-violation; 16627 BACKDOOR c99shell.php command request - ls vil.nai.com/vil/content/v_136948.htm policy-violation tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"act=phpinfo"; http_uri; classtype:policy-violation; 16628 BACKDOOR c99shell.php command request - phpinfo vil.nai.com/vil/content/v_136948.htm trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"count_log/log/boot.php?p="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16913 BLACKLIST URI request for known malicious URI - count_log/log/boot.php?p= labs.snort.org/docs/16913.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.php?username=coolweb07&keywords="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16923 BLACKLIST URI request for known malicious URI - /search.php?username=coolweb07&keywords= labs.snort.org/docs/16923.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/message.php?subid="; nocase; http_uri; content:"version=_nn2"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16925 BLACKLIST URI request for known malicious URI - /message.php?subid= labs.snort.org/docs/16925.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"MGWEB.php?c=TestUrl"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16927 BLACKLIST URI request for known malicious URI - MGWEB.php?c=TestUrl labs.snort.org/docs/16927.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"gate.php?guid="; nocase; http_uri; content:"stat=ONLINE"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16929 BLACKLIST URI request for known malicious URI - gate.php?guid= labs.snort.org/docs/16929.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"feedbigfoot.php?m="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16931 BLACKLIST URI request for known malicious URI - feedbigfoot.php?m= labs.snort.org/docs/16931.html 3952 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/squirrelspell/modules/check_me.mod.php"; fast_pattern; nocase; http_uri; content:"SQSPELL_APP["; nocase; metadata:service http; classtype:web-application-attack; 1736 WEB-PHP squirrel mail spell-check arbitrary command attempt 4385 web-application-attack 2002-0516 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/left_main.php"; nocase; http_uri; content:"cmdd="; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1737 WEB-PHP squirrel mail theme arbitrary command attempt 4617 web-application-attack 2002-0613 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/dnstools.php"; nocase; http_uri; content:"user_logged_in=true"; nocase; content:"user_dnstools_administrator=true"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1739 WEB-PHP DNSTools administrator authentication bypass attempt 4617 web-application-attack 2002-0613 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/dnstools.php"; fast_pattern; nocase; http_uri; content:"user_logged_in=true"; metadata:service http; classtype:web-application-attack; 1740 WEB-PHP DNSTools authentication bypass attempt 4617 web-application-activity 2002-0613 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/dnstools.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1741 WEB-PHP DNSTools access 4618 web-application-attack 2002-0599 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/dostuff.php?action=modify_user"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1742 WEB-PHP Blahz-DNS dostuff.php modify user attempt 4618 web-application-activity 2002-0599 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/dostuff.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1743 WEB-PHP Blahz-DNS dostuff.php access 4635 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/supp_membre.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1745 WEB-PHP Messagerie supp_membre.php access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/php.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1773 WEB-PHP php.exe access www.securitytracker.com/alerts/2002/Jan/1003104.html web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/bb_smilies.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1774 WEB-PHP bb_smilies.php access www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/get2.php?c=VTOXUGUI&d=26606B6739343F216560"; nocase; http_uri; metadata:service http; classtype:trojan-activity; 17898 BLACKLIST URI request for known malicious URI - /get2.php?c=VTOXUGUI&d=26606B6739343F216560 labs.snort.org/docs/17898.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"1de49069b6044785e9dfcd4c035cfd0c.php"; nocase; http_uri; metadata:service http; classtype:trojan-activity; 17905 BLACKLIST URI request for known malicious URI - 1de49069b6044785e9dfcd4c035cfd0c.php labs.snort.org/docs/17905.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"2x/"; nocase; http_uri; pcre:"/2x/.*php/Ui"; content:"p=ck"; nocase; http_uri; metadata:service http; classtype:trojan-activity; 17906 BLACKLIST URI request for known malicious URI - 2x/.*php labs.snort.org/docs/17906.html 4278 misc-attack 2002-0434 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/directory.php"; http_uri; content:"dir="; content:"|3B|"; metadata:service http; classtype:misc-attack; 1815 WEB-PHP directory.php arbitrary command attempt 11017 4278 misc-attack 2002-0434 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/directory.php"; http_uri; metadata:service http; classtype:misc-attack; 1816 WEB-PHP directory.php access 5254 web-application-attack 2002-1070 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/modules.php?"; http_uri; content:"name=Wiki"; fast_pattern; nocase; http_uri; content:"<script"; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1834 WEB-PHP PHP-Wiki cross site scripting attempt 6173 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/quick-reply.php"; http_uri; content:"phpbb_root_path="; metadata:service http; classtype:web-application-attack; 1967 WEB-PHP phpbb quick-reply.php arbitrary command attempt 6173 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/quick-reply.php"; http_uri; metadata:service http; classtype:web-application-activity; 1968 WEB-PHP phpbb quick-reply.php access 3288 web-application-activity 2001-1020 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/edit_image.php"; http_uri; metadata:service http; classtype:web-application-activity; 1999 WEB-PHP edit_image.php access 11104 web-application-activity 2001-1408 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/readmsg.php"; http_uri; metadata:service http; classtype:web-application-activity; 2000 WEB-PHP readmsg.php access 11073 6572 web-application-attack 2003-1204 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/uploadimage.php"; http_uri; content:"userfile_name="; content:".php"; distance:1; metadata:service http; classtype:web-application-attack; 2074 WEB-PHP Mambo uploadimage.php upload php file attempt 16315 6572 web-application-attack 2003-1204 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/upload.php"; http_uri; content:"userfile_name="; content:".php"; distance:1; metadata:service http; classtype:web-application-attack; 2075 WEB-PHP Mambo upload.php upload php file attempt 16315 6572 web-application-activity 2003-1204 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/uploadimage.php"; http_uri; metadata:service http; classtype:web-application-activity; 2076 WEB-PHP Mambo uploadimage.php access 16315 6634 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/privmsg.php"; http_uri; metadata:service http; classtype:web-application-activity; 2078 WEB-PHP phpBB privmsg.php access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/p-news.php"; http_uri; metadata:service http; classtype:web-application-activity; 2140 WEB-PHP p-news.php access 11669 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/shoutbox.php"; http_uri; content:"conf="; content:"../"; distance:0; metadata:service http; classtype:web-application-attack; 2141 WEB-PHP shoutbox.php directory traversal attempt 11668 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/shoutbox.php"; fast_pattern; nocase; http_uri; content:"conf="; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2142 WEB-PHP shoutbox.php access 11668 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/gm-2-b2.php"; fast_pattern; nocase; http_uri; content:"b2inc="; pcre:"/b2inc=(https?|ftps?|php)/i"; metadata:service http; classtype:web-application-attack; 2143 WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt 11667 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/gm-2-b2.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2144 WEB-PHP b2 cafelog gm-2-b2.php access 11667 7673 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin.php"; http_uri; content:"op=admin_enter"; content:"password=admin"; fast_pattern:only; metadata:service http; classtype:web-application-activity; 2145 WEB-PHP TextPortal admin.php default password admin attempt 11660 7673 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin.php"; http_uri; content:"op=admin_enter"; content:"password=12345"; fast_pattern:only; metadata:service http; classtype:web-application-activity; 2146 WEB-PHP TextPortal admin.php default password 12345 attempt 11660 7677 web-application-attack 2003-0394 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/objects.inc.php4"; http_uri; content:"Server[path]="; pcre:"/Server\x5bpath\x5d=(https?|ftps?|php)/"; metadata:service http; classtype:web-application-attack; 2147 WEB-PHP BLNews objects.inc.php4 remote file include attempt 11647 7677 web-application-activity 2003-0394 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/objects.inc.php4"; http_uri; metadata:service http; classtype:web-application-activity; 2148 WEB-PHP BLNews objects.inc.php4 access 11647 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/turba/status.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2149 WEB-PHP Turba status.php access 11646 7625 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin/templates/header.php"; fast_pattern; nocase; http_uri; content:"admin_root="; pcre:"/admin_root=(https?|ftps?|php)/"; metadata:service http; classtype:web-application-attack; 2150 WEB-PHP ttCMS header.php remote file include attempt 11636 7625 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin/templates/header.php"; http_uri; metadata:service http; classtype:web-application-activity; 2151 WEB-PHP ttCMS header.php access 11636 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/test.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2152 WEB-PHP test.php access 11617 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/autohtml.php"; fast_pattern; nocase; http_uri; content:"name="; content:"../../"; distance:0; metadata:service http; classtype:web-application-attack; 2153 WEB-PHP autohtml.php directory traversal attempt 11630 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/autohtml.php"; http_uri; metadata:service http; classtype:web-application-activity; 2154 WEB-PHP autohtml.php access 11630 7543 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"forum/index.php"; http_uri; content:"template="; pcre:"/template=(https?|ftps?|php)/i"; metadata:service http; classtype:web-application-attack; 2155 WEB-PHP ttforum remote file include attempt 11615 7919 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"lib.inc.php"; fast_pattern; nocase; http_uri; content:"pm_path="; pcre:"/pm_path=(https?|ftps?|php)/"; metadata:service http; classtype:web-application-attack; 2226 WEB-PHP pmachine remote file include attempt 11739 7933 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"forum_details.php"; http_uri; metadata:service http; classtype:web-application-attack; 2227 WEB-PHP forum_details.php access 11760 7965 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"db_details_importdocsql.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 2228 WEB-PHP phpMyAdmin db_details_importdocsql.php access 11761 7979 web-application-attack 2003-0486 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/viewtopic.php"; fast_pattern; nocase; http_uri; content:"days="; nocase; http_uri; metadata:service http; classtype:web-application-attack; 2229 WEB-PHP viewtopic.php access 11767 9057 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/UpdateClasses.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2279 WEB-PHP UpdateClasses.php access 9057 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/GlobalFunctions.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2282 WEB-PHP GlobalFunctions.php access 9057 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/DatabaseFunctions.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2283 WEB-PHP DatabaseFunctions.php access 9057 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/insert.inc.php"; fast_pattern; nocase; http_uri; content:"path="; metadata:service http; classtype:web-application-attack; 2284 WEB-PHP rolis guestbook remote file include attempt 9057 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/insert.inc.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2285 WEB-PHP rolis guestbook access 8890 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin_comment.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2287 WEB-PHP Advanced Poll admin_comment.php access 11487 8890 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin_edit.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2288 WEB-PHP Advanced Poll admin_edit.php access 11487 8890 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin_embed.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2289 WEB-PHP Advanced Poll admin_embed.php access 11487 8890 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin_help.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2290 WEB-PHP Advanced Poll admin_help.php access 11487 8890 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin_license.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2291 WEB-PHP Advanced Poll admin_license.php access 11487 8890 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin_logout.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2292 WEB-PHP Advanced Poll admin_logout.php access 11487 8890 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin_password.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2293 WEB-PHP Advanced Poll admin_password.php access 11487 8890 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin_preview.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2294 WEB-PHP Advanced Poll admin_preview.php access 11487 8890 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin_settings.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2295 WEB-PHP Advanced Poll admin_settings.php access 11487 8890 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin_stats.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2296 WEB-PHP Advanced Poll admin_stats.php access 11487 8890 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin_templates_misc.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2297 WEB-PHP Advanced Poll admin_templates_misc.php access 11487 8890 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin_templates.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2298 WEB-PHP Advanced Poll admin_templates.php access 11487 8890 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin_tpl_misc_new.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2299 WEB-PHP Advanced Poll admin_tpl_misc_new.php access 11487 8890 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin_tpl_new.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2300 WEB-PHP Advanced Poll admin_tpl_new.php access 11487 8890 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/booth.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2301 WEB-PHP Advanced Poll booth.php access 11487 8890 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/poll_ssi.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2302 WEB-PHP Advanced Poll poll_ssi.php access 11487 8890 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/popup.php"; fast_pattern; nocase; http_uri; content:"include_path="; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2303 WEB-PHP Advanced Poll popup.php access 11487 8910 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/files.inc.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2304 WEB-PHP files.inc.php access 8930 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/chatbox.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2305 WEB-PHP chatbox.php access 8814 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/setup/"; http_uri; content:"GALLERY_BASEDIR="; http_uri; pcre:"/GALLERY_BASEDIR=(https?|ftps?|php)/Ui"; metadata:service http; classtype:web-application-attack; 2306 WEB-PHP gallery remote file include attempt 11876 8791 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"do=ext"; http_uri; content:"page="; http_uri; pcre:"/page=(https?|ftps?|php)/Ui"; metadata:service http; classtype:web-application-attack; 2307 WEB-PHP PayPal Storefront remote file include attempt 11873 web-application-activity 2004-0032 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/authentication_index.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2328 WEB-PHP authentication_index.php access 11982 8430 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"new_rights=admin"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2331 WEB-PHP MatrikzGB privilege escalation attempt 6525 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/library/editor/editor.php"; fast_pattern; nocase; http_uri; content:"root="; http_uri; metadata:service http; classtype:web-application-attack; 2341 WEB-PHP DCP-Portal remote file include editor script attempt 6525 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/library/lib.php"; fast_pattern; nocase; http_uri; content:"root="; http_uri; metadata:service http; classtype:web-application-attack; 2342 WEB-PHP DCP-Portal remote file include lib script attempt 9369 web-application-activity 2004-0032 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/search.php"; nocase; http_uri; content:"action=soundex"; fast_pattern; nocase; http_uri; content:"firstname="; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2345 WEB-PHP PhpGedView search.php access 6544 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/chatheader.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2346 WEB-PHP myPHPNuke chatheader.php access 7488 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"ideaDir="; fast_pattern:only; content:"cord.php"; nocase; metadata:service http; classtype:web-application-activity; 2353 WEB-PHP IdeaBox cord.php file include 7488 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"gorumDir="; fast_pattern:only; content:"notification.php"; nocase; metadata:service http; classtype:web-application-activity; 2354 WEB-PHP IdeaBox notification.php file include 7204 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ad_member.php"; fast_pattern; nocase; http_uri; content:"emailer.php"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2355 WEB-PHP Invision Board emailer.php file include 7000 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/defines.php"; nocase; http_uri; content:"WEBCHATPATH="; nocase; content:"db_mysql.php"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 2356 WEB-PHP WebChat db_mysql.php file include 7000 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/defines.php"; nocase; http_uri; content:"WEBCHATPATH="; nocase; content:"english.php"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 2357 WEB-PHP WebChat english.php file include 6984 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/translations.php"; fast_pattern; nocase; http_uri; content:"ONLY="; nocase; metadata:service http; classtype:web-application-attack; 2358 WEB-PHP Typo3 translations.php file include 6976 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ipchat.php"; nocase; http_uri; content:"root_path="; content:"conf_global.php"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 2359 WEB-PHP Invision Board ipchat.php file include 6744 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/doc/admin"; nocase; http_uri; content:"ptinclude="; nocase; content:"pt_config.inc"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 2360 WEB-PHP myphpPagetool pt_config.inc file include 6674 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/news.php"; fast_pattern; nocase; http_uri; content:"template="; nocase; metadata:service http; classtype:web-application-attack; 2361 WEB-PHP news.php file include 6663 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/packages.php"; fast_pattern; nocase; http_uri; content:"packer.php"; nocase; metadata:service http; classtype:web-application-attack; 2362 WEB-PHP YaBB SE packages.php file include 6597 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/default_header.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2363 WEB-PHP Cyboards default_header.php access 6597 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/options_form.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2364 WEB-PHP Cyboards options_form.php access 8488 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/nphpd.php"; fast_pattern; nocase; http_uri; content:"LangFile"; nocase; metadata:service http; classtype:web-application-activity; 2365 WEB-PHP newsPHP Language file include attempt 9368 web-application-attack 2004-0030 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/authentication_index.php"; nocase; http_uri; content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 2366 WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt 9368 web-application-attack 2004-0030 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/functions.php"; nocase; http_uri; content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 2367 WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt 9368 web-application-attack 2004-0030 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/config_gedcom.php"; nocase; http_uri; content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 2368 WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt 9557 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/showphoto.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2372 WEB-PHP Photopost PHP Pro showphoto.php access 9537 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_admin/"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2393 WEB-PHP /_admin access 12032 6965 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"newsletter.php"; nocase; http_uri; content:"waroot"; fast_pattern:only; content:"start.php"; nocase; metadata:service http; classtype:web-application-attack; 2398 WEB-PHP WAnewsletter newsletter.php file include attempt 6964 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/sql/db_type.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2399 WEB-PHP WAnewsletter db_type.php access 9737 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/phptest.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2405 WEB-PHP phptest.php access 9773 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/page.php"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2410 WEB-PHP IGeneric Free Shopping Cart page.php access 9866 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/viewforum.php"; nocase; http_uri; content:"topic_id="; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2566 WEB-PHP PHPBB viewforum.php access 12093 9732 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/header.php"; nocase; http_uri; content:"systempath="; fast_pattern:only; pcre:"/systempath=(https?|ftps?|php)/i"; metadata:service http; classtype:web-application-attack; 2575 WEB-PHP Opt-X header.php remote file include attempt 10129 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/note_overview.php"; http_uri; content:"id="; metadata:service http; classtype:web-application-activity; 2588 WEB-PHP TUTOS path disclosure attempt www.securiteam.com/unixfocus/5FP0J15CKE.html 7193 web-application-attack tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/modules.php"; nocase; http_uri; content:"name=Forums"; content:"file=viewtopic"; fast_pattern:only; pcre:"/forum=.*'/"; metadata:service http; classtype:web-application-attack; 2654 WEB-PHP PHPNuke Forum viewtopic SQL insertion attempt 9368 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"_conf.php"; nocase; http_uri; content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 2926 WEB-PHP PhpGedView PGV base directory manipulation 12592 web-application-attack 2005-0481 tcp $EXTERNAL_NET any -> $HOME_NET 8090 flow:to_server,established; content:"/ComGetLogFile.php3"; nocase; pcre:"/fn=\x2e\x2e(\x2f|\x5c)/Rmsi"; metadata:service http; classtype:web-application-attack; 3544 WEB-MISC TrackerCam ComGetLogFile.php3 directory traversal attempt 17160 12592 web-application-activity 2005-0481 tcp $EXTERNAL_NET any -> $HOME_NET 8090 flow:to_server,established; content:"/ComGetLogFile.php3"; nocase; pcre:"/fn=Eye\d{4}_\d{2}.log/Rmsi"; metadata:service http; classtype:web-application-activity; 3545 WEB-MISC TrackerCam ComGetLogFile.php3 log information disclosure 17160 12592 web-application-attack 2005-0481 tcp $EXTERNAL_NET any -> $HOME_NET 8090 flow:to_server,established; content:"php"; nocase; pcre:"/php.*\x3f[^\n]{256}/smi"; metadata:service http; classtype:web-application-attack; 3547 WEB-MISC TrackerCam overly long php parameter overflow attempt 10798 web-application-activity 2004-2056 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"action.php"; fast_pattern; nocase; http_uri; content:"itemid="; nocase; pcre:"/itemid=\d*[^\d\&\;\r\n]/i"; metadata:service http; classtype:web-application-activity; 3690 WEB-CGI Nucleus CMS action.php itemid SQL injection 14194 14088 web-application-attack 2005-1921 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/xmlrpc.php"; fast_pattern; nocase; http_uri; pcre:"/^POST\s/smi"; metadata:service http; classtype:web-application-attack; 3827 WEB-PHP xmlrpc.php post attempt 14042 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cacti/graph_image.php"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 4650 WEB-MISC cacti graph_image.php access misc-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"POST"; content:"upload.php"; fast_pattern; nocase; http_uri; pcre:"/^Content-Type\x3A\s+multipart\/form-data/smiH"; content:"Content-Disposition|3A|"; nocase; http_header; pcre:"/filename=\S*\x2e\x2e\x2f/smiH"; content:"|0A|"; distance:0; metadata:service http; classtype:misc-attack; 5709 WEB-PHP file upload directory traversal bugs.php.net/bug.php?id=28456 712 attempted-recon 1999-0238 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/php.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 824 WEB-CGI php.cgi access 10178 14533 attempted-admin 2005-2612 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"wp_filter"; pcre:"/cache_lastpostdate\[[^\]]+\]=[^\x00\x3B\x3D]{30}/smi"; metadata:service http; classtype:attempted-admin; 8708 WEB-PHP Wordpress cache_lastpostdate code injection attempt 14129 web-application-attack 2005-1524 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"graph_image.php"; nocase; http_uri; pcre:"/graph_(start|end|height|width)=(?!(\d+|)[\x26\s])/smi"; metadata:service http; classtype:web-application-attack; 8712 WEB-PHP cacti graph_image arbitrary command execution attempt 14129 web-application-attack 2005-2148 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"graph_image.php"; nocase; http_uri; pcre:"/rra_id=(?!(\d+|all|)([\x26\s]|$))/smi"; metadata:service http; classtype:web-application-attack; 8713 WEB-PHP cacti graph_image SQL injection attempt 14129 web-application-attack 2005-2148 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"graph_image.php"; nocase; http_uri; pcre:"/local_graph_id=(?!(\d+|)([\x26\s]|$))/smi"; metadata:service http; classtype:web-application-attack; 8714 WEB-PHP cacti graph_image SQL injection attempt 14129 web-application-attack 2005-2148 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"graph.php"; nocase; http_uri; pcre:"/rra_id=(?!(\d+|all|)([\x26\s]|$))/smi"; metadata:service http; classtype:web-application-attack; 8715 WEB-PHP cacti graph_image SQL injection attempt 14129 web-application-attack 2005-2148 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"graph.php"; nocase; http_uri; pcre:"/local_graph_id=(?!(\d+|)([\x26\s]|$))/smi"; metadata:service http; classtype:web-application-attack; 8716 WEB-PHP cacti graph_image SQL injection attempt 26741 attempted-user 2008-0067 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"|2F|OvCgi|2F|"; fast_pattern; nocase; http_uri; isdataat:1024; pcre:"/^\x2FOvCgi\x2F[^\x2E]*?\x2Eexe[^\h]{1024}/iU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 13161 EXPLOIT HP OpenView CGI parameter buffer overflow attempt 28020 web-application-attack 2008-1365 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"/cgiablogon.exe"; fast_pattern:only; content:"CRYPT"; nocase; isdataat:512,relative; pcre:"/pwd=(\!|\%21)CRYPT(\!|\%21)[A-Z0-9]{512}/i"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:web-application-attack; 13591 WEB-CGI Trend Micro OfficeScan CGI password decryption buffer overflow attempt secunia.com/advisories/29124 28222 attempted-admin 2008-0532 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/CSuserCGI.exe?Logout"; nocase; http_uri; pcre:"/\x2FCSuserCGI\x2Eexe\x3FLogout.[^\s]{96}/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 13656 WEB-MISC Cisco Secure Access Control Server UCP Application CSuserCGI.exe buffer overflow attempt www.cisco.com/warp/public/707/cisco-sa-20080312-ucp.shtml 33177 attempted-admin 2008-5440 tcp $EXTERNAL_NET any -> $HOME_NET 17000 flow:to_server,established; content:"GET "; depth:4; nocase; content:"evtdump?"; distance:0; nocase; pcre:"/evtdump\x3f.*?\x2525[^\x20]*?\x20HTTP/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 15264 WEB-CGI Oracle TimesTen In-Memory Database evtdump CGI module format string exploit attempt 31139 attempted-admin 2008-2437 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/cgi/cgiRecvFile.exe"; http_uri; content:"ComputerName"; pcre:"/ComputerName\s*\x3d\s*\x22[^\x22]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 15510 WEB-CLIENT Trend Micro OfficeScan Server cgiRecvFile overflow attempt 15703 web-application-attack 2005-4031 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/wiki"; nocase; http_uri; content:"?uselang="; fast_pattern; nocase; http_uri; pcre:"/\x2fwiki[^\n]*\x3fuselang=[^\n\x26\x3f]*[a-zA-Z\x2d]/Usmi"; metadata:policy security-ips drop, service http; classtype:web-application-attack; 16079 WEB-CGI uselang code injection attempted-user 2010-1555 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"POST"; nocase; http_method; content:"|2F|OvCgi|2F|"; fast_pattern; http_uri; content:"Content|2D|Length|3A|"; byte_test:4,>,500,1,relative,hex,string; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16674 WEB-MISC HP OpenView CGI parameter buffer overflow attempt 25622 attempted-user 2007-4727 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"SCRIPT_FILENAME/etc/passwd|06 80 00|"; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17386 SPECIFIC-THREATS Lighttpd mod_fastcgi Extension CGI Variable Overwriting Vulnerability attempt 28020 web-application-attack 2008-1365 tcp $EXTERNAL_NET any -> $HOME_NET 8081 flow:to_server,established; content:"/cgiablogon.exe"; fast_pattern:only; content:"CRYPT"; nocase; isdataat:512,relative; pcre:"/pwd=(\!|\%21)CRYPT(\!|\%21)[^\r|\n|&]{513}/i"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:web-application-attack; 17605 WEB-CGI Trend Micro OfficeScan CGI password decryption buffer overflow attempt secunia.com/advisories/29124 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/"; nocase; http_uri; content:".fcgi"; nocase; http_uri; pcre:"/\x2Fcgi-bin\x2F[a-zA-Z0-9_]*\.fcgi/Ui"; content:"Host|3A| begin2search.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5764 SPYWARE-PUT Hijacker begin2search runtime detection - fcgi query www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/track.cgi?"; nocase; http_uri; content:"prov=INTERNAL"; nocase; http_uri; content:"prog="; nocase; http_uri; content:"siteid="; nocase; http_uri; content:"group="; nocase; http_uri; content:"Host|3A| track.aadserver.net"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5945 SPYWARE-PUT Adware weirdontheweb runtime detection - track.cgi request www3.ca.com/securityadvisor/pest/pest.aspx?id=453094260 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/log.cgi?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"port="; nocase; http_uri; content:"vicname="; nocase; http_uri; content:"server=DSK"; nocase; http_uri; content:"password="; nocase; http_uri; content:"usrname="; nocase; http_uri; metadata:policy security-ips drop; classtype:trojan-activity; 6019 BACKDOOR dsk lite 1.0 runtime detection - cgi notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"action="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"id=FeaR-Server"; nocase; http_uri; content:"win="; nocase; http_uri; content:"rpass="; nocase; http_uri; content:"connection="; nocase; http_uri; content:"s7pass="; nocase; http_uri; metadata:policy security-ips drop; classtype:trojan-activity; 6043 BACKDOOR fear 0.2 runtime detection - cgi notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"action="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"port="; nocase; http_uri; content:"win="; nocase; http_uri; content:"pass="; nocase; http_uri; content:"connection="; nocase; http_uri; content:"id=NEUROTICKA"; nocase; http_uri; content:"s7pass="; nocase; http_uri; metadata:policy security-ips drop; classtype:trojan-activity; 6059 BACKDOOR neurotickat1.3 runtime detection - cgi notification www3.ca.com/securityadvisor/pest/pest.aspx?id=31859 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"ip="; nocase; http_uri; content:"port="; nocase; http_uri; content:"nick=minibeta"; nocase; http_uri; content:"country="; nocase; http_uri; content:"visible="; nocase; http_uri; content:"protected="; nocase; http_uri; content:"about="; nocase; http_uri; metadata:policy security-ips drop; classtype:trojan-activity; 7076 BACKDOOR minimo v0.6 runtime detection - cgi notification misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?action=log"; fast_pattern; nocase; http_uri; content:"port="; nocase; http_uri; content:"rpass="; nocase; http_uri; content:"connection="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 7148 SPYWARE-PUT Hacker-Tool sars notifier runtime detection - cgi notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453078294 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/counter3.cgi?"; fast_pattern; nocase; http_uri; content:"p=moneytreck"; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 7524 SPYWARE-PUT Hijacker moneybar runtime detection - cgispy counter www.aladdin.com/home/csrt/grayware-list2.asp?GraywareNo=277 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"action="; nocase; http_uri; content:"User-Agent|3A| http protocol"; fast_pattern; nocase; http_header; metadata:policy security-ips drop; classtype:misc-activity; 7540 SPYWARE-PUT Hacker-Tool unify runtime detection - cgi notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453074224 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/prorat.cgi"; nocase; http_uri; content:"bilgisayaradi="; nocase; http_uri; content:"ipadresi="; nocase; http_uri; content:"serverportu="; nocase; http_uri; content:"kurban="; nocase; http_uri; content:"servermodeli="; nocase; http_uri; content:"serversaati="; nocase; http_uri; content:"servertarihi="; nocase; http_uri; content:"serversifre="; nocase; http_uri; content:"islem="; nocase; http_uri; metadata:policy security-ips drop; classtype:trojan-activity; 7722 BACKDOOR prorat 1.9 cgi notification detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453082779 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"ip="; nocase; http_uri; content:"port="; nocase; http_uri; content:"nick="; nocase; http_uri; content:"os="; nocase; http_uri; content:"compname="; nocase; http_uri; content:"protected="; nocase; http_uri; flowbits:set,nova_cgi_cts; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7742 BACKDOOR nova 1.0 runtime detection - cgi notification client-to-server www3.ca.com/securityadvisor/pest/pest.aspx?id=453073030 trojan-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,nova_cgi_cts; content:"|23| Nova CGI Notification Script"; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7743 BACKDOOR nova 1.0 runtime detection - cgi notification server-to-client www3.ca.com/securityadvisor/pest/pest.aspx?id=453073030 218 Server / HTTP / CGI 2156 web-application-attack 2001-0075 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/technote/main.cgi"; fast_pattern; nocase; http_uri; content:"filename="; nocase; content:"../../"; metadata:service http; classtype:web-application-attack; 1051 WEB-CGI technote main.cgi file directory traversal attempt 10584 2156 web-application-attack 2001-0075 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/technote/print.cgi"; fast_pattern; nocase; http_uri; content:"board="; nocase; content:"../../"; content:"%00"; metadata:service http; classtype:web-application-attack; 1052 WEB-CGI technote print.cgi directory traversal attempt 10584 2103 web-application-attack 2001-0025 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ads.cgi"; fast_pattern; nocase; http_uri; content:"file="; nocase; content:"../../"; content:"|7C|"; metadata:service http; classtype:web-application-attack; 1053 WEB-CGI ads.cgi command execution attempt 11464 1774 web-application-attack 2000-1005 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/web_store.cgi"; http_uri; content:"page=../"; metadata:service http; classtype:web-application-attack; 1088 WEB-CGI eXtropia webstore directory traversal 10532 1777 web-application-attack 2000-0921 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/shop.cgi"; http_uri; content:"page=../"; metadata:service http; classtype:web-application-attack; 1089 WEB-CGI shopping cart directory traversal web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/authenticate.cgi?PASSWORD"; fast_pattern; nocase; http_uri; content:"config.ini"; metadata:service http; classtype:web-application-attack; 1090 WEB-CGI Allaire Pro Web Shell attempt 1772 web-application-attack 2000-0924 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/search.cgi?keys"; http_uri; content:"catigory=../"; metadata:service http; classtype:web-application-attack; 1092 WEB-CGI Armada Style Master Index directory traversal 10562 www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt 1762 web-application-attack 2000-0906 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cached_feed.cgi"; http_uri; content:"../"; metadata:service http; classtype:web-application-attack; 1093 WEB-CGI cached_feed.cgi moreover shopping cart directory traversal 1725 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/webplus.cgi?Script=/webplus/webping/webping.wml"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1097 WEB-CGI Talentsoft Web+ exploit attempt 6472 web-application-activity 2006-6679 tcp $EXTERNAL_NET any -> $HOME_NET 80 flow:to_server,established; content:"chetcpasswd.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 10999 WEB-CGI chetcpasswd access 1431 web-application-activity 2000-0590 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/pollit/Poll_It_SSI_v2.0.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1106 WEB-CGI Poll-it access 10459 128 web-application-activity 1999-0021 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/count.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1149 WEB-CGI count.cgi access 10049 374 web-application-activity 1999-0039 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/webdist.cgi"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1163 WEB-CGI webdist.cgi access 10299 778 web-application-activity 1999-1550 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/bigconf.cgi"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1172 WEB-CGI bigconf.cgi access 10027 2002 web-application-activity 1999-0260 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/jj"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1174 WEB-CGI /cgi-bin/jj access 10131 11043 web-application-activity 2004-0798 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_maincfgret.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 11817 WEB-CGI WhatsUpGold configuration access 1104 web-application-attack 2000-0287 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/bizdb1-search.cgi"; fast_pattern; nocase; http_uri; content:"mail"; nocase; metadata:service http; classtype:web-application-attack; 1185 WEB-CGI bizdbsearch attempt 10383 1052 web-application-attack 2000-0180 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/sojourn.cgi?cat="; fast_pattern; nocase; http_uri; content:"%00"; nocase; metadata:service http; classtype:web-application-attack; 1194 WEB-CGI sojourn.cgi File attempt 10349 1052 web-application-activity 2000-0180 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/sojourn.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1195 WEB-CGI sojourn.cgi access 10349 1031 web-application-attack 2000-0207 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/infosrch.cgi?"; fast_pattern; nocase; http_uri; content:"fname="; nocase; metadata:service http; classtype:web-application-attack; 1196 WEB-CGI SGI InfoSearch fname attempt 10128 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ax-admin.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1204 WEB-CGI ax-admin.cgi access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/axs.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1205 WEB-CGI axs.cgi access 11043 web-application-attack 2004-0798 tcp $EXTERNAL_NET any -> $HTTP_SERVERS 7777 flow:to_server,established; content:"/_maincfgret.cgi"; fast_pattern; nocase; http_uri; pcre:"/instancename=[^&\x3b\r\n]{513}/smi"; metadata:service http; classtype:web-application-attack; 12056 WEB-CGI WhatsUpGold instancename overflow attempt 11043 web-application-activity 2004-0798 tcp $EXTERNAL_NET any -> $HTTP_SERVERS 7777 flow:to_server,established; content:"/_maincfgret.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 12057 WEB-CGI WhatsUpGold configuration access 2059 web-application-activity 1999-0710 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cachemgr.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1206 WEB-CGI cachemgr.cgi access 10034 3155 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/responder.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1208 WEB-CGI responder.cgi access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/web-map.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1211 WEB-CGI web-map.cgi access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ministats/admin.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1215 WEB-CGI ministats admin access 564 web-application-activity 1999-0913 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/dfire.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1219 WEB-CGI dfire.cgi access 2374 web-application-activity 2001-0224 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/empower?DB"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1221 WEB-MISC Muscat Empower cgi access 10609 2372 web-application-attack 2001-0217 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/pals-cgi"; fast_pattern; nocase; http_uri; content:"documentName="; metadata:service http; classtype:web-application-attack; 1222 WEB-CGI pals-cgi arbitrary file access attempt 10611 4448 web-application-activity 2002-1750 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"csGuestbook.cgi"; http_uri; content:"command=savesetup&setup="; http_uri; classtype:web-application-activity; 12255 WEB-CGI CSGuestbook setup attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/txt2html.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1304 WEB-CGI txt2html.cgi access web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/txt2html.cgi"; http_uri; content:"/../../../../"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1305 WEB-CGI txt2html.cgi directory traversal attempt 2385 web-application-attack 2001-0305 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/store.cgi"; nocase; http_uri; content:"product="; content:"../.."; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1306 WEB-CGI store.cgi product directory traversal attempt 2385 web-application-activity 2001-0305 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/store.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1307 WEB-CGI store.cgi access 10639 3673 attempted-recon 2001-1100 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/sendmessage.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1308 WEB-CGI sendmessage.cgi access attempted-recon 1999-0509 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/zsh"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1309 WEB-CGI zsh access www.cert.org/advisories/CA-1996-11.html 3755 attempted-recon 2001-1206 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/lastlines.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1392 WEB-CGI lastlines.cgi access 3759 web-application-activity 2001-1209 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/zml.cgi"; http_uri; content:"file=../"; metadata:service http; classtype:web-application-activity; 1395 WEB-CGI zml.cgi attempt 10830 3759 web-application-activity 2001-1209 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/zml.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1396 WEB-CGI zml.cgi access 10830 2370 web-application-attack 2001-0214 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/way-board/way-board.cgi"; http_uri; content:"db="; content:"../.."; nocase; metadata:service http; classtype:web-application-attack; 1397 WEB-CGI wayboard attempt 10610 3985 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/publisher/search.cgi"; fast_pattern; nocase; http_uri; content:"template="; nocase; metadata:service http; classtype:web-application-activity; 1405 WEB-CGI AHG search.cgi access 3976 web-application-activity 2002-0215 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/store/agora.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1406 WEB-CGI agora.cgi access 10836 2728 attempted-recon 2001-0527 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/dcboard.cgi"; http_uri; metadata:service http; classtype:attempted-recon; 1410 WEB-CGI dcboard.cgi access 10583 2563 attempted-recon 2001-0400 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/nph-maillist.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1451 WEB-CGI NPH-maillist access 10164 attempted-recon 1999-1180 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/args.cmd"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1452 WEB-CGI args.cmd access 11465 attempted-recon 1999-1072 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/AT-generated.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1453 WEB-CGI AT-generated.cgi access attempted-recon 2001-0223 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/wwwwais"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1454 WEB-CGI wwwwais access 10597 1215 attempted-recon 2000-0432 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"calendar"; fast_pattern; nocase; http_uri; pcre:"/calendar(|[-_]admin)\.pl/Ui"; metadata:service http; classtype:attempted-recon; 1455 WEB-CGI calendar.pl access attempted-recon 2000-0432 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/calender_admin.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1456 WEB-CGI calender_admin.pl access 10506 1486 attempted-recon 2000-0627 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/user_update_admin.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1457 WEB-CGI user_update_admin.pl access 1486 attempted-recon 2000-0627 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/user_update_passwd.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1458 WEB-CGI user_update_passwd.pl access 142 attempted-recon 1999-1462 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/bb-histlog.sh"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1459 WEB-CGI bb-histlog.sh access 10025 142 attempted-recon 1999-1462 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/bb-histsvc.sh"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1460 WEB-CGI bb-histsvc.sh access 142 attempted-recon 1999-1462 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/bb-rep.sh"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1461 WEB-CGI bb-rep.sh access 142 attempted-recon 1999-1462 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/bb-replog.sh"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1462 WEB-CGI bb-replog.sh access 2367 web-application-activity 2001-0212 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/auktion.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1465 WEB-CGI auktion.cgi access 10638 1963 web-application-activity 2000-1171 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cgiforum.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1466 WEB-CGI cgiforum.pl access 10552 2793 web-application-activity 2001-0780 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/directorypro.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1467 WEB-CGI directorypro.cgi access 10679 1776 web-application-attack 2000-0922 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/shopper.cgi"; fast_pattern; nocase; http_uri; content:"newpage=../"; nocase; metadata:service http; classtype:web-application-attack; 1468 WEB-CGI Web Shopper shopper.cgi attempt 10533 1776 attempted-recon 2000-0922 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/shopper.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1469 WEB-CGI Web Shopper shopper.cgi access 3328 attempted-recon 2001-0997 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/listrec.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1470 WEB-CGI listrec.pl access 10769 2391 attempted-recon 2001-0271 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/mailnews.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1471 WEB-CGI mailnews.cgi access 10641 3178 web-application-activity 2001-1114 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/book.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1472 WEB-CGI book.cgi access 10721 2172 attempted-recon 2001-0232 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/newsdesk.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1473 WEB-CGI newsdesk.cgi access 10586 2663 web-application-activity 2001-0463 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cal_make.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1474 WEB-CGI cal_make.pl access 10664 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/mailit.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1475 WEB-CGI mailit.pl access 10417 1658 attempted-recon 2001-1130 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/sdbsearch.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1476 WEB-CGI sdbsearch.cgi access 10720 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/swc"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1478 WEB-CGI swc access 10493 2890 web-application-attack 2001-0805 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ttawebtop.cgi"; nocase; content:"pg=../"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1479 WEB-CGI ttawebtop.cgi arbitrary file attempt 10696 2890 attempted-recon 2001-0805 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ttawebtop.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1480 WEB-CGI ttawebtop.cgi access 10696 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/upload.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1481 WEB-CGI upload.cgi access 10290 2251 attempted-recon 1999-0174 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/view_source"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1482 WEB-CGI view_source access 10294 web-application-activity 2001-0466 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ustorekeeper.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1483 WEB-CGI ustorekeeper.pl access 10645 2385 web-application-attack 2001-0305 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/store.cgi"; fast_pattern; nocase; http_uri; content:"../"; metadata:service http; classtype:web-application-attack; 1488 WEB-CGI store.cgi directory traversal attempt 10639 3175 web-application-attack 2001-1115 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/generate.cgi"; http_uri; content:"content=../"; metadata:service http; classtype:web-application-attack; 1494 WEB-CGI SIX webboard generate.cgi attempt 10725 3175 web-application-activity 2001-1115 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/generate.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1495 WEB-CGI SIX webboard generate.cgi access 10725 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/spin_client.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1496 WEB-CGI spin_client.cgi access 10393 2705 web-application-attack 2001-0561 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/a1disp3.cgi?/../../"; http_uri; metadata:service http; classtype:web-application-attack; 1501 WEB-CGI a1stats a1disp3.cgi directory traversal attempt 10669 2705 web-application-activity 2001-0561 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/a1disp3.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1502 WEB-CGI a1stats a1disp3.cgi access 10669 4152 web-application-activity 2002-0308 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admentor/admin/admin.asp"; http_uri; metadata:service http; classtype:web-application-activity; 1503 WEB-CGI admentor admin.asp access 10880 www.securiteam.com/windowsntfocus/5DP0N1F6AW.html 3599 web-application-activity 2001-0871 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/PRN/../../"; http_uri; metadata:service http; classtype:web-application-activity; 1505 WEB-CGI alchemy http server PRN arbitrary command execution attempt 10818 3599 web-application-activity 2001-0871 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/NUL/../../"; http_uri; metadata:service http; classtype:web-application-activity; 1506 WEB-CGI alchemy http server NUL arbitrary command execution attempt 10818 770 web-application-attack 1999-0885 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/alibaba.pl|7C|"; http_uri; metadata:service http; classtype:web-application-attack; 1507 WEB-CGI alibaba.pl arbitrary command execution attempt 10013 770 web-application-activity 1999-0885 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/alibaba.pl"; http_uri; metadata:service http; classtype:web-application-activity; 1508 WEB-CGI alibaba.pl access 10013 896 web-application-attack 2000-0039 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/query?mss=.."; http_uri; metadata:service http; classtype:web-application-attack; 1509 WEB-CGI AltaVista Intranet Search directory traversal attempt 10015 762 web-application-attack 1999-0947 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/test.bat|7C|"; http_uri; metadata:service http; classtype:web-application-attack; 1510 WEB-CGI test.bat arbitrary command execution attempt 10016 762 web-application-activity 1999-0947 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/test.bat"; http_uri; metadata:service http; classtype:web-application-activity; 1511 WEB-CGI test.bat access 10016 762 web-application-attack 1999-0947 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/input.bat|7C|"; http_uri; metadata:service http; classtype:web-application-attack; 1512 WEB-CGI input.bat arbitrary command execution attempt 10016 762 web-application-activity 1999-0947 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/input.bat"; http_uri; metadata:service http; classtype:web-application-activity; 1513 WEB-CGI input.bat access 10016 762 web-application-attack 1999-0947 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/input2.bat|7C|"; http_uri; metadata:service http; classtype:web-application-attack; 1514 WEB-CGI input2.bat arbitrary command execution attempt 10016 762 web-application-activity 1999-0947 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/input2.bat"; http_uri; metadata:service http; classtype:web-application-activity; 1515 WEB-CGI input2.bat access 10016 762 web-application-attack 1999-0947 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/envout.bat|7C|"; http_uri; metadata:service http; classtype:web-application-attack; 1516 WEB-CGI envout.bat arbitrary command execution attempt 10016 762 web-application-activity 1999-0947 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/envout.bat"; http_uri; metadata:service http; classtype:web-application-activity; 1517 WEB-CGI envout.bat access 10016 142 web-application-attack 1999-1462 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/bb-hist.sh?HISTFILE=../.."; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1531 WEB-CGI bb-hist.sh attempt 10025 1455 web-application-attack 2000-0638 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/bb-hostsvc.sh?HOSTSVC?../.."; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1532 WEB-CGI bb-hostscv.sh attempt 10460 1455 web-application-activity 2000-0638 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/bb-hostsvc.sh"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1533 WEB-CGI bb-hostscv.sh access 10460 3976 web-application-attack 2002-0215 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/store/agora.cgi?cart_id=<SCRIPT>"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1534 WEB-CGI agora.cgi attempt 10836 1104 web-application-activity 2000-0287 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/bizdb1-search.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1535 WEB-CGI bizdbsearch access 10383 1215 web-application-attack 2000-0432 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/calendar_admin.pl?config=|7C|"; http_uri; metadata:service http; classtype:web-application-attack; 1536 WEB-CGI calendar_admin.pl arbitrary command execution attempt 10506 1215 web-application-activity 2000-0432 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/calendar_admin.pl"; http_uri; metadata:service http; classtype:web-application-activity; 1537 WEB-CGI calendar_admin.pl access 10506 936 web-application-activity 2000-0079 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/ls"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1539 WEB-CGI /cgi-bin/ls access 10037 1623 web-application-activity 2000-0726 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cgimail"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1542 WEB-CGI cgimail access 11721 777 web-application-activity 2001-0987 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cgiwrap"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1543 WEB-CGI cgiwrap access 10041 4368 web-application-attack 2002-0495 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/csSearch.cgi"; http_uri; content:"setup="; content:"`"; content:"`"; distance:1; metadata:service http; classtype:web-application-attack; 1547 WEB-CGI csSearch.cgi arbitrary command execution attempt 10924 4368 web-application-activity 2002-0495 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/csSearch.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1548 WEB-CGI csSearch.cgi access 10924 1178 web-application-activity 2000-0381 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/dbman/db.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1554 WEB-CGI dbman db.cgi access 10403 2889 web-application-activity 2001-0821 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/dcshop"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1555 WEB-CGI DCShop access 2889 web-application-activity 2001-0821 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/orders/orders.txt"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1556 WEB-CGI DCShop orders.txt access 2889 web-application-activity 2001-0821 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/auth_data/auth_user_file.txt"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1557 WEB-CGI DCShop auth_user_file.txt access 3340 web-application-attack 2001-1014 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/eshop.pl?seite=|3B|"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1565 WEB-CGI eshop.pl arbitrary command execution attempt 3340 web-application-activity 2001-1014 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/eshop.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1566 WEB-CGI eshop.pl access 2109 web-application-attack 2000-1092 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/loadpage.cgi"; http_uri; content:"file=../"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1569 WEB-CGI loadpage.cgi directory traversal attempt 10065 2109 web-application-activity 2000-1092 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/loadpage.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1570 WEB-CGI loadpage.cgi access 10065 2611 web-application-attack 2001-0437 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/dcforum.cgi"; http_uri; content:"forum=../.."; metadata:service http; classtype:web-application-attack; 1571 WEB-CGI dcforum.cgi directory traversal attempt 10583 2361 attempted-recon 2001-0210 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/commerce.cgi"; http_uri; content:"page="; content:"/../"; nocase; metadata:service http; classtype:attempted-recon; 1572 WEB-CGI commerce.cgi arbitrary file access attempt 10612 1963 web-application-attack 2000-1171 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cgiforum.pl?thesection=../.."; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1573 WEB-CGI cgiforum.pl attempt 10552 2793 web-application-attack 2001-0780 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/directorypro.cgi"; http_uri; content:"show="; content:"../.."; distance:1; nocase; metadata:service http; classtype:web-application-attack; 1574 WEB-CGI directorypro.cgi attempt 10679 3885 web-application-activity 2002-0128 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cgitest.exe"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1587 WEB-MISC cgitest.exe access 11131 3810 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/faqmanager.cgi?toc="; http_uri; content:"|00|"; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1590 WEB-CGI faqmanager.cgi arbitrary file access attempt 10837 attempted-admin 2008-3862 tcp $EXTERNAL_NET any -> $HOME_NET 8080 flow:to_server,established; content:"POST"; nocase; http_method; content:"/officescan/cgi/cgi"; nocase; http_uri; content:"multipart/form-data"; nocase; content:"|0A|--"; distance:0; isdataat:270; content:!"|0A|--"; within:270; metadata:service http; classtype:attempted-admin; 15908 WEB-MISC Trend Micro OfficeScan multiple CGI modules HTTP form processing buffer overflow attempt 3810 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/faqmanager.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1591 WEB-CGI faqmanager.cgi access 10837 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/fcgi-bin/echo.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1592 WEB-CGI /fcgi-bin/echo.exe access 10838 799 web-application-attack 1999-1050 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/FormHandler.cgi"; fast_pattern; nocase; http_uri; content:"redirect=http"; metadata:service http; classtype:web-application-attack; 1593 WEB-CGI FormHandler.cgi external site redirection attempt 10075 799 web-application-activity 1999-1050 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/FormHandler.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1594 WEB-CGI FormHandler.cgi access 10075 web-application-activity 1999-0237 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/guestbook.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1597 WEB-CGI guestbook.cgi access 10098 921 web-application-attack 2000-0054 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/search.cgi"; http_uri; content:"letter=../"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1598 WEB-CGI Home Free search.cgi directory traversal attempt 10101 921 web-application-activity 2000-0054 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/search.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1599 WEB-CGI search.cgi access 3410 web-application-attack 2001-0834 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/htsearch?-c"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1600 WEB-CGI htsearch arbitrary configuration file attempt 1026 web-application-attack 2000-0208 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/htsearch?exclude=`"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1601 WEB-CGI htsearch arbitrary file read attempt 10105 1026 web-application-activity 2000-0208 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/htsearch"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1602 WEB-CGI htsearch access 10105 web-application-activity 1999-1069 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/icat"; http_uri; metadata:service http; classtype:web-application-activity; 1606 WEB-CGI icat access 2314 web-application-activity 2001-0253 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/hsx.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1607 WEB-CGI HyperSeek hsx.cgi access 10602 2001 web-application-attack 1999-0264 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/htmlscript?../.."; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1608 WEB-CGI htmlscript attempt 10106 1774 web-application-activity 2000-1005 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/web_store.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1611 WEB-CGI eXtropia webstore access 10532 3800 web-application-activity 2002-0011 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/doeditvotes.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1617 WEB-CGI Bugzilla doeditvotes.cgi access 799 web-application-attack 1999-1050 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/FormHandler.cgi"; nocase; http_uri; content:"reply_message_attach="; fast_pattern:only; content:"/../"; metadata:service http; classtype:web-application-attack; 1628 WEB-CGI FormHandler.cgi directory traversal attempt attempt 10075 1668 attempted-recon 2000-0853 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/YaBB"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1637 WEB-CGI yabb access 10512 2017 web-application-activity 2000-1110 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/document.d2w"; http_uri; metadata:service http; classtype:web-application-activity; 1642 WEB-CGI document.d2w access web-application-activity 2000-0677 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/db2www"; http_uri; metadata:service http; classtype:web-application-activity; 1643 WEB-CGI db2www access 2003 web-application-attack 1999-0070 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/test-cgi/*?*"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1644 WEB-CGI test-cgi attempt 10282 7214 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/testcgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1645 WEB-CGI testcgi access 11610 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/test.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1646 WEB-CGI test.cgi access attempted-recon 1999-0509 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/perl.exe?"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1648 WEB-CGI perl.exe command attempt 10173 www.cert.org/advisories/CA-1996-11.html attempted-recon 1999-0509 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/perl?"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1649 WEB-CGI perl command attempt 10173 www.cert.org/advisories/CA-1996-11.html 770 web-application-activity 1999-0885 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/tst.bat"; http_uri; metadata:service http; classtype:web-application-activity; 1650 WEB-CGI tst.bat access 10014 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/environ.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1651 WEB-CGI environ.pl access 1975 web-application-attack 1999-0146 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/campas?|0A|"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1652 WEB-CGI campas attempt 10035 1153 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cart32.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1654 WEB-CGI cart32.exe access 10389 web-application-attack 1999-0270 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/pfdispaly.cgi?'"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1655 WEB-CGI pfdispaly.cgi arbitrary command execution attempt 10174 64 web-application-activity 1999-0270 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/pfdispaly.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1656 WEB-CGI pfdispaly.cgi access 10174 1864 web-application-activity 2000-0940 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/pagelog.cgi"; nocase; http_uri; content:"name=../"; fast_pattern:only; metadata:service http; classtype:web-application-activity; 1657 WEB-CGI pagelog.cgi directory traversal attempt 10591 1864 web-application-activity 2000-0940 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/pagelog.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1658 WEB-CGI pagelog.cgi access 10591 bad-unknown tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any flow:from_server,established; content:"Index of /cgi-bin/"; nocase; classtype:bad-unknown; 1666 ATTACK-RESPONSES index of /cgi-bin/ response 10039 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/"; http_uri; content:"/cgi-bin/ HTTP"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1668 WEB-CGI /cgi-bin/ access web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cgi-dos/"; http_uri; content:"/cgi-dos/ HTTP"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1669 WEB-CGI /cgi-dos/ access trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/rd.cgi?f=/vercfg.dat?AgentID="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16922 BLACKLIST URI request for known malicious URI - /cgi-bin/rd.cgi?f=/vercfg.dat?AgentID= labs.snort.org/docs/16922.html 739 web-application-activity 1999-0951 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/imagemap.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1700 WEB-CGI imagemap.exe access 10122 1215 web-application-activity 2000-0432 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/calendar-admin.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1701 WEB-CGI calendar-admin.pl access 10506 2504 web-application-activity 2001-0272 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/sendtemp.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1702 WEB-CGI Amaya templates sendtemp.pl access 2367 web-application-attack 2001-0212 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/auktion.cgi"; fast_pattern; nocase; http_uri; content:"menue=../../"; nocase; metadata:service http; classtype:web-application-attack; 1703 WEB-CGI auktion.cgi directory traversal attempt 10638 2663 web-application-attack 2001-0463 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cal_make.pl"; nocase; http_uri; content:"p0=../../"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1704 WEB-CGI cal_make.pl directory traversal attempt 10664 1002 web-application-attack 2000-0213 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/echo.bat"; http_uri; content:"&"; metadata:service http; classtype:web-application-attack; 1705 WEB-CGI echo.bat arbitrary command execution attempt 10246 1002 web-application-activity 2000-0213 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/echo.bat"; http_uri; metadata:service http; classtype:web-application-activity; 1706 WEB-CGI echo.bat access 10246 1002 web-application-attack 2000-0213 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/hello.bat"; http_uri; content:"&"; metadata:service http; classtype:web-application-attack; 1707 WEB-CGI hello.bat arbitrary command execution attempt 10246 1002 web-application-activity 2000-0213 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/hello.bat"; http_uri; metadata:service http; classtype:web-application-activity; 1708 WEB-CGI hello.bat access 10246 2103 web-application-activity 2001-0025 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ad.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1709 WEB-CGI ad.cgi access 11464 2177 web-application-activity 2001-0123 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/bbs_forum.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1710 WEB-CGI bbs_forum.cgi access www.cgisecurity.com/advisory/3.1.txt 2159 web-application-activity 2001-0099 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/bsguest.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1711 WEB-CGI bsguest.cgi access 2160 web-application-activity 2001-0100 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/bslist.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1712 WEB-CGI bslist.cgi access 1951 web-application-activity 2000-1132 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cgforum.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1713 WEB-CGI cgforum.cgi access web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/newdesk"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1714 WEB-CGI newdesk access 2157 web-application-activity 2001-0076 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/register.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1715 WEB-CGI register.cgi access 1940 web-application-activity 2000-1131 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/gbook.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1716 WEB-CGI gbook.cgi access 2106 web-application-activity 2001-0022 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/simplestguest.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1717 WEB-CGI simplestguest.cgi access 2211 web-application-activity 2001-0113 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/statsconfig.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1718 WEB-CGI statsconfig.pl access 2547 web-application-attack 2001-0420 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/talkbalk.cgi"; nocase; http_uri; content:"article=../../"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1719 WEB-CGI talkback.cgi directory traversal attempt 2547 web-application-activity 2001-0420 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/talkbalk.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1720 WEB-CGI talkback.cgi access web-application-activity 1999-1067 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/MachineInfo"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1722 WEB-CGI MachineInfo access 5824 web-application-activity 2002-1526 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/emumail.cgi"; http_uri; content:"type="; nocase; content:"%00"; metadata:service http; classtype:web-application-activity; 1723 WEB-CGI emumail.cgi NULL attempt 5824 web-application-activity 2002-1526 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/emumail.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1724 WEB-CGI emumail.cgi access 1031 web-application-activity 2000-0207 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/infosrch.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1727 WEB-CGI SGI InfoSearch fname access 2536 web-application-attack 2001-0466 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ustorekeeper.pl"; nocase; http_uri; content:"file=../../"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1730 WEB-CGI ustorekeeper.pl directory traversal attempt 10645 2705 web-application-activity 2001-0561 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/a1stats/"; http_uri; metadata:service http; classtype:web-application-activity; 1731 WEB-CGI a1stats access 10669 629 web-application-attack 1999-0067 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/phf"; fast_pattern; nocase; http_uri; content:"QALIAS"; nocase; content:"%0a"; metadata:service http; classtype:web-application-attack; 1762 WEB-CGI phf arbitrary command execution attempt 938 web-application-attack 2000-0064 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cgiproc?Nocfile="; http_uri; metadata:service http; classtype:web-application-attack; 1763 WEB-CGI Nortel Contivity cgiproc DOS attempt 10160 938 web-application-attack 2000-0064 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cgiproc?|24|"; http_uri; metadata:service http; classtype:web-application-attack; 1764 WEB-CGI Nortel Contivity cgiproc DOS attempt 10160 938 web-application-activity 2000-0064 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cgiproc"; http_uri; metadata:service http; classtype:web-application-activity; 1765 WEB-CGI Nortel Contivity cgiproc access 10160 4889 web-application-activity 2002-0918 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/csPassword.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1787 WEB-CGI csPassword.cgi access 4889 web-application-activity 2002-0920 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/password.cgi.tmp"; http_uri; metadata:service http; classtype:web-application-activity; 1788 WEB-CGI csPassword password.cgi.tmp access 4848 web-application-activity 2002-0947 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/rwcgi60"; http_uri; content:"setauth="; metadata:service http; classtype:web-application-activity; 1805 WEB-CGI Oracle reports CGI access 4983 web-application-attack 2002-0934 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/alienform.cgi"; http_uri; content:".|7C|./.|7C|."; metadata:service http; classtype:web-application-attack; 1822 WEB-CGI alienform.cgi directory traversal attempt 11027 4983 web-application-attack 2002-0934 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/af.cgi"; http_uri; content:".|7C|./.|7C|."; metadata:service http; classtype:web-application-attack; 1823 WEB-CGI AlienForm af.cgi directory traversal attempt 11027 4983 web-application-activity 2002-0934 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/alienform.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1824 WEB-CGI alienform.cgi access 11027 4983 web-application-activity 2002-0934 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/af.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1825 WEB-CGI AlienForm af.cgi access 11027 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/way-board.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1850 WEB-CGI way-board.cgi access 10610 4017 web-application-attack 2002-0232 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/mrtg.cgi"; http_uri; content:"cfg=/../"; metadata:service http; classtype:web-application-attack; 1862 WEB-CGI mrtg.cgi directory traversal attempt 11001 374 web-application-attack 1999-0039 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/webdist.cgi"; nocase; http_uri; content:"distloc=|3B|"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1865 WEB-CGI webdist.cgi arbitrary command attempt 10299 3028 default-login-attempt 2001-0804 tcp $EXTERNAL_NET any -> $HOME_NET 8080 flow:to_server,established; content:"/story.pl"; http_uri; content:"next=../"; metadata:service http; classtype:default-login-attempt; 1868 WEB-CGI story.pl arbitrary file read attempt 10817 3028 default-login-attempt 2001-0804 tcp $EXTERNAL_NET any -> $HOME_NET 8080 flow:to_server,established; content:"/story.pl"; http_uri; metadata:service http; classtype:default-login-attempt; 1869 WEB-CGI story.pl access 10817 951 web-application-activity 2000-0117 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/.cobalt/siteUserMod/siteUserMod.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1870 WEB-CGI siteUserMod.cgi access 10253 6141 web-application-activity 2002-1652 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cgicso"; http_uri; metadata:service http; classtype:web-application-activity; 1875 WEB-CGI cgicso access 10780 web-application-activity 1999-1177 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/nph-publish.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1876 WEB-CGI nph-publish.cgi access 10164 1658 web-application-activity 2000-0868 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/printenv"; http_uri; metadata:service http; classtype:web-application-activity; 1877 WEB-CGI printenv access 10503 1658 web-application-activity 2000-0868 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/sdbsearch.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1878 WEB-CGI sdbsearch.cgi access 10503 3178 web-application-attack 2001-1114 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/book.cgi"; fast_pattern; nocase; http_uri; content:"current=|7C|"; nocase; metadata:service http; classtype:web-application-attack; 1879 WEB-CGI book.cgi arbitrary command execution attempt 10721 web-application-activity 1999-1278 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/rpc-nlog.pl"; http_uri; metadata:service http; classtype:web-application-activity; 1931 WEB-CGI rpc-nlog.pl access marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2 web-application-activity 1999-1278 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/rpc-smb.pl"; http_uri; metadata:service http; classtype:web-application-activity; 1932 WEB-CGI rpc-smb.pl access 1115 web-application-activity 2000-0252 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cart.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1933 WEB-CGI cart.cgi access 10368 6038 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/vpasswd.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1994 WEB-CGI vpasswd.cgi access 11165 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/alya.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1995 WEB-CGI alya.cgi access 11118 3495 web-application-activity 2001-0849 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/viralator.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 1996 WEB-CGI viralator.cgi access 11107 7133 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/smartsearch.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 2001 WEB-CGI smartsearch.cgi access 1762 web-application-activity 2000-0906 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cached_feed.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 2051 WEB-CGI cached_feed.cgi moreover shopping cart access 6326 web-application-activity 2002-1361 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/overflow.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 2052 WEB-CGI overflow.cgi access 11190 www.cert.org/advisories/CA-2002-35.html 3272 web-application-activity 2002-0008 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/process_bug.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2053 WEB-CGI process_bug.cgi access 3272 web-application-attack 2002-0008 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/enter_bug.cgi"; fast_pattern; nocase; http_uri; content:"who="; content:"|3B|"; distance:0; metadata:service http; classtype:web-application-attack; 2054 WEB-CGI enter_bug.cgi arbitrary command attempt 3272 web-application-activity 2002-0008 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/enter_bug.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2055 WEB-CGI enter_bug.cgi access 6960 web-application-activity 2003-0054 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/parse_xml.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2085 WEB-CGI parse_xml.cgi access 6960 web-application-activity 2003-0054 tcp $EXTERNAL_NET any -> $HTTP_SERVERS 1220 flow:to_server,established; content:"/parse_xml.cgi"; fast_pattern:only; metadata:service http; classtype:web-application-activity; 2086 WEB-CGI streaming server parse_xml.cgi access 11278 7444 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/album.pl"; fast_pattern:only; metadata:service http; classtype:web-application-activity; 2115 WEB-CGI album.pl access 11581 2767 web-application-activity 2001-1341 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/chipcfg.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2116 WEB-CGI chipcfg.cgi access archives.neohapsis.com/archives/bugtraq/2001-05/0233.html 7361 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ikonboard.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2127 WEB-CGI ikonboard.cgi access 11605 7510 web-application-activity 2003-0217 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/swsrv.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2128 WEB-CGI swsrv.cgi access 11608 6265 web-application-activity 2002-0749 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/CSMailto.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2194 WEB-CGI CSMailto.cgi access 11748 4579 web-application-activity 2002-0346 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/alert.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2195 WEB-CGI alert.cgi access 11748 4579 web-application-activity 2001-1212 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/alert.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2196 WEB-CGI catgy.cgi access 11748 5517 web-application-activity 2003-0153 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cvsview2.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2197 WEB-CGI cvsview2.cgi access 11748 5517 web-application-activity 2003-0153 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cvslog.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2198 WEB-CGI cvslog.cgi access 11748 5517 web-application-activity 2003-0153 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/multidiff.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2199 WEB-CGI multidiff.cgi access 11748 4579 web-application-activity 2000-0423 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/dnewsweb.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2200 WEB-CGI dnewsweb.cgi access 11748 4579 web-application-activity 2001-1196 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/edit_action.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2202 WEB-CGI edit_action.cgi access 11748 4579 web-application-activity 2001-0023 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/everythingform.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2203 WEB-CGI everythingform.cgi access 11748 4579 web-application-activity 2002-0263 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ezadmin.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2204 WEB-CGI ezadmin.cgi access 11748 4579 web-application-activity 2002-0263 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ezboard.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2205 WEB-CGI ezboard.cgi access 11748 4579 web-application-activity 2002-0263 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ezman.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2206 WEB-CGI ezman.cgi access 11748 6784 web-application-activity 2002-0611 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/fileseek.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2207 WEB-CGI fileseek.cgi access 11748 4579 web-application-activity 2002-0230 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/fom.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2208 WEB-CGI fom.cgi access 11748 4579 web-application-activity 2000-0288 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/getdoc.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2209 WEB-CGI getdoc.cgi access 11748 4579 web-application-activity 2000-0952 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/global.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2210 WEB-CGI global.cgi access 11748 4579 web-application-activity 2001-0180 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/guestserver.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2211 WEB-CGI guestserver.cgi access 11748 6265 web-application-activity 2002-1334 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/imageFolio.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2212 WEB-CGI imageFolio.cgi access 11748 4579 web-application-activity 2000-0977 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/mailfile.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2213 WEB-CGI mailfile.cgi access 11748 4579 web-application-activity 2000-0526 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/mailview.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2214 WEB-CGI mailview.cgi access 11748 4579 web-application-activity 2000-1023 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/nsManager.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2215 WEB-CGI nsManager.cgi access 11748 4579 web-application-activity 2001-1283 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/readmail.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2216 WEB-CGI readmail.cgi access 11748 4579 web-application-activity 2001-1283 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/printmail.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2217 WEB-CGI printmail.cgi access 11748 4579 web-application-activity 2002-0346 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/service.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2218 WEB-CGI service.cgi access 11748 4579 web-application-activity 2001-0133 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/setpasswd.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2219 WEB-CGI setpasswd.cgi access 11748 4579 web-application-activity 2001-0022 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/simplestmail.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2220 WEB-CGI simplestmail.cgi access 11748 4579 web-application-activity 2001-1343 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ws_mail.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2221 WEB-CGI ws_mail.cgi access 11748 7913 web-application-activity 2003-0434 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/nph-exploitscanget.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2222 WEB-CGI nph-exploitscanget.cgi access 11740 4994 web-application-activity 2002-0923 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/csNews.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2223 WEB-CGI csNews.cgi access 11726 6607 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/psunami.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2224 WEB-CGI psunami.cgi access 11750 6086 web-application-activity 2002-1236 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/gozila.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2225 WEB-CGI gozila.cgi access 11773 3216 web-application-activity 2001-1150 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cgiWebupdate.exe"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2237 WEB-MISC cgiWebupdate.exe access 11722 1657 web-application-activity 2000-0826 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ddicgi.exe"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2242 WEB-MISC ddicgi.exe access 11728 3583 web-application-activity 2001-0922 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ndcgi.exe"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2243 WEB-MISC ndcgi.exe access 11730 9038 web-application-activity 2003-0627 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/psdoccgi"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2277 WEB-MISC PeopleSoft PeopleBooks psdoccgi access 9282 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/quickstore.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2323 WEB-CGI quickstore.cgi access 11975 8257 web-application-activity 2003-0422 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/view_broadcast.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2387 WEB-CGI view_broadcast.cgi access 8257 web-application-activity 2003-0422 tcp $EXTERNAL_NET any -> $HTTP_SERVERS 1220 flow:to_server,established; content:"/view_broadcast.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2388 WEB-CGI streaming server view_broadcast.cgi access 8095 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/whereami.cgi?g="; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 2396 WEB-CGI CCBill whereami.cgi arbitrary command execution attempt secunia.com/advisories/9191/ 8095 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/whereami.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2397 WEB-CGI CCBill whereami.cgi access secunia.com/advisories/9191/ 9317 web-application-attack 2003-1200 tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3000 flow:to_server,established; content:"/form2raw.cgi"; fast_pattern:only; pcre:"/\Wfrom=[^\x3b&\n]{100}/si"; metadata:service http; classtype:web-application-attack; 2433 WEB-CGI MDaemon form2raw.cgi overflow attempt secunia.com/advisories/10512/ 9317 web-application-activity 2003-1200 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/form2raw.cgi"; fast_pattern:only; metadata:service http; classtype:web-application-activity; 2434 WEB-CGI MDaemon form2raw.cgi access secunia.com/advisories/10512/ 9861 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/init.emu"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2567 WEB-CGI Emumail init.emu access 12095 9861 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/emumail.fcgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2568 WEB-CGI Emumail emumail.fcgi access 12095 11043 web-application-attack 2004-0798 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/_maincfgret.cgi"; fast_pattern; nocase; http_uri; content:"instancename="; nocase; http_uri; isdataat:513,relative; pcre:"/instancename=[^&\x3b\r\n]{513}/Usmi"; metadata:service http; classtype:web-application-attack; 2663 WEB-CGI WhatsUpGold instancename overflow attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/processit.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2668 WEB-CGI processit access 10649 3476 web-application-activity 2001-0839 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ibillpm.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 2669 WEB-CGI ibillpm.pl access 11083 3605 web-application-activity 2001-0937 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/pgpmail.pl"; http_uri; metadata:service http; classtype:web-application-activity; 2670 WEB-CGI pgpmail.pl access 11070 9791 web-application-activity 2004-0347 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/delhomepage.cgi"; http_uri; metadata:service http; classtype:web-application-activity; 3062 WEB-CGI NetScreen SA 5000 delhomepage.cgi access web-application-attack 2005-0202 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/mailman/"; http_uri; content:".../"; http_uri; metadata:service http; classtype:web-application-attack; 3131 WEB-CGI mailman directory traversal attempt 12572 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/awstats.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 3463 WEB-CGI awstats access 16456 12572 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/awstats.pl?"; fast_pattern; nocase; http_uri; content:"update="; http_uri; pcre:"/update=[^\r\n\x26]+/Ui"; content:"logfile="; nocase; http_uri; pcre:"/awstats.pl?[^\r\n]*logfile=\x7C/Ui"; metadata:service http; classtype:web-application-attack; 3464 WEB-CGI awstats.pl command execution attempt 16456 10812 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/show.pl"; fast_pattern; nocase; http_uri; content:"url="; nocase; metadata:service http; classtype:web-application-activity; 3465 WEB-CGI RiSearch show.pl proxy attempt 10831 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/math_sum.mscgi"; http_uri; metadata:service http; classtype:web-application-activity; 3468 WEB-CGI math_sum.mscgi access 14182 11110 attempted-dos 2004-0799 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/prn"; fast_pattern; nocase; http_uri; pcre:"/\/prn\.(asp|cgi|html?)/Ui"; metadata:service http; classtype:attempted-dos; 3469 WEB-CGI Ipswitch WhatsUp Gold dos attempt www.secunia.com/advisories/12578/ 10926 web-application-attack 2004-2221 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/SoftCart.exe"; fast_pattern; nocase; http_uri; pcre:"/\/SoftCart.exe\?[^\s]{100}/smi"; metadata:service http; classtype:web-application-attack; 3638 WEB-CGI SoftCart.exe CGI buffer overflow attempt 5723 web-application-attack 2002-1483 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/db4web_c"; fast_pattern; nocase; http_uri; pcre:"/db4web_c(\.exe)?\/.*(\.\.[\\|\/]|[a-z]\:)/smiU"; metadata:service http; classtype:web-application-attack; 3674 WEB-CGI db4web_c directory traversal attempt 11182 12298 attempted-user 2005-0116 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/awstats.pl?"; fast_pattern; nocase; http_uri; content:"configdir="; nocase; http_uri; pcre:"/awstats.pl?[^\r\n]*configdir=\x7C/Ui"; metadata:service http; classtype:attempted-user; 3813 WEB-CGI awstats.pl configdir command execution attempt 16189 10721 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ShellExample.cgi"; fast_pattern; nocase; http_uri; pcre:"/ShellExample.cgi\?[^\n\r\&]*\x2a/Ui"; metadata:service http; classtype:attempted-recon; 4128 WEB-CGI 4DWebstar ShellExample.cgi information disclosure www.atstake.com/research/advisories/2004/a071304-1.txt 2314 web-application-attack 2001-0253 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/hsx.cgi"; http_uri; content:"../../"; content:"%00"; distance:1; metadata:service http; classtype:web-application-attack; 803 WEB-CGI HyperSeek hsx.cgi directory traversal attempt 10602 2492 web-application-attack 2001-0476 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/s.cgi"; fast_pattern; nocase; http_uri; content:"tmpl="; metadata:service http; classtype:web-application-attack; 804 WEB-CGI SWSoft ASPSeek Overflow attempt 969 attempted-user 2000-0127 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/wsisa.dll/WService="; fast_pattern; nocase; http_uri; content:"WSMadmin"; nocase; metadata:service http; classtype:attempted-user; 805 WEB-CGI webspeed access 10304 1668 attempted-recon 2000-0853 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/YaBB"; fast_pattern; nocase; http_uri; content:"../"; metadata:service http; classtype:attempted-recon; 806 WEB-CGI yabb directory traversal attempt 10512 649 attempted-recon 1999-0954 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/wwwboard/passwd.txt"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 807 WEB-CGI /wwwboard/passwd.txt access 10321 2166 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/webdriver"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 808 WEB-CGI webdriver access 10592 10878 web-application-activity 2004-1456 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"filediff"; fast_pattern; nocase; http_uri; content:"f="; nocase; metadata:service http; classtype:web-application-activity; 8084 WEB-CGI CVSTrac filediff function access 14238 www.kb.cert.org/vuls/id/770816 304 web-application-attack 1999-1063 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/whois_raw.cgi?"; http_uri; content:"|0A|"; metadata:service http; classtype:web-application-attack; 809 WEB-CGI whois_raw.cgi arbitrary command execution attempt 10306 304 attempted-recon 1999-1063 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/whois_raw.cgi"; http_uri; metadata:service http; classtype:attempted-recon; 810 WEB-CGI whois_raw.cgi access 10306 932 attempted-recon 2000-0066 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:" /HTTP/1."; fast_pattern:only; metadata:service http; classtype:attempted-recon; 811 WEB-CGI websitepro path access 10303 1102 attempted-recon 2000-0282 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/webplus?about"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 812 WEB-CGI webplus version access 1102 web-application-attack 2000-0282 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/webplus?script"; fast_pattern; nocase; http_uri; content:"../"; metadata:service http; classtype:web-application-attack; 813 WEB-CGI webplus directory traversal 10367 2077 attempted-recon 1999-0196 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/websendmail"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 815 WEB-CGI websendmail access 10301 2728 web-application-attack 2001-0527 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/dcboard.cgi"; http_uri; content:"command=register"; content:"%7cadmin"; metadata:service http; classtype:web-application-attack; 817 WEB-CGI dcboard.cgi invalid user addition attempt 10583 2728 attempted-recon 2001-0527 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/dcforum.cgi"; http_uri; metadata:service http; classtype:attempted-recon; 818 WEB-CGI dcforum.cgi access 10583 2063 attempted-recon 2001-0021 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/mmstdod.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 819 WEB-CGI mmstdod.cgi access 10566 2388 web-application-attack 2001-0308 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/apexec.pl"; http_uri; content:"template=../"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 820 WEB-CGI anaconda directory transversal attempt 10536 739 web-application-attack 1999-0951 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/imagemap.exe?"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-attack; 821 WEB-CGI imagemap.exe overflow attempt 10122 1469 attempted-recon 2000-0670 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cvsweb.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 823 WEB-CGI cvsweb.cgi access 10465 2026 attempted-recon 1999-0147 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/glimpse"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 825 WEB-CGI glimpse access 10095 2001 attempted-recon 1999-0264 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/htmlscript"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 826 WEB-CGI htmlscript access 10106 1995 attempted-recon 1999-0266 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/info2www"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 827 WEB-CGI info2www access 10127 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/maillist.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 828 WEB-CGI maillist.pl access 686 attempted-recon 1999-0045 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/nph-test-cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 829 WEB-CGI nph-test-cgi access 10165 attempted-recon 1999-0509 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/perl.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 832 WEB-CGI perl.exe access 10173 www.cert.org/advisories/CA-1996-11.html 2024 attempted-recon 1999-0287 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/rguest.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 833 WEB-CGI rguest.exe access attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/rwwwshell.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 834 WEB-CGI rwwwshell.pl access www.itsecurity.com/papers/p37.htm 2003 attempted-recon 1999-0070 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/test-cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 835 WEB-CGI test-cgi access 10282 2265 attempted-recon 1999-1479 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/textcounter.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 836 WEB-CGI textcounter.pl access 11451 1611 attempted-recon 2000-0769 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/uploader.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 837 WEB-CGI uploader.exe access 10291 2058 attempted-recon 1999-0176 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/webgais"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 838 WEB-CGI webgais access 10300 attempted-recon 1999-0612 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/finger"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 839 WEB-CGI finger access 10071 attempted-recon 1999-1374 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/perlshop.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 840 WEB-CGI perlshop.cgi access 2026 attempted-recon 1999-0147 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/aglimpse"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 842 WEB-CGI aglimpse access 10095 719 attempted-recon 1999-0066 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/AnForm2"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 843 WEB-CGI anform2 access attempted-recon 1999-1180 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/args.bat"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 844 WEB-CGI args.bat access 11465 attempted-recon 1999-1072 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/AT-admin.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 845 WEB-CGI AT-admin.cgi access 2147 attempted-recon 1999-0937 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/bnbform.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 846 WEB-CGI bnbform.cgi access 1975 attempted-recon 1999-0146 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/campas"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 847 WEB-CGI campas access 10035 8883 web-application-attack 1999-0174 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/view-source"; fast_pattern; nocase; http_uri; content:"../"; nocase; metadata:service http; classtype:web-application-attack; 848 WEB-CGI view-source directory traversal 8883 attempted-recon 1999-0174 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/view-source"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 849 WEB-CGI view-source access attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/wais.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 850 WEB-CGI wais.pl access attempted-recon 1999-1081 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/files.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 851 WEB-CGI files.pl access 2024 attempted-recon 1999-0467 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/wguest.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 852 WEB-CGI wguest.exe access 2020 attempted-recon 1999-0934 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/classifieds.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 854 WEB-CGI classifieds.cgi access attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/environ.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 856 WEB-CGI environ.cgi access 2056 web-application-activity 1999-0262 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/faxsurvey"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 857 WEB-CGI faxsurvey access 10067 attempted-recon 1999-1154 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/filemail.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 858 WEB-CGI filemail access 2276 attempted-recon 1999-1179 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/man.sh"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 859 WEB-CGI man.sh access 2023 attempted-recon 1999-0233 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/snork.bat"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 860 WEB-CGI snork.bat access 898 attempted-recon 2000-0012 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/w3-msql/"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 861 WEB-CGI w3-msql access 10296 attempted-recon 1999-1232 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/day5datacopier.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 863 WEB-CGI day5datacopier.cgi access attempted-recon 1999-1232 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/day5datanotifier.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 864 WEB-CGI day5datanotifier.cgi access attempted-recon 1999-0509 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ksh"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 865 WEB-CGI ksh access www.cert.org/advisories/CA-1996-11.html 6752 attempted-recon 2001-0291 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/post-query"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 866 WEB-CGI post-query access 1808 attempted-recon 1999-0970 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/visadmin.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 867 WEB-CGI visadmin.exe access 10295 attempted-recon 1999-0509 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/rsh"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 868 WEB-CGI rsh access www.cert.org/advisories/CA-1996-11.html attempted-recon 1999-1178 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/dumpenv.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 869 WEB-CGI dumpenv.pl access 10060 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/snorkerz.cmd"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 870 WEB-CGI snorkerz.cmd access 1817 attempted-recon 1999-0936 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/survey.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 871 WEB-CGI survey.cgi access attempted-recon 1999-0509 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/tcsh"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 872 WEB-CGI tcsh access www.cert.org/advisories/CA-1996-11.html 2078 attempted-recon 1999-0178 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/win-c-sample.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 875 WEB-CGI win-c-sample.exe access 10008 attempted-recon 1999-0509 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/rksh"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 877 WEB-CGI rksh access www.cert.org/advisories/CA-1996-11.html attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/w3tvars.pm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 878 WEB-CGI w3tvars.pm access 3839 attempted-recon 2002-1748 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 879 WEB-CGI admin.pl access online.securityfocus.com/archive/1/249355 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/LWGate"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 880 WEB-CGI LWGate access www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/archie"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 881 WEB-CGI archie access attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/flexform"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 883 WEB-CGI flexform access www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/www-sql"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 887 WEB-CGI www-sql access marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/wwwadmin.pl"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 888 WEB-CGI wwwadmin.pl access 491 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ppdscgi.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 889 WEB-CGI ppdscgi.exe access 10187 online.securityfocus.com/archive/1/16878 5286 attempted-recon 2002-0710 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/sendform.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 890 WEB-CGI sendform.cgi access www.scn.org/help/sendform.txt 719 attempted-recon 1999-0066 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/AnyForm2"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 892 WEB-CGI AnyForm2 access 10277 142 attempted-recon 1999-1462 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/bb-hist.sh"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 894 WEB-CGI bb-hist.sh access 10025 2370 web-application-activity 2001-0214 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/way-board"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 896 WEB-CGI way-board access 10610 2372 attempted-recon 2001-0217 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/pals-cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 897 WEB-CGI pals-cgi access 10611 2361 attempted-recon 2001-0210 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/commerce.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 898 WEB-CGI commerce.cgi access 10612 2504 web-application-attack 2001-0272 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/sendtemp.pl"; fast_pattern; nocase; http_uri; content:"templ="; nocase; metadata:service http; classtype:web-application-attack; 899 WEB-CGI Amaya templates sendtemp.pl directory traversal attempt 10614 2362 web-application-attack 2001-0211 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/webspirs.cgi"; fast_pattern; nocase; http_uri; content:"../../"; nocase; metadata:service http; classtype:web-application-attack; 900 WEB-CGI webspirs.cgi directory traversal attempt 10616 2362 attempted-recon 2001-0211 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/webspirs.cgi"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 901 WEB-CGI webspirs.cgi access 10616 2381 attempted-recon 2001-0302 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"tstisapi.dll"; fast_pattern; nocase; http_uri; metadata:service http; classtype:attempted-recon; 902 WEB-CGI tstisapi.dll access 220 Server / Mail 23808 attempted-dos 2007-0039 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"content-classescalendarmessage"; fast_pattern:only; pcre:"/^X-MICROSOFT-CDO-MODPROPS\x3A[^\n]*(?P<prop>\w+),[^\n]*(?=prop)/Bmi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:attempted-dos; 11222 SMTP Exchange MODPROPS denial of service attempt www.microsoft.com/technet/security/Bulletin/MS07-026.mspx 17908 attempted-admin 2006-0027 tcp $EXTERNAL_NET any -> $HOME_NET [25,143] flow:established,to_server; content:"DESCRIPTION|3A|"; nocase; isdataat:268,relative; content:!"|0A|"; within:256; pcre:"/^DESCRIPTION\x3A[^\n]{268}/smi"; metadata:policy security-ips alert, service smtp; classtype:attempted-admin; 12619 EXPLOIT Microsoft Exchange ical/vcal malformed property www.microsoft.com/technet/security/bulletin/ms06-019.mspx attempted-admin 2009-0098 tcp $EXTERNAL_NET any -> $HOME_NET 25 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|15301, service smtp, policy security-ips drop; 15301 SMTP Exchange compressed RTF remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-003.mspx attempted-dos 2009-0099 udp $EXTERNAL_NET any -> $HOME_NET 1024: gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|15302, policy security-ips drop; 15302 DOS Microsoft Exchange System Attendant denial of service attempt www.microsoft.com/technet/security/bulletin/MS09-003.mspx 17908 attempted-admin 2006-0027 tcp $EXTERNAL_NET any <> $HOME_NET 25 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|15329, service smtp, policy balanced-ips drop, policy security-ips drop; 15329 SMTP Microsoft Exchange MODPROPS memory corruption attempt www.microsoft.com/technet/security/bulletin/ms06-019.mspx 10902 misc-attack 2004-0203 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"exchange/calendar/pick.asp?view=ppp%22></applet><script>alert|28|%22hi,%20this%20is%20javascript%20here%22|29|</script>|22|>click this</a>"; metadata:policy security-ips drop, service http; classtype:misc-attack; 15964 SPECIFIC-THREATS Microsoft Exchange OWA XSS and spoofing attempt 16197 attempted-admin 2006-0002 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:established,to_server; content:"application/ms-tnef"; nocase; content:"AwMDAwMDQBdXNlckBleGFtcGxlLmNvbQE"; content:"I18jIA+zM2AegCpAPjA"; distance:0; metadata:policy security-ips drop, service smtp; classtype:attempted-admin; 17481 SPECIFIC-THREATS Microsoft Exchange and Outlook TNEF Decoding Integer Overflow attempt successful-recon-limited tcp $HOME_NET 868 <> $EXTERNAL_NET any flow:established; content:"chkLis"; depth:6; flowbits:set,ABSystemSpy_Inforetrieve1; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 7165 SPYWARE-PUT Keylogger ab system spy runtime detection - information exchange - flowbit set 1 www.spywareguide.com/product_show.php?id=591 successful-recon-limited tcp $HOME_NET 868 <> $EXTERNAL_NET any flow:established; flowbits:isset,ABSystemSpy_Inforetrieve1; content:"chkShe"; depth:6; flowbits:set,ABSystemSpy_Inforetrieve2; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 7166 SPYWARE-PUT Keylogger ab system spy runtime detection - information exchange - flowbit set 2 www.spywareguide.com/product_show.php?id=591 successful-recon-limited tcp $HOME_NET 868 <> $EXTERNAL_NET any flow:established; flowbits:isset,ABSystemSpy_Inforetrieve2; content:"chkCli"; depth:6; flowbits:set,ABSystemSpy_Inforetrieve3; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 7167 SPYWARE-PUT Keylogger ab system spy runtime detection - information exchange - flowbit set 3 www.spywareguide.com/product_show.php?id=591 successful-recon-limited tcp $HOME_NET 868 <> $EXTERNAL_NET any flow:established; flowbits:isset,ABSystemSpy_Inforetrieve3; content:"chkCap"; depth:6; flowbits:set,ABSystemSpy_Inforetrieve4; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 7168 SPYWARE-PUT Keylogger ab system spy runtime detection - information exchange - flowbit set 4 www.spywareguide.com/product_show.php?id=591 successful-recon-limited tcp $HOME_NET 868 <> $EXTERNAL_NET any flow:established; flowbits:isset,ABSystemSpy_Inforetrieve4; content:"chkCtr"; depth:6; metadata:policy security-ips alert; classtype:successful-recon-limited; 7169 SPYWARE-PUT Keylogger ab system spy runtime detection - information exchange www3.ca.com/securityadvisor/pest/pest.aspx?id=453076050 221 Server / Mail / Microsoft Exchange 6407 attempted-user 2002-1359 tcp $EXTERNAL_NET 22 -> $HOME_NET any flow:to_client,established,no_stream; content:"SSH-"; depth:4; isdataat:1000,relative; pcre:"/SSH-0*([2-9]\d*|1\d+)\.[^-]*-[^\n]*\n\x00\x00.{3}\x14.{1000}/s"; classtype:attempted-user; 10010 EXPLOIT Putty Server key exchange buffer overflow attempt www.rapid7.com/advisories/R7-0009.html 23808 attempted-dos 2007-0039 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"Content-Type|3A| text/calendar"; nocase; pcre:"/BEGIN\x3AVEVENT\x0D\x0A.*X-MICROSOFT-CDO-MODPROPS\x3A[^\n]*X-MICROSOFT-CDO-MODPROPS.+X-MICROSOFT-CDO-MODPROPS\x3A.+END\x3AVEVENT/smi"; metadata:service smtp; classtype:attempted-dos; 14742 SPECIFIC-THREATS Exchange MODPROPS denial of service PoC attempt www.microsoft.com/technet/security/Bulletin/MS07-026.mspx trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ldr/client01/ldrctl.php"; http_uri; content:"os="; nocase; content:"ver="; nocase; content:"idx="; nocase; content:"user="; nocase; content:"ioctl="; nocase; content:"data="; nocase; pcre:"/os\x3d.*\x26ver\x3d.*\x26idx\x3d.*\x26user\x3d.*\x26ioctl\x3d.*\x26data\x3d.*/smi"; classtype:trojan-activity; 16108 BACKDOOR trojan downloader exchanger.gen2 runtime detection www.ca.com/us/securityadvisor/pest/pest.aspx?id=453143306 10180 misc-attack 2004-1945 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"MAIL"; fast_pattern:only; pcre:"/^\s*MAIL\s+[^\s\n][^\n]{1006,}/smi"; metadata:service smtp; classtype:misc-attack; 3815 SMTP eXchange POP3 mail server overflow attempt 1869 attempted-dos 2000-1006 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"charset = |22 22|"; nocase; metadata:service smtp; classtype:attempted-dos; 658 SMTP exchange mime DOS 10558 www.microsoft.com/technet/security/bulletin/MS00-082.mspx 222 Server / Mail / Sendmail 2198 web-application-activity 2001-1044 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/inc/sendmail.inc"; http_uri; metadata:service http; classtype:web-application-activity; 1526 WEB-MISC basilix sendmail.inc access 10601 2311 attempted-admin 1999-0204 tcp $EXTERNAL_NET 113 -> $HOME_NET any flow:established,to_client; content:"|7C|sed|0A|'1,/^|24|/d'|7C|/bin/sh"; nocase; metadata:service ident; classtype:attempted-admin; 15936 SPECIFIC-THREATS Sendmail identd command parsing vulnerability 17192 attempted-admin 2006-0058 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:established,to_server; content:"Subject|3A| AAAAAA|CC CC CC CC CC CC|"; metadata:service smtp; classtype:attempted-admin; 16057 SPECIFIC-THREATS sendmail smtp timeout buffer overflow attempt 6991 attempted-admin 2002-1337 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"SEND FROM|3A|"; fast_pattern:only; pcre:"/^SEND FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:service smtp; classtype:attempted-admin; 2261 SMTP SEND FROM sendmail prescan too many addresses overflow 11316 7230 misc-attack 2003-0161 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"SEND FROM|3A|"; fast_pattern:only; pcre:"/^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:service smtp; classtype:misc-attack; 2262 SMTP SEND FROM sendmail prescan too long addresses overflow 11499 6991 attempted-admin 2002-1337 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"SAML FROM|3A|"; fast_pattern:only; pcre:"/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:service smtp; classtype:attempted-admin; 2263 SMTP SAML FROM sendmail prescan too many addresses overflow 7230 misc-attack 2003-0161 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"SAML FROM|3A|"; fast_pattern:only; pcre:"/^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:service smtp; classtype:misc-attack; 2264 SMTP SAML FROM sendmail prescan too long addresses overflow 11499 6991 attempted-admin 2002-1337 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"SOML FROM|3A|"; fast_pattern:only; pcre:"/^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:service smtp; classtype:attempted-admin; 2265 SMTP SOML FROM sendmail prescan too many addresses overflow 7230 misc-attack 2003-0161 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"SOML FROM|3A|"; fast_pattern:only; pcre:"/^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:service smtp; classtype:misc-attack; 2266 SMTP SOML FROM sendmail prescan too long addresses overflow 11499 6991 attempted-admin 2002-1337 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"MAIL FROM|3A|"; fast_pattern:only; pcre:"/^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:service smtp; classtype:attempted-admin; 2267 SMTP MAIL FROM sendmail prescan too many addresses overflow 7230 attempted-admin 2003-0161 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"MAIL FROM|3A|"; fast_pattern:only; pcre:"/^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:service smtp; classtype:attempted-admin; 2268 SMTP MAIL FROM sendmail prescan too long addresses overflow 11499 6991 attempted-admin 2002-1337 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"RCPT TO|3A|"; fast_pattern:only; pcre:"/^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:service smtp; classtype:attempted-admin; 2269 SMTP RCPT TO sendmail prescan too many addresses overflow 7230 attempted-admin 2003-0694 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"RCPT TO|3A|"; fast_pattern:only; pcre:"/^RCPT TO\x3a\s*[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:service smtp; classtype:attempted-admin; 2270 SMTP RCPT TO sendmail prescan too long addresses overflow 11499 2311 attempted-admin 1999-0204 tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 flow:to_server,established; content:"|0A|D/"; metadata:service smtp; classtype:attempted-admin; 655 SMTP sendmail 8.6.9 exploit attempted-admin 1999-0203 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"mail from|3A| |22 7C|"; fast_pattern:only; metadata:service smtp; classtype:attempted-admin; 662 SMTP sendmail 5.5.5 exploit 10258 2308 attempted-user 1999-0203 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"MAIL FROM|3A| |7C|/usr/ucb/tail"; fast_pattern:only; metadata:service smtp; classtype:attempted-user; 665 SMTP sendmail 5.6.5 exploit 2311 attempted-user 1999-0204 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"Croot|0D 0A|Mprog, P=/bin/"; fast_pattern:only; metadata:service smtp; classtype:attempted-user; 667 SMTP sendmail 8.6.10 exploit 2311 attempted-user 1999-0204 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"Croot|09 09 09 09 09 09 09|Mprog,P=/bin"; fast_pattern:only; metadata:service smtp; classtype:attempted-user; 668 SMTP sendmail 8.6.10 exploit 2311 attempted-user 1999-0204 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"|0A|Croot|0A|Mprog"; fast_pattern:only; metadata:service smtp; classtype:attempted-user; 669 SMTP sendmail 8.6.9 exploit 2311 attempted-user 1999-0204 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"|0A|C|3A|daemon|0A|R"; fast_pattern:only; metadata:service smtp; classtype:attempted-user; 670 SMTP sendmail 8.6.9 exploit 2311 attempted-user 1999-0204 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"|0A|Croot|0D 0A|Mprog"; fast_pattern:only; metadata:service smtp; classtype:attempted-user; 671 SMTP sendmail 8.6.9c exploit protocol-command-decode tcp $HOME_NET any -> $EXTERNAL_NET 110 flow:to_server, established; content:"STAT"; nocase; flowbits:set,pop3.stat; flowbits:noalert; metadata:service pop3; classtype:protocol-command-decode; 16594 POP3 STAT command misc-attack 2009-3837 tcp any 110 -> $HOME_NET any flow:to_client,established; content:"-ERR"; isdataat:718,relative; content:!"|0A|"; within:718; metadata:policy security-ips drop, service pop3; classtype:misc-attack; 16799 POP3 Eureka Mail 2.2q server error response overflow attempt archives.neohapsis.com/archives/bugtraq/2009-10/0170.html 16576 attempted-user 2005-2618 tcp $EXTERNAL_NET 110 -> $HOME_NET any flow:established,to_client; content:"Content-Disposition|3A| attachment"; nocase; content:"<a "; nocase; content:"href="; distance:0; content:!"|3E|"; within:500; pcre:"/<a\s+[^>]*href=[^>]{500}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service pop3; classtype:attempted-user; 17331 POP3 Lotus Notes HTML Speed Reader Long URL buffer overflow attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 995 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; metadata:service pop3; classtype:protocol-command-decode; 2535 POP3 SSLv3 Client_Hello request protocol-command-decode tcp $HOME_NET 995 -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; metadata:service pop3; classtype:protocol-command-decode; 2536 POP3 SSLv3 Server_Hello request protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 995 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.client_hello.request; flowbits:noalert; metadata:service pop3; classtype:protocol-command-decode; 3499 POP3 SSLv2 Client_Hello request protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 995 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; offset:6; flowbits:set,sslv2.client_hello.request; flowbits:noalert; metadata:service pop3; classtype:protocol-command-decode; 3500 POP3 SSLv2 Client_Hello with pad request protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 995 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; metadata:service pop3; classtype:protocol-command-decode; 3501 POP3 TLSv1 Client_Hello request protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 995 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; metadata:service pop3; classtype:protocol-command-decode; 3502 POP3 TLSv1 Client_Hello via SSLv2 handshake request protocol-command-decode tcp $HOME_NET 995 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,sslv2.client_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; metadata:service pop3; classtype:protocol-command-decode; 3503 POP3 SSLv2 Server_Hello request protocol-command-decode tcp $HOME_NET 995 -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,tlsv1.server_hello.request; flowbits:noalert; metadata:service pop3; classtype:protocol-command-decode; 3504 POP3 TLSv1 Server_Hello request 223 Server / Mail / POP3 791 attempted-admin 2006-6605 tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; metadata:service pop3; classtype:attempted-admin; 1634 POP3 PASS overflow attempt 10325 1652 attempted-admin 2000-0841 tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; metadata:service pop3; classtype:attempted-admin; 1635 POP3 APOP overflow attempt 10559 attempted-user 2010-0816 tcp $EXTERNAL_NET 110 -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,pop3.stat; flowbits:unset,pop3.stat; metadata: engine shared, soid 3|16595; 16595 POP3 Windows Mail remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-030.mspx 789 attempted-admin 2006-4364 tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"USER"; isdataat:50,relative; pcre:"/^USER\s[^\n]{50}/smi"; metadata:service pop3; classtype:attempted-admin; 1866 POP3 USER overflow attempt 10311 830 attempted-admin 1999-0822 tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; metadata:service pop3; classtype:attempted-admin; 1936 POP3 AUTH overflow attempt 10184 948 attempted-admin 2000-0096 tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; metadata:service pop3; classtype:attempted-admin; 1937 POP3 LIST overflow attempt 10197 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; metadata:service pop3; classtype:attempted-admin; 1938 POP3 XTND overflow attempt attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/smi"; metadata:service pop3; classtype:attempted-admin; 2108 POP3 CAPA overflow attempt attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"TOP"; nocase; isdataat:50,relative; pcre:"/^TOP\s[^\n]{50}/smi"; metadata:service pop3; classtype:attempted-admin; 2109 POP3 TOP overflow attempt attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/smi"; metadata:service pop3; classtype:attempted-admin; 2110 POP3 STAT overflow attempt attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; metadata:service pop3; classtype:attempted-admin; 2111 POP3 DELE overflow attempt attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/smi"; metadata:service pop3; classtype:attempted-admin; 2112 POP3 RSET overflow attempt 7445 misc-attack 2002-1539 tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"DELE"; fast_pattern:only; pcre:"/^DELE\s+-\d/smi"; metadata:service pop3; classtype:misc-attack; 2121 POP3 DELE negative argument attempt 11570 6053 misc-attack 2002-1539 tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"UIDL"; fast_pattern:only; pcre:"/^UIDL\s+-\d/smi"; metadata:service pop3; classtype:misc-attack; 2122 POP3 UIDL negative argument attempt 11570 7667 attempted-admin 2003-0391 tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s+[^\n]*?%/smi"; metadata:service pop3; classtype:attempted-admin; 2250 POP3 USER format string attempt 11742 suspicious-login tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"USER"; fast_pattern:only; detection_filter:track by_dst, count 30, seconds 30; metadata:service pop3; classtype:suspicious-login; 2274 POP3 login brute force attempt 9794 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; metadata:service pop3; classtype:attempted-admin; 2409 POP3 APOP USER overflow attempt 10115 attempted-dos 2004-0120 tcp $EXTERNAL_NET any -> $HOME_NET 995 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; metadata:service pop3; classtype:attempted-dos; 2502 POP3 SSLv3 invalid data version attempt 12204 www.microsoft.com/technet/security/bulletin/MS04-011.mspx 10116 attempted-admin 2003-0719 tcp $EXTERNAL_NET any -> $HOME_NET 995 flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; metadata:service pop3; classtype:attempted-admin; 2518 POP3 PCT Client_Hello overflow attempt 12205 www.microsoft.com/technet/security/bulletin/MS04-011.mspx attempted-dos 2004-0120 tcp $EXTERNAL_NET any -> $HOME_NET 995 flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; metadata:service pop3; classtype:attempted-dos; 2537 POP3 SSLv3 invalid Client_Hello attempt 12204 www.microsoft.com/technet/security/bulletin/MS04-011.mspx 10976 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s+[^\n]*?%/smi"; metadata:service pop3; classtype:attempted-admin; 2666 POP3 PASS format string attempt 133 attempted-admin 1999-0006 tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; fast_pattern:only; metadata:service pop3; classtype:attempted-admin; 286 POP3 EXPLOIT x86 BSD overflow 10196 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; metadata:service pop3; classtype:attempted-admin; 287 POP3 EXPLOIT x86 BSD overflow attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; fast_pattern:only; metadata:service pop3; classtype:attempted-admin; 288 POP3 EXPLOIT x86 Linux overflow 156 attempted-admin 1999-0006 tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; metadata:service pop3; classtype:attempted-admin; 289 POP3 EXPLOIT x86 SCO overflow 830 attempted-admin 1999-0822 tcp $EXTERNAL_NET any -> $HOME_NET 110 flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; fast_pattern:only; metadata:service pop3; classtype:attempted-admin; 290 POP3 EXPLOIT qpopper overflow 10184 22083 attempted-admin 2007-5135 tcp $EXTERNAL_NET any -> $HOME_NET 995 flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 00 02|"; depth:3; offset:2; byte_test:2, >, 256, 0, relative; metadata:service pop3; classtype:attempted-admin; 8429 POP3 SSLv2 openssl get shared ciphers overflow attempt www.openssl.org/news/secadv_20060928.txt 25831 attempted-admin 2007-5135 tcp $EXTERNAL_NET any -> $HOME_NET 995 flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; within:1; distance:2; content:"|03 00|"; within:2; distance:3; content:"|00|"; within:1; distance:32; byte_test:2, >, 256, 0, relative; metadata:service pop3; classtype:attempted-admin; 8430 POP3 SSLv3 openssl get shared ciphers overflow attempt www.openssl.org/news/secadv_20060928.txt 22083 attempted-admin 2007-5135 tcp $EXTERNAL_NET any -> $HOME_NET 995 flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|"; depth:2; offset:2; byte_test:2, >, 256, 1, relative; metadata:service pop3; classtype:attempted-admin; 8431 POP3 SSLv2 openssl get shared ciphers overflow attempt www.openssl.org/news/secadv_20060928.txt 21723 misc-attack 2006-6425 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"AP"; nocase; isdataat:256,relative; pcre:"/\sAP[A-Za-z]{4}\s[^\n]{256}/smi"; metadata:policy security-ips drop, service imap; classtype:misc-attack; 10011 IMAP Novell NetMail APPEND command buffer overflow attempt 23172 attempted-admin 2007-1675 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"AUTHENTICATE CRAM-MD5"; nocase; content:"|0A|"; within:2; isdataat:364,relative; content:!"|0D 0A|"; within:364; metadata:policy balanced-ips drop, policy security-ips drop, service imap; classtype:attempted-admin; 11004 IMAP CRAM-MD5 authentication method buffer overflow 24962 attempted-admin 2007-3925 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:to_server,established; content:"charset"; fast_pattern:only; pcre:"/^\S+\s+(uid\s+|)search\s+charset\s+[^\s]{250}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service imap; classtype:attempted-admin; 12114 IMAP Ipswitch IMail search command buffer overflow attempt labs.idefense.com/intelligence/vulnerabilities/display.php?id=563 24962 attempted-admin 2007-3925 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:to_server,established; content:"charset"; fast_pattern:only; pcre:"/^\S+\s+(uid\s+|)search\s+charset\s*\{\s*/smi"; byte_test:5,>,250,0,string,dec,relative; metadata:policy balanced-ips drop, policy security-ips drop, service imap; classtype:attempted-admin; 12115 IMAP Ipswitch IMail search command buffer overflow attempt labs.idefense.com/intelligence/vulnerabilities/display.php?id=563 24962 attempted-admin 2007-3925 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:to_server,established; content:"search"; fast_pattern:only; pcre:"/^\S+\s+(uid\s+|)search\s[^\n]*(sent|)(on|before|since)\s*\{\s*/smi"; byte_test:5,>,64,0,string,dec,relative; metadata:policy balanced-ips drop, policy security-ips drop, service imap; classtype:attempted-admin; 12212 IMAP Ipswitch IMail literal search date command buffer overflow attempt labs.idefense.com/intelligence/vulnerabilities/display.php?id=563 24962 attempted-admin 2007-3925 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:to_server,established; content:"search"; fast_pattern:only; pcre:"/^\S+\s+(uid\s+|)search\s[^\n]*(sent|)(on|before|since)\s+[^\s]{64}/Osmi"; metadata:policy balanced-ips drop, policy security-ips drop, service imap; classtype:attempted-admin; 12213 IMAP Ipswitch IMail search date command buffer overflow attempt labs.idefense.com/intelligence/vulnerabilities/display.php?id=563 28245 attempted-admin 2008-1358 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:to_server,established; content:"FETCH"; fast_pattern:only; content:"BODY"; content:"["; isdataat:256,relative; content:!"]"; within:256; metadata:policy balanced-ips drop, policy security-ips drop, service imap; classtype:attempted-admin; 13663 IMAP Alt-N MDaemon IMAP Server FETCH command buffer overflow attempt files.altn.com/MDaemon/Release/RelNotes_en.txt 23172 attempted-admin 2007-1675 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"AUTHENTICATE CRAM-MD5"; nocase; content:"|0A|"; within:2; isdataat:300,relative; content:!"|0D 0A|"; within:300; metadata:policy balanced-ips drop, policy security-ips drop, service imap; classtype:attempted-admin; 15484 IMAP CRAM-MD5 authentication method buffer overflow 25467 attempted-user 2007-4607 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0CEA3FB1-7F88-4803-AA8E-AD021566955D"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0CEA3FB1-7F88-4803-AA8E-AD021566955D\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(LicenseKey)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0CEA3FB1-7F88-4803-AA8E-AD021566955D\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(LicenseKey))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16779 WEB-ACTIVEX EasyMail IMAP4 ActiveX clsid access 25467 attempted-user 2007-4607 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|C|00|E|00|A|00|3|00|F|00|B|00|1|00|-|00|7|00|F|00|8|00|8|00|-|00|4|00|8|00|0|00|3|00|-|00|A|00|A|00|8|00|E|00|-|00|A|00|D|00|0|00|2|00|1|00|5|00|6|00|6|00|9|00|5|00|5|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00C\x00E\x00A\x003\x00F\x00B\x001\x00-\x007\x00F\x008\x008\x00-\x004\x008\x000\x003\x00-\x00A\x00A\x008\x00E\x00-\x00A\x00D\x000\x002\x001\x005\x006\x006\x009\x005\x005\x00D\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16780 WEB-ACTIVEX EasyMail IMAP4 ActiveX clsid unicode access 25467 attempted-user 2007-4607 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"EasyMail.IMAP4"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22EasyMail\.IMAP4(\.\d)?\x22|\x27EasyMail\.IMAP4(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*LicenseKey\s*|.*(?P=v)\s*\.\s*LicenseKey\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EasyMail\.IMAP4(\.\d)?\x22|\x27EasyMail\.IMAP4(\.\d)?\x27)\s*\)(\s*\.\s*LicenseKey\s*|.*(?P=n)\s*\.\s*LicenseKey\s*)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16781 WEB-ACTIVEX EasyMail IMAP4 ActiveX function call access 25467 attempted-user 2007-4607 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|a|00|s|00|y|00|M|00|a|00|i|00|l|00|.|00|I|00|M|00|A|00|P|00|4|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)E\x00a\x00s\x00y\x00M\x00a\x00i\x00l\x00.\x00I\x00M\x00A\x00P\x004\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)E\x00a\x00s\x00y\x00M\x00a\x00i\x00l\x00.\x00I\x00M\x00A\x00P\x004\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16782 WEB-ACTIVEX EasyMail IMAP4 ActiveX function call unicode access 14315 attempted-dos tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:to_server,established; content:" CREATE "; nocase; isdataat:180,relative; pcre:"/^[0-9]+\s+CREATE\s[^\r\n]{180}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service imap; classtype:attempted-dos; 17239 IMAP Alt-N MDaemon IMAP server CREATE command buffer overflow attempt 14315 attempted-dos tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:to_server,established; content:" CREATE "; nocase; content:"{"; within:5; byte_test:8, >, 180, 0, relative, string; metadata:policy balanced-ips drop, policy security-ips drop, service imap; classtype:attempted-dos; 17240 IMAP Alt-N MDaemon IMAP server literal CREATE command buffer overflow attempt protocol-command-decode tcp $HOME_NET 143 -> $EXTERNAL_NET any flow:established,from_server; content:"WorldMail IMAP4 Server"; fast_pattern:only; nocase; flowbits:set,qualcom.worldmail.ok; flowbits:noalert; metadata:service imap; classtype:protocol-command-decode; 17327 IMAP Qualcomm WorldMail Server Response 15980 attempted-admin 2005-4267 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; flowbits:isset,qualcom.worldmail.ok; dsize:>668; metadata:policy balanced-ips drop, policy security-ips drop, service imap; classtype:attempted-admin; 17328 IMAP Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow 21252 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:to_server,established; content:"login|20 7B|"; depth:7; offset:3; nocase; byte_test:10,>,1023,0,relative,string; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 17503 IMAP MailEnable IMAP Service Invalid Command Buffer Overlow LOGIN 130 misc-attack 1999-0042 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service imap; classtype:misc-attack; 1844 IMAP authenticate overflow attempt 10292 21724 misc-attack 2006-6424 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"AUTH"; fast_pattern:only; nocase; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service imap; classtype:misc-attack; 1930 IMAP auth literal overflow attempt 8861 misc-attack 2003-1177 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"AUTH"; fast_pattern:only; nocase; pcre:"/AUTH\s[^\n]{100}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service imap; classtype:misc-attack; 2330 IMAP auth overflow attempt 11910 protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 993 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; metadata:service imap; classtype:protocol-command-decode; 2529 IMAP SSLv3 Client_Hello request protocol-command-decode tcp $HOME_NET 993 -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; metadata:service imap; classtype:protocol-command-decode; 2530 IMAP SSLv3 Server_Hello request 10976 attempted-admin 2007-0221 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"LOGIN"; fast_pattern:only; nocase; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service imap; classtype:attempted-admin; 2665 IMAP login literal format string attempt www.microsoft.com/technet/security/Bulletin/MS07-026.mspx 11775 misc-attack 2004-1211 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"EXAMINE"; fast_pattern:only; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service imap; classtype:misc-attack; 3067 IMAP examine literal overflow attempt 15867 15006 misc-attack 2005-3155 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"EXAMINE"; nocase; isdataat:100,relative; pcre:"/\sEXAMINE\s[^\n]{100}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service imap; classtype:misc-attack; 3068 IMAP examine overflow attempt 15867 11775 misc-attack 2004-1211 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"FETCH"; fast_pattern:only; pcre:"/\sFETCH\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service imap; classtype:misc-attack; 3069 IMAP fetch literal overflow attempt 15867 26219 attempted-admin 2007-3510 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"SUBSCRIBE"; fast_pattern:only; pcre:"/^\w+\s+SUBSCRIBE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,relative,string; metadata:policy balanced-ips drop, policy security-ips drop, service imap; classtype:attempted-admin; 3073 IMAP SUBSCRIBE literal overflow attempt 15867 26219 attempted-admin 2007-3510 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"SUBSCRIBE"; nocase; isdataat:100; pcre:"/^\w+\s+SUBSCRIBE\s[^\n]{100}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service imap; classtype:attempted-admin; 3074 IMAP SUBSCRIBE overflow attempt 15867 protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 993 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.client_hello.request; flowbits:noalert; metadata:service imap; classtype:protocol-command-decode; 3487 IMAP SSLv2 Client_Hello request protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 993 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; offset:6; flowbits:set,sslv2.client_hello.request; flowbits:noalert; metadata:service imap; classtype:protocol-command-decode; 3488 IMAP SSLv2 Client_Hello with pad request protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 993 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; metadata:service imap; classtype:protocol-command-decode; 3489 IMAP TLSv1 Client_Hello request protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 993 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; metadata:service imap; classtype:protocol-command-decode; 3490 IMAP TLSv1 Client_Hello via SSLv2 handshake request protocol-command-decode tcp $HOME_NET 993 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,sslv2.client_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; metadata:service imap; classtype:protocol-command-decode; 3491 IMAP SSLv2 Server_Hello request protocol-command-decode tcp $HOME_NET 993 -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,tlsv1.server_hello.request; flowbits:noalert; metadata:service imap; classtype:protocol-command-decode; 3492 IMAP TLSv1 Server_Hello request 224 Server / Mail / IMAP 13764 attempted-admin 2005-1523 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:to_server,established; content:"%"; content:"n"; distance:0; pcre:"/^\S*\x25(\d+\x24)?\d*h?n\s/sm"; classtype:attempted-admin; 12392 IMAP GNU Mailutils request tag format string vulnerability 23058 attempted-admin 2007-1578 tcp any any -> $HOME_NET 143 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|13921; 13921 IMAP Altrium Software MERCUR IMAPD NTLMSSP command handling memory corruption attempt secunia.com/advisories/24596 22792 attempted-admin 2007-0494 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"append"; nocase; pcre:"/^\d+\s+append\s[^\r\n]*\{[^\r\n}]{128}/i"; classtype:attempted-admin; 17369 IMAP MailEnable Service APPEND Command Handling Buffer Overflow 4713 misc-attack 2002-0379 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase; isdataat:1024,relative; pcre:"/\sPARTIAL.*?BODY\[[^\]]{1024}/smi"; classtype:misc-attack; 1755 IMAP partial body buffer overflow attempt 10966 502 attempted-user 2007-2795 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"LOGIN"; nocase; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/i"; classtype:attempted-user; 1842 IMAP login buffer overflow attempt 10125 1110 misc-attack 2000-0284 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"LIST"; fast_pattern:only; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; classtype:misc-attack; 1845 IMAP list literal overflow attempt 10374 1110 misc-attack 2000-0284 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:to_server,established; content:"LSUB"; fast_pattern:only; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; classtype:misc-attack; 1902 IMAP lsub literal overflow attempt 10374 1110 misc-attack 2000-0284 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; classtype:misc-attack; 1903 IMAP rename overflow attempt 10374 1110 misc-attack 2000-0284 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/^\sFIND\s[^\n]{100}/smi"; classtype:misc-attack; 1904 IMAP find overflow attempt 10374 6298 misc-attack 2006-6424 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"LOGIN"; fast_pattern:only; pcre:"/\sLOGIN\s[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:service imap; classtype:misc-attack; 1993 IMAP login literal buffer overflow attempt 12532 4713 misc-attack 2002-0379 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; metadata:service imap; classtype:misc-attack; 2046 IMAP partial body.peek buffer overflow attempt 10966 21724 misc-attack 2006-6424 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"AUTHENTICATE"; fast_pattern:only; nocase; pcre:"/\sAUTHENTICATE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:service imap; classtype:misc-attack; 2105 IMAP authenticate literal overflow attempt 10292 15006 misc-attack 2005-3155 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; classtype:misc-attack; 2106 IMAP lsub overflow attempt 10374 7446 misc-attack tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; metadata:service imap; classtype:misc-attack; 2107 IMAP create buffer overflow attempt 15006 misc-attack 2005-3155 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; classtype:misc-attack; 2118 IMAP list overflow attempt 10374 1110 misc-attack 2000-0284 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"RENAME"; fast_pattern:only; pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; classtype:misc-attack; 2119 IMAP rename literal overflow attempt 10374 7446 misc-attack tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:to_server,established; content:"CREATE"; fast_pattern:only; pcre:"/\sCREATE\s*\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:service imap; classtype:misc-attack; 2120 IMAP create literal buffer overflow attempt suspicious-login tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:to_server,established; content:"LOGIN"; fast_pattern:only; detection_filter:track by_dst, count 30, seconds 30; metadata:service imap; classtype:suspicious-login; 2273 IMAP login brute force attempt 10115 attempted-dos 2004-0120 tcp $EXTERNAL_NET any -> $HOME_NET 993 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; metadata:service imap; classtype:attempted-dos; 2497 IMAP SSLv3 invalid data version attempt 12204 www.microsoft.com/technet/security/bulletin/MS04-011.mspx attempted-dos 2004-0120 tcp $EXTERNAL_NET any -> $HOME_NET 993 flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; metadata:service imap; classtype:attempted-dos; 2531 IMAP SSLv3 invalid Client_Hello attempt 12204 www.microsoft.com/technet/security/bulletin/MS04-011.mspx 10976 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"LOGIN"; fast_pattern:only; nocase; pcre:"/\sLOGIN\s[^\n]*?%/smi"; metadata:service imap; classtype:attempted-admin; 2664 IMAP login format string attempt 15006 misc-attack 2005-3155 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"DELETE"; nocase; isdataat:100,relative; pcre:"/\sDELETE\s[^\n]{100}/smi"; metadata:service imap; classtype:misc-attack; 3007 IMAP delete overflow attempt 15771 11675 misc-attack 2004-1520 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"DELETE"; fast_pattern:only; nocase; pcre:"/\sDELETE\s[^\n]*?\{/smi"; byte_test:5,>,100,0,string,dec,relative; metadata:service imap; classtype:misc-attack; 3008 IMAP delete literal overflow attempt 15771 1110 misc-attack 2000-0284 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"COPY"; fast_pattern:only; nocase; pcre:"/\sCOPY\s[^\n]*?\{/smi"; byte_test:5,>,1024,0,string,dec,relative; classtype:misc-attack; 3058 IMAP copy literal overflow attempt 10374 21729 misc-attack 2006-6425 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"APPEND"; nocase; isdataat:256,relative; pcre:"/\sAPPEND\s[^\n]{256}/smi"; classtype:misc-attack; 3066 IMAP append overflow attempt 15867 11775 misc-attack 2004-1211 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"FETCH"; nocase; isdataat:256,relative; pcre:"/\sFETCH\s[^\n]{256}/smi"; metadata:service imap; classtype:misc-attack; 3070 IMAP fetch overflow attempt 15867 15491 misc-attack 2004-1211 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"STATUS"; fast_pattern:only; pcre:"/\sSTATUS[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; classtype:misc-attack; 3071 IMAP status literal overflow attempt 15867 15491 misc-attack 2005-3314 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; pcre:"/\sSTATUS[^\n]{100}/smi"; metadata:service imap; classtype:misc-attack; 3072 IMAP status overflow attempt 15867 11775 misc-attack 2004-1211 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"UNSUBSCRIBE"; fast_pattern:only; pcre:"/\sUNSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; classtype:misc-attack; 3075 IMAP unsubscribe literal overflow attempt 15867 15488 attempted-admin 2005-3189 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100; pcre:"/^\w+\s+UNSUBSCRIBE\s[^\n]{100}/smi"; metadata:service imap; classtype:attempted-admin; 3076 IMAP UNSUBSCRIBE overflow attempt 15867 10976 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"SEARCH"; fast_pattern:only; pcre:"/\sSEARCH\s[^\n]*?%/smi"; metadata:service imap; classtype:attempted-admin; 4645 IMAP search format string attempt 10976 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"SEARCH"; fast_pattern:only; pcre:"/\sSEARCH\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; metadata:service imap; classtype:attempted-admin; 4646 IMAP search literal format string attempt 15488 misc-attack 2005-3189 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"DELETE"; fast_pattern:only; pcre:"/\sDELETE\s*\S*\x2e\x2e\x2f/smi"; metadata:service imap; classtype:misc-attack; 5696 IMAP delete directory traversal attempt 15488 misc-attack 2005-3189 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"EXAMINE"; fast_pattern:only; pcre:"/\sEXAMINE\s*\S*\x2e\x2e\x2f/smi"; metadata:service imap; classtype:misc-attack; 5697 IMAP examine directory traversal attempt 15488 misc-attack 2005-3189 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"LIST"; fast_pattern:only; pcre:"/\sLIST\s*\S*\x2e\x2e\x2f/smi"; metadata:service imap; classtype:misc-attack; 5698 IMAP list directory traversal attempt 15488 misc-attack 2005-3189 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"LSUB"; fast_pattern:only; pcre:"/\sLSUB\s*\S*\x2e\x2e\x2f/smi"; metadata:service imap; classtype:misc-attack; 5699 IMAP lsub directory traversal attempt 15488 misc-attack 2005-3189 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"RENAME"; fast_pattern:only; pcre:"/\sRENAME\s*\S*\x2e\x2e\x2f/smi"; metadata:service imap; classtype:misc-attack; 5700 IMAP rename directory traversal attempt 15488 misc-attack 2005-3189 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"STATUS"; fast_pattern:only; pcre:"/\sSTATUS\s*\S*\x2e\x2e\x2f/smi"; metadata:service imap; classtype:misc-attack; 5701 IMAP status directory traversal attempt 26219 attempted-admin 2007-3510 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"SUBSCRIBE"; fast_pattern:only; pcre:"/^\w+\s+SUBSCRIBE\s*\S*\x2e\x2e\x2f/smi"; metadata:service imap; classtype:attempted-admin; 5702 IMAP SUBSCRIBE directory traversal attempt 15867 15488 misc-attack 2005-3189 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"UNSUBSCRIBE"; fast_pattern:only; pcre:"/\sUNSUBSCRIBE\s*\S*\x2e\x2e\x2f/smi"; metadata:service imap; classtype:misc-attack; 5703 IMAP unsubscribe directory traversal attempt 15006 misc-attack 2006-1255 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"SELECT"; nocase; isdataat:100,relative; pcre:"/\sSELECT\s[^\n]{100}/smi"; metadata:service imap; classtype:misc-attack; 5704 IMAP SELECT overflow attempt 15006 misc-attack 2005-3155 tcp $EXTERNAL_NET any -> $HOME_NET 143 flow:established,to_server; content:"CAPABILITY"; nocase; isdataat:100,relative; pcre:"/\sCAPABILITY\s[^\n]{100}/smi"; metadata:service imap; classtype:misc-attack; 5705 IMAP CAPABILITY overflow attempt 22083 attempted-admin 2007-5135 tcp $EXTERNAL_NET any -> $HOME_NET 993 flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 00 02|"; depth:3; offset:2; byte_test:2, >, 256, 0, relative; metadata:service imap; classtype:attempted-admin; 8438 IMAP SSLv2 openssl get shared ciphers overflow attempt www.openssl.org/news/secadv_20060928.txt 25831 attempted-admin 2007-5135 tcp $EXTERNAL_NET any -> $HOME_NET 993 flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; within:1; distance:2; content:"|03 00|"; within:2; distance:3; content:"|00|"; within:1; distance:32; byte_test:2, >, 256, 0, relative; metadata:service imap; classtype:attempted-admin; 8439 IMAP SSLv3 openssl get shared ciphers overflow attempt www.openssl.org/news/secadv_20060928.txt 21931 attempted-user 2007-0033 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"DTSTART|3B|"; nocase; content:!"value"; within:5; nocase; content:!"TZID"; within:4; nocase; pcre:"/^DTSTART\x3B/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; 10012 SMTP Microsoft Outlook VEVENT non-TZID overflow attempt www.microsoft.com/technet/security/Bulletin/MS07-003.mspx trojan-activity tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"i45MQBVUFghDQkCCOqHqPmgGbzTU9IAAA1jAAAArAAAJgAACeJY"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 10065 SPECIFIC-THREATS Trojan Peacomm smtp propagation detection trojan-activity tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"i4wMwBVUFghDQkCCOoZ0r3G4BoF+sIAADJgAAAArAAAJgAAuru3"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 10066 SPECIFIC-THREATS Trojan Peacomm smtp propagation detection trojan-activity tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA71DL"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 10067 SPECIFIC-THREATS Trojan Peacomm smtp propagation detection trojan-activity tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA7xSw"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 10068 SPECIFIC-THREATS Trojan Peacomm smtp propagation detection trojan-activity tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA78Ej"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 10069 SPECIFIC-THREATS Trojan Peacomm smtp propagation detection trojan-activity tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA73lo"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 10070 SPECIFIC-THREATS Trojan Peacomm smtp propagation detection trojan-activity tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA7/dT"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 10071 SPECIFIC-THREATS Trojan Peacomm smtp propagation detection trojan-activity tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA7+1C"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 10072 SPECIFIC-THREATS Trojan Peacomm smtp propagation detection trojan-activity tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"i4wMwBVUFghDQkCCEgAH0PRKH5o+uIAAF5sAAAAwgAAJgAAVW0u"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 10073 SPECIFIC-THREATS Trojan Peacomm smtp propagation detection trojan-activity tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"i4wMwBVUFghDQkCCEgAH0PRKH5o+uIAAF5sAAAAwgAAJgAAVee+"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 10074 SPECIFIC-THREATS Trojan Peacomm smtp propagation detection trojan-activity tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"i4wMwBVUFghDQkCCCaI2wFrGFEtU9IAAA5jAAAArAAAJgAALEir"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 10075 SPECIFIC-THREATS Trojan Peacomm smtp propagation detection trojan-activity tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"i4wMwBVUFghDQkCCCaI2wFrGFEtU9IAAA5jAAAArAAAJgAALNBp"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 10076 SPECIFIC-THREATS Trojan Peacomm smtp propagation detection trojan-activity tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"i4wMwBVUFghDQkCCCaI2wFrGFEtU9IAAA5jAAAArAAAJgAALNfY"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 10077 SPECIFIC-THREATS Trojan Peacomm smtp propagation detection trojan-activity tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"i45MQBVUFghDQkICKDx6PZ9cWtlZzUVAMY0AAAAZAAAJgAAqwTm"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 10078 SPECIFIC-THREATS W32.Nuwar.AY smtp propagation detection trojan-activity tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"i45MQBVUFghDQkICEywTzzbc2+gVYUVAIGpAAAA2AAAJgAARIj9"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 10079 SPECIFIC-THREATS W32.Nuwar.AY smtp propagation detection trojan-activity tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"i45MQBVUFghDQkICEywTzzbc2+gVYUVAIGpAAAA2AAAJgAARC1i"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 10080 SPECIFIC-THREATS W32.Nuwar.AY smtp propagation detection trojan-activity tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA7/2n"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 10081 SPECIFIC-THREATS W32.Nuwar.AY smtp propagation detection trojan-activity tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA76VO"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 10082 SPECIFIC-THREATS W32.Nuwar.AY smtp propagation detection trojan-activity tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"i45MQBVUFghDQkCCOqHqPmgGbzTU9IAAA1jAAAArAAAJgAACWwe"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 10083 SPECIFIC-THREATS W32.Nuwar.AY smtp propagation detection successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A|"; nocase; content:"Beyond"; distance:0; nocase; content:"Keylogger"; distance:0; nocase; content:"Report"; distance:0; nocase; pcre:"/^Subject\x3a[^\r\n]*Beyond\s+Keylogger\s+Report\x2E\s+Id\x3d\x5b.*\x5d/smi"; metadata:policy security-ips alert; classtype:successful-recon-limited; 10088 SPYWARE-PUT Keylogger beyond Keylogger runtime detection - log sent by smtp www3.ca.com/securityadvisor/pest/pest.aspx?id=453097340 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A|"; nocase; content:"|28 29|"; distance:0; nocase; content:"DivXProGainBundle"; nocase; content:"Registration"; distance:0; nocase; pcre:"/^Subject\x3a[^\r\n]*\x28\x29/smi"; pcre:"/DivXProGainBundle\s+registration/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 10453 BACKDOOR zalivator 1.4.2 pro runtime detection - smtp notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453084203 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A|"; nocase; content:"Report"; distance:0; nocase; content:"from"; distance:0; nocase; content:"ChildWebGuardian"; distance:0; nocase; content:"filename=|22|report.html|22|"; fast_pattern:only; pcre:"/^Subject\x3a[^\r\n]*Report[^\r\n]*from[^\r\n]*ChildWebGuardian/smi"; metadata:policy security-ips drop; classtype:successful-recon-limited; 11305 SPYWARE-PUT Snoopware childwebguardian runtime detection - send log through smtp www3.ca.com/securityadvisor/pest/pest.aspx?id=453099134 27835 suspicious-filename-detect 2007-6593 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; content:"Content-Disposition|3A|"; content:".123"; pcre:"/filename\s*=[^\n]*\.123/si"; metadata:policy security-ips drop, service smtp; classtype:suspicious-filename-detect; 12807 SMTP Lotus 123 file attachment www.coresecurity.com/index.php5?action=item&id=2008 4204 attempted-admin 2002-0055 tcp $EXTERNAL_NET any -> $HOME_NET 25 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|13718, policy security-ips drop, service smtp; 13718 SMTP BDAT buffer overflow attempt www.microsoft.com/technet/security/bulletin/ms02-012.mspx misc-attack 2008-2247 tcp $EXTERNAL_NET any -> $HOME_NET 25 gid:3; classtype:misc-attack; metadata: engine shared, soid 3|13894, policy security-ips drop; 13894 SMTP Microsoft Outlook Web Access From field cross-site scripting attempt www.microsoft.com/technet/security/bulletin/ms08-039.mspx misc-attack 2008-2248 tcp $EXTERNAL_NET any -> $HOME_NET 25 gid:3; classtype:misc-attack; metadata: engine shared, soid 3|13895, service smtp, policy balanced-ips drop, policy security-ips drop; 13895 SMTP Microsoft Outlook Web Access invalid CSS escape sequence script execution attempt www.microsoft.com/technet/security/bulletin/ms08-039.mspx 18630 attempted-dos 2006-3277 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; content:"HELO "; depth:5; content:"|00|"; within:2; metadata:policy security-ips drop, service smtp; classtype:attempted-dos; 13923 SMTP MailEnable SMTP HELO command denial of service attempt 33751 attempted-user 2009-0658 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_client,established; content:"JBIG2Decode"; nocase; content:"stream"; distance:0; pcre:"/JBIG2Decode.*?stream(\x0d\x0a|\x0a|\x0d)/smi"; byte_test:1, &, 64, 4, relative; byte_test:1, <, 160, 5, relative; byte_test:4, >, 35256, 6, relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; 15358 SMTP Adobe PDF JBIG2 remote code execution attempt 33751 attempted-user 2009-0658 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; flowbits:isset,email.pdf; content:"KQklHMkRlY29kZ"; pcre:"/[A-Za-z0-9_\x2f][A-Za-z0-9_\x2f][BFJNRVZdhlptx159]KQklHMkRlY29kZ[QRSTUVWXYZabcdef][A-Za-z0-9_\x2f][A-Za-z0-9_\x2f]/"; flowbits:set,email.pdf.jbig2decode; flowbits:noalert; flowbits:isset,email.pdf.javascript; flowbits:unset,email.pdf.jbig2decode; flowbits:unset,email.pdf.javascript; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; 15359 SMTP Suspicious JBIG2 pdf file sent via email 33751 attempted-user 2009-0658 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; flowbits:isset,email.pdf; content:"KYXZhU2NyaXB0"; pcre:"/[A-Za-z0-9_\x2f][A-Za-z0-9_\x2f][BFJNRVZdhlptx159]KYXZhU2NyaXB0/"; flowbits:set,email.pdf.javascript; flowbits:noalert; flowbits:isset,email.pdf.jbig2decode; flowbits:unset,email.pdf.jbig2decode; flowbits:unset,email.pdf.javascript; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; 15360 SMTP Suspicious JBIG2 pdf file sent in email 18381 attempted-user 2006-1193 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"text/html"; distance:0; nocase; pcre:"/\x3c[^\x3e]*\x00[^\x3e]*\x3e/Rsmi"; metadata:policy security-ips drop, service smtp; classtype:attempted-user; 15367 SMTP outlook web access script injection attempt 895 attempted-admin 2000-0042 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"HELO"; nocase; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi"; metadata:policy security-ips drop, service smtp; classtype:attempted-admin; 1549 SMTP HELO overflow attempt 11674 33751 attempted-user 2009-0658 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; flowbits:isset,email.pdf; content:"pCSUcyRGVjb2Rl"; pcre:"/[A-Za-z0-9_\x2f][EUk0]pCSUcyRGVjb2Rl/"; flowbits:set,email.pdf.jbig2decode; flowbits:noalert; flowbits:isset,email.pdf.javascript; flowbits:unset,email.pdf.jbig2decode; flowbits:unset,email.pdf.javascript; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; 15494 SMTP Suspicious JBIG2 pdf file sent from email 33751 attempted-user 2009-0658 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; flowbits:isset,email.pdf; content:"SkJJRzJEZWNvZZ"; pcre:"/SkJJRzJEZWNvZZ[UVWX][A-Za-z0-9_\x2f]/"; flowbits:set,email.pdf.jbig2decode; flowbits:noalert; flowbits:isset,email.pdf.javascript; flowbits:unset,email.pdf.jbig2decode; flowbits:unset,email.pdf.javascript; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; 15495 SMTP Suspicious JBIG2 pdf file sent by email 33751 attempted-user 2009-0658 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; flowbits:isset,email.pdf; content:"phdmFTY3Jpcc"; pcre:"/[A-Za-z0-9_\x2f][EUk0]phdmFTY3Jpcc[QRST][A-Za-z0-9_\x2f]/"; flowbits:set,email.pdf.javascript; flowbits:noalert; flowbits:isset,email.pdf.jbig2decode; flowbits:unset,email.pdf.jbig2decode; flowbits:unset,email.pdf.javascript; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; 15496 SMTP Suspicious JBIG2 pdf file sent through email 33751 attempted-user 2009-0658 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; flowbits:isset,email.pdf; content:"SmF2YVNjcmlwd"; pcre:"/SmF2YVNjcmlwd[ABCDEFGHIJKLMNOP][A-Za-z0-9_\x2f][A-Za-z0-9_\x2f]/"; flowbits:set,email.pdf.javascript; flowbits:noalert; flowbits:isset,email.pdf.jbig2decode; flowbits:unset,email.pdf.jbig2decode; flowbits:unset,email.pdf.javascript; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; 15497 SMTP Suspicious JBIG2 pdf file sent with email 7506 attempted-admin 2004-0399 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"MAIL"; nocase; content:"FROM"; distance:1; nocase; content:"|3A|"; distance:0; nocase; isdataat:260; content:!"|0A|"; within:260; pcre:"/^\s*MAIL\s+FROM\s*\x3A\s*\x3C?\s*[^\x3E\s]{257}\s*/mi"; metadata:policy security-ips drop, service smtp; classtype:attempted-admin; 15574 SMTP MAIL FROM command overflow attempt www.guninski.com/exim1.html 20091 attempted-admin 2006-4616 tcp $EXTERNAL_NET 53 -> $HOME_NET any flow:to_client,established; content:"|00 01|Q|80 04|9|06|v=spf1|0A|AAAAAAAAAA|0A|AAAAAAAAAA"; metadata:policy security-ips drop, service dns; classtype:attempted-admin; 16025 SPECIFIC-THREATS MailEnable SMTP service SPF lookup buffer overflow attempt 35065 attempted-admin 2009-1636 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"AUTH"; nocase; content:"LOGIN"; distance:0; nocase; pcre:"/^\s*AUTH\s+LOGIN[^\x0a\x0d]{100,}(?<!\x0d)\x0a/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:attempted-admin; 16193 SMTP Novell GroupWise Internet Agent SMTP AUTH LOGIN command buffer overflow attempt 15752 attempted-admin 2005-2931 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"MAIL FROM|3A|c|3A 07|ppsipswitchstuser@%s%s%n%s%s%s"; metadata:policy security-ips drop, service smtp; classtype:attempted-admin; 16201 SPECIFIC-THREATS Ipswitch Collaboration Suite SMTP format string exploit attempt 33560 attempted-user 2009-0410 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; content:"RCPT TO|3A|"; nocase; isdataat:256,relative; pcre:"/^RCPT\x20TO\x3a\s*\x3c?[^\r\n\x3e]{256}(\x3e|\x0d|\x0a)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; 16515 SMTP Novell Groupwise Internet Agent RCPT command overflow attempt attempted-dos 2010-0024 udp $EXTERNAL_NET 53 -> $SMTP_SERVERS any gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|16534, service dns, policy security-ips drop; 16534 DOS Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt www.microsoft.com/technet/security/bulletin/MS10-024.mspx 35064 attempted-admin 2009-1636 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"MAIL"; nocase; content:"FROM"; distance:0; nocase; pcre:"/^\s*MAIL\s*FROM\s*\x3a\s*(\x3c[\x3e]*\x3e|\S+)\s+[^\x09\x0a\x0d\x20\x3d]{40}/mi"; metadata:policy security-ips drop, service smtp; classtype:attempted-admin; 16597 SMTP Novell GroupWise Internet Agent Email address processing buffer overflow attempt attempted-user 2010-0266 tcp $EXTERNAL_NET any -> $HOME_NET 25 gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17034, service smtp, policy balanced-ips drop, policy security-ips drop; 17034 SMTP Outlook AttachMethods local file execution attempt www.microsoft.com/technet/security/bulletin/MS10-045.mspx attempted-user 2010-0266 tcp $EXTERNAL_NET any -> $HOME_NET 25 gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17035, service smtp, policy balanced-ips drop, policy security-ips drop; 17035 SMTP Outlook AttachMethods local file execution attempt www.microsoft.com/technet/security/bulletin/MS10-045.mspx attempted-user 2010-0266 tcp $EXTERNAL_NET any -> $HOME_NET 25 gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17036, service smtp, policy balanced-ips drop, policy security-ips drop; 17036 SMTP Outlook AttachMethods local file execution attempt www.microsoft.com/technet/security/bulletin/MS10-045.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F8D07B72-B4B4-46A0-ACC0-C771D4614B82"; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F8D07B72-B4B4-46A0-ACC0-C771D4614B82\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(AddAttachments)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F8D07B72-B4B4-46A0-ACC0-C771D4614B82\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(AddAttachments))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17099 WEB-ACTIVEX CommuniCrypt Mail ANSMTP.dll/AOSMTP.dll ActiveX clsid access osvdb.org/show/osvdb/64839 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|8|00|D|00|0|00|7|00|B|00|7|00|2|00|-|00|B|00|4|00|B|00|4|00|-|00|4|00|6|00|A|00|0|00|-|00|A|00|C|00|C|00|0|00|-|00|C|00|7|00|7|00|1|00|D|00|4|00|6|00|1|00|4|00|B|00|8|00|2|00|"; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x008\x00D\x000\x007\x00B\x007\x002\x00-\x00B\x004\x00B\x004\x00-\x004\x006\x00A\x000\x00-\x00A\x00C\x00C\x000\x00-\x00C\x007\x007\x001\x00D\x004\x006\x001\x004\x00B\x008\x002\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17100 WEB-ACTIVEX CommuniCrypt Mail ANSMTP.dll/AOSMTP.dll ActiveX clsid unicode access osvdb.org/show/osvdb/64839 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AOSMTP.Mail"; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22AOSMTP\.Mail(\.\d)?\x22|\x27AOSMTP\.Mail(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*AddAttachments\s*|.*(?P=v)\s*\.\s*AddAttachments\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AOSMTP\.Mail(\.\d)?\x22|\x27AOSMTP\.Mail(\.\d)?\x27)\s*\)(\s*\.\s*AddAttachments\s*|.*(?P=n)\s*\.\s*AddAttachments\s*)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17101 WEB-ACTIVEX CommuniCrypt Mail ANSMTP.dll/AOSMTP.dll ActiveX function call access osvdb.org/show/osvdb/64839 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|O|00|S|00|M|00|T|00|P|00|.|00|M|00|a|00|i|00|l|00|"; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)A\x00O\x00S\x00M\x00T\x00P\x00.\x00M\x00a\x00i\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)A\x00O\x00S\x00M\x00T\x00P\x00.\x00M\x00a\x00i\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17102 WEB-ACTIVEX CommuniCrypt Mail ANSMTP.dll/AOSMTP.dll ActiveX function call unicode access osvdb.org/show/osvdb/64839 attempted-admin 2010-2728 tcp $EXTERNAL_NET any -> $HOME_NET 25 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|17251, service smtp, policy security-ips drop; 17251 SMTP Outlook RTF remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-064.mspx protocol-command-decode tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:established,to_server; content:"Content-Disposition|3A|"; nocase; content:"attachment"; distance:0; nocase; pcre:"/^Content-Disposition\x3A\s*attachment/smi"; flowbits:set,smtp.contenttype.attachment; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; 17332 SMTP Content-Disposition attachment 16576 attempted-user 2005-2618 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:established,to_server; flowbits:isset,smtp.contenttype.attachment; content:"|0D 0A 0D 0A|begin|20|"; isdataat:278,relative; content:!"end|0D 0A|"; within:278; nocase; metadata:policy security-ips drop, service smtp; classtype:attempted-user; 17333 SMTP Lotus Notes Attachment Viewer UUE file buffer overflow attempt 20290 attempted-admin 2006-5176 tcp $EXTERNAL_NET any -> $HOME_NET 25 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|17693, service smtp, policy security-ips alert; 17693 SMTP MailEnable NTLM Authentication buffer overflow attempt secunia.com/advisories/22179/ attempted-user 2006-3746 tcp $EXTERNAL_NET any -> $HOME_NET 25 gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17697, service smtp, policy security-ips drop; 17697 SMTP GnuPG Message Packet Length overflow attempt secunia.com/advisories/21297/ 26200 attempted-user 2007-4222 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; content:"<input "; nocase; isdataat:128,relative; pcre:"/<input\s+[^>]*?name\s*=\s*(3D=)?[^\x20]{128}/smi"; metadata:policy security-ips drop, service smtp; classtype:attempted-user; 17717 SMTP IBM Lotus Notes HTML input tag buffer overflow attempt www-1.ibm.com/support/docview.wss?rs=477&uid=swg21272930 attempted-admin 2003-0161 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"Content-Transfer-Encoding"; nocase; content:"|3A|"; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; pcre:"/^\s*Content-Transfer-Encoding\s*\x3A\s*[^\n]{100}/mi"; metadata:policy security-ips drop; classtype:attempted-admin; 2183 SMTP Content-Transfer-Encoding overflow attempt www.cert.org/advisories/CA-2003-12.html 8838 attempted-admin 2003-0714 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"XEXCH50"; fast_pattern:only; pcre:"/^XEXCH50\s+-\d/smi"; metadata:policy security-ips drop, service smtp; classtype:attempted-admin; 2253 SMTP XEXCH50 overflow attempt 11889 www.microsoft.com/technet/security/bulletin/MS03-046.mspx 7230 attempted-admin 2003-0161 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"EXPN"; nocase; isdataat:255,relative; pcre:"/^EXPN[^\n]{255}/smi"; metadata:policy security-ips drop, service smtp; classtype:attempted-admin; 2259 SMTP EXPN overflow attempt 7230 attempted-admin 2003-0161 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"VRFY"; nocase; isdataat:255,relative; pcre:"/^VRFY[^\n]{255}/smi"; metadata:policy security-ips drop, service smtp; classtype:attempted-admin; 2260 SMTP VRFY overflow attempt protocol-command-decode tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"STARTTLS"; pcre:"/^STARTTLS/smi"; flowbits:set,starttls.attempt; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; 2527 SMTP STARTTLS attempt protocol-command-decode tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; 2542 SMTP SSLv3 Client_Hello request protocol-command-decode tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; 2543 SMTP SSLv3 Server_Hello request 7419 attempted-admin 2003-0113 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"Content-Type"; nocase; content:"|3A|"; distance:0; pcre:"/^\s*Content-Type\s*\x3A\s*[^\r\n]{300}/mi"; metadata:policy security-ips drop; classtype:attempted-admin; 3461 SMTP Content-Type overflow attempt www.microsoft.com/technet/security/bulletin/MS03-015.mspx 7419 attempted-admin 2003-0113 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"Content-Encoding"; nocase; content:"|3A|"; distance:0; pcre:"/^\s*Content-Encoding\s*\x3A\s*[^\r\n]{300}/mi"; metadata:policy security-ips drop, service smtp; classtype:attempted-admin; 3462 SMTP Content-Encoding overflow attempt www.microsoft.com/technet/security/bulletin/MS03-015.mspx protocol-command-decode tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.client_hello.request; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; 3493 SMTP SSLv2 Client_Hello request protocol-command-decode tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; offset:6; flowbits:set,sslv2.client_hello.request; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; 3494 SMTP SSLv2 Client_Hello with pad request protocol-command-decode tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; 3495 SMTP TLSv1 Client_Hello request protocol-command-decode tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; 3496 SMTP TLSv1 Client_Hello via SSLv2 handshake request protocol-command-decode tcp $SMTP_SERVERS 465 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,sslv2.client_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; 3497 SMTP SSLv2 Server_Hello request protocol-command-decode tcp $SMTP_SERVERS 465 -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,tlsv1.server_hello.request; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; 3498 SMTP TLSv1 Server_Hello request protocol-command-decode tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; 5685 SMTP TLSv1 Client_Hello via SSLv2 handshake request protocol-command-decode tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,tlsv1.server_hello.request; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; 5686 SMTP TLSv1 Server_Hello request protocol-command-decode tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.client_hello.request; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; 5687 SMTP SSLv2 Client_Hello request protocol-command-decode tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; offset:6; flowbits:set,sslv2.client_hello.request; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; 5688 SMTP SSLv2 Client_Hello with pad request protocol-command-decode tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; 5689 SMTP TLSv1 Client_Hello request protocol-command-decode tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; 5690 SMTP SSLv3 Client_Hello request protocol-command-decode tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,sslv2.client_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; 5691 SMTP SSLv2 Server_Hello request successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Sender|3A| ActMon"; fast_pattern:only; metadata:policy security-ips drop; classtype:successful-recon-limited; 5790 SPYWARE-PUT Keylogger pc actmon pro runtime detection - smtp www.spywareguide.com/product_show.php?id=1989 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Computer IP Address|3A|"; nocase; content:"Attached to this email are the activity logs that you have requested"; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:successful-recon-limited; 5880 SPYWARE-PUT Keylogger spyagent runtime detect - smtp delivery www.spywareguide.com/product_show.php?id=22 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A|"; nocase; content:"|BA DA B0 B5 CC EC CA B9| 2.41 "; distance:0; nocase; pcre:"/^Subject\x3A[^\r\n]*2\x2E41/smi"; flowbits:set,DKangel_Email; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6125 BACKDOOR dkangel runtime detection - smtp www3.ca.com/securityadvisor/pest/pest.aspx?id=453076278 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,DKangel_Email; content:"yyt_hac"; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6126 BACKDOOR dkangel runtime detection - smtp www3.ca.com/securityadvisor/pest/pest.aspx?id=453076278 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"===========>"; nocase; content:"WinSession Logger"; distance:0; nocase; metadata:policy security-ips alert; classtype:successful-recon-limited; 6207 SPYWARE-PUT Keylogger winsession runtime detection - smtp www3.ca.com/securityadvisor/pest/pest.aspx?id=453097713 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"From|3A|"; nocase; content:"Im"; distance:0; nocase; content:"Online"; distance:0; nocase; content:"<msn@msn.com>"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"Im"; distance:0; nocase; content:"Version|3A|"; distance:0; nocase; content:"CIA"; distance:0; nocase; content:"1.3"; distance:0; nocase; pcre:"/^Subject\x3A[^\r\n]*Im\s+Online\s+\d+\x2E\d+\x2E\d+\x2E\d+/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6301 BACKDOOR cia 1.3 runtime detection - smtp notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453076260 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"from|3A|"; nocase; content:"HTTP_RAT_"; distance:0; nocase; content:"subject|3A|"; distance:0; nocase; content:"there"; distance:0; nocase; content:"is"; distance:0; nocase; content:"a"; distance:0; nocase; content:"HTTPRAT"; distance:0; nocase; content:"waiting"; distance:0; nocase; content:"4"; distance:0; nocase; content:"u"; distance:0; nocase; content:"on"; distance:0; nocase; pcre:"/^FROM|3A|\s+HTTP_RAT_.*SUBJECT|3A|\s+there\s+is\s+a\s+HTTPRAT\s+waiting\s+4\s+u\s+on/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6397 BACKDOOR http rat runtime detection - smtp www3.ca.com/securityadvisor/pest/pest.aspx?id=453076346 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-OEM|3A|"; nocase; content:"iOpus"; distance:0; nocase; content:"Software"; distance:0; nocase; content:"GmbH"; distance:0; nocase; content:"X-Sender|3A|"; nocase; content:"iOpus"; distance:0; nocase; content:"Software"; distance:0; nocase; content:"GmbH"; distance:0; nocase; pcre:"/^X-OEM\x3A[^\r\n]*iOpus\s+Software\s+GmbH.*X-Sender\x3A[^\r\n]*iOpus\s+Software\s+GmbH/smi"; metadata:policy security-ips alert; classtype:misc-activity; 6477 SPYWARE-PUT Hacker-Tool beee runtime detection - smtp www3.ca.com/securityadvisor/pest/pest.aspx?id=453060657 9696 attempted-admin 2009-0410 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"rcpt to|3A|"; nocase; isdataat:256,relative; pcre:"/^RCPT TO\x3a\s*\x3c?[^\n\x3e]{256}/im"; metadata:policy security-ips drop, service smtp; classtype:attempted-admin; 654 SMTP RCPT TO overflow successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"From|3A| |22|007 Spy Agent|22|"; nocase; content:"Subject|3A| 007 Monitoring Log Report"; fast_pattern:only; metadata:policy security-ips drop; classtype:successful-recon-limited; 7184 SPYWARE-PUT Keylogger 007 spy software runtime detection - smtp www3.ca.com/securityadvisor/pest/pest.aspx?id=453082794 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"<title>"; nocase; content:"Actual"; distance:0; nocase; content:"Spy"; distance:0; nocase; content:"software"; distance:0; nocase; content:"report"; distance:0; nocase; content:"</title>"; distance:0; nocase; pcre:"/\<title\>Actual\s+Spy\s+software\s+report\<|2F|title\>/smi"; metadata:policy security-ips alert; classtype:successful-recon-limited; 7505 SPYWARE-PUT Keylogger actualspy runtime detection - smtp www3.ca.com/securityadvisor/pest/pest.aspx?id=453086496 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"ATL"; distance:0; nocase; content:"CSmtp"; distance:0; nocase; content:"Class"; distance:0; nocase; content:"Mailer"; distance:0; nocase; content:"by"; distance:0; nocase; content:"Robert"; distance:0; nocase; content:"Simpson"; distance:0; nocase; pcre:"/^X-Mailer\x3A[^\r\n]*ATL\s+CSmtp\s+Class\s+Mailer\s+by\s+Robert\s+Simpson\s+\x28robert\x40blackcastlesoft\x2Ecom\x29/smi"; metadata:policy security-ips alert; classtype:successful-recon-limited; 7551 SPYWARE-PUT Keylogger ardamax keylogger runtime detection - smtp www3.ca.com/securityadvisor/pest/pest.aspx?id=453094248 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"JMail"; distance:0; nocase; content:"by"; distance:0; nocase; content:"Dimac"; distance:0; nocase; content:"NiceSpy's"; nocase; content:"email"; distance:0; nocase; content:"assistant"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*JMail[^\r\n]*by[^\r\n]*Dimac/smi"; pcre:"/^NiceSpy\x27s\s+email\s+assistant/smi"; metadata:policy security-ips alert; classtype:successful-recon-limited; 8544 SPYWARE-PUT Keylogger nicespy runtime detection - smtp www3.ca.com/securityadvisor/pest/pest.aspx?id=453097309 not-suspicious tcp $HOME_NET 25 -> $EXTERNAL_NET any flow:established,to_client; content:"220 YahooPOPs!"; flowbits:set,ypops.banner; flowbits:noalert; metadata:service smtp; classtype:not-suspicious; 8704 SMTP YPOPS Banner trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Yid5ICdT|0D 0A|J2sneSdOJ2UndCcuJ0MnWicgJ0MnbydyJ3AqJwAAJ0QncidvJ3AncCdlJ2QnUydrJ3knTidl|0D 0A|J3QnACdTJ2sneSdOJ2UndCdGJ2knZydoJ3QncydCJ2EnYydrAAAAAHVzZXJj"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9326 SPECIFIC-THREATS netsky.p smtp propagation detection www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNETSKY%2EP&VSect=T trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"QWxldmlydXMgTmV0U2t5LWIgQ3JhY2tlZCBBbmluaGFBTUFWQyE"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9327 SPECIFIC-THREATS netsky.af smtp propagation detection www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.AF trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"zhangpo"; fast_pattern:only; nocase; pcre:"/^X-Mailer\x3A[^\r\n]*zhangpo/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9328 SPECIFIC-THREATS zhangpo smtp propagation detection www.spywareremove.com/removeZhangpo.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"From|3A|"; nocase; content:"Trojaner-Info<webmaster@trojaner-info.de>"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"Trojaner-Info Newsletter"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*Trojaner-Info<webmaster@trojaner-info\x2Ede>/smi"; pcre:"/^Subject\x3A[^\r\n]*Trojaner-Info\sNewsletter/smi"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9329 SPECIFIC-THREATS yarner.b smtp propagation detection www.symantec.com/security_response/writeup.jsp?docid=2002-021912-4244-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"o/lN3R5KdgmabpkbqcebrJGVMv/b3+ITcXF4dYrKKEjm3bi1PPcb8ZqKgf//hf6sWTRLdExjstH/|0D 0A|x69YBOSAkClWPEs4oEv//3+BfjW9C702c15JmOUe8W2ey1TAvxOujvc6/7/1/0UA4y/RTfLKo95+"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9330 SPECIFIC-THREATS mydoom.e smtp propagation detection www.f-secure.com/v-descs/mydoom_e.shtml trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"lo5vuBR4VSCJ1pbUTU2ox8gc4A7MEBs3U817uUY7ImH0QRZX+0j2rTCxLjEuMiWWIIQOBqYHIChO|0D 0A|szw6IGwkHhEcctMplAHMtW17PTAB6V1wlG2EO/ggyW8ZTQYiUQdbzhMuIwM4aEvQxSUDthPd7S6"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9331 SPECIFIC-THREATS mydoom.m smtp propagation detection www.f-secure.com/v-descs/mydoom_m.shtml trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"g8QMX15bw1WJ5VNWV1VqAGoAaJIQQAD/dQjoVkYAAF1fXluJ7F3D/FWJ5YPs|0A|CFNWV1WLXQyLRQijMEBHAIkdNEBHAPdABAYAAAB1colF+ItFEIlF/KM0QEcAjUX4iUP8"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9332 SPECIFIC-THREATS mimail.a smtp propagation detection www.sophos.com/virusinfo/analyses/w32mimaila.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A|"; nocase; content:"don't be late!"; distance:0; nocase; content:"gBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAA|0A|AABQRQAATAEDAEKhoz8AAAAAAAAAAOAADwELAQI3ADAAAAAQAAAAIAcA0FIHAAAwBwAA"; pcre:"/^Subject\x3A[^\r\n]*don't\sbe\slate!/smi"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9333 SPECIFIC-THREATS mimail.e smtp propagation detection www.sophos.com/virusinfo/analyses/w32mimaile.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"TeRqfPMR5vXWeeZ2NfAaLY1DVPPPFiBi5r34VPgF8sIEpG0shzV4b30euDVoQer6QFQy78snUIPq|0D 0A|EWuSIUAv+OGl1QNYkJXTV5/HzOViMIBfVAY2WQpM6/DVgZ5n8h0ILVu+fjHF1MpcoGgQjIjsDs68"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9334 SPECIFIC-THREATS lovgate.c smtp propagation detection www.f-secure.com/v-descs/lovgate.shtml trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"0UMVleLfQgz|0D 0A|0jPJM/aAPwB0KVNqAVsr34ldCIr3/+3/H4D7LnUMiAwCi1UgyQPX6wWIXAYBQUZHJ/v/bXd1|0D 0A|4VsYgGQPAI1GAV9eXcOLRCQIU0xv/3+7fCQQTYH6AAgAAH06D7YIhc"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9335 SPECIFIC-THREATS netsky.b smtp propagation detection www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.B trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"MS4yNAC20aXJDAkCCFGoGZhQ27pRMAYDAAE/AAAAfAAAJgUAOP//|0D 0A|//9Vi+yLRQxWV4t9CDPSM8kz9oA/AHQpU2oBWyvfiV0Iivf/7f8fgPsudQyIDAKLVSDJA9fr|0D 0A|BYhc"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9336 SPECIFIC-THREATS netsky.t smtp propagation detection www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.T trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"g8QMhcB1Fv////+DffwCdA5qZP8VYHBAAEaD/gJ81jPAXsnD|0D 0A|i0QkDIHsKN5+97cBKlNVVos1bB1XM+1oABAQVccA7d9s7xYA/9ZQNWiL2DvdD4RWAhL2N7f2|0D 0A|ahFqAgEV"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9337 SPECIFIC-THREATS netsky.x smtp propagation detection www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.X trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"LjI2BDAAorXCxzNJTUVPLDRQ04B9WAN1VEJ5QE1mwWlkOx4gVjm42kp3LOx0Ni1UeepAb S3soFBE|0D 0A|2eN0L/d4UADTtkc7IQkKO a/NWrhyPSJSInMFcbG2vdotVqfZNTFPGIKG5hzoQwecasmOtdZACjEX"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9338 SPECIFIC-THREATS mydoom.i smtp propagation detection www.f-secure.com/v-descs/mydoom_i.shtml trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A|"; nocase; content:"PROSAC"; distance:0; nocase; content:"DQoJV2Vs|0D 0A|Y29tZSB0byBQUk9TQUMgKG11bHRpbWVkaWEgcGFjaykNCgkt"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9342 SPECIFIC-THREATS paroc.a smtp propagation detection www.symantec.com/security_response/writeup.jsp?docid=2002-061121-1025-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A|"; nocase; content:"Bin Ladenov zivot"; distance:0; nocase; content:"filename="; nocase; content:"Bin Ladenov zivot"; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9343 SPECIFIC-THREATS kadra smtp propagation detection www.kaspersky.com/news?id=260&ipcountry=CA#kadra trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"LUiv0xc0fDsKfdy6TB2EYeFCZcNNW9Fcgwxvsi/DSNbYGn8xV1NBSNxudS4jtCC5C7sLb3Ox|0D 0A|0DUKCK6zY6tuhRdoiOEtaER0YnkD4HJsDytowG4HfAwFd6v4YW9h1I54fvsQwTeyUEUGTAEG"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9344 SPECIFIC-THREATS kindal smtp propagation detection www.symantec.com/security_response/writeup.jsp?docid=2003-073016-2910-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"xfs9Znq3mJL1CnQXg0epFP4RHBO0n6naXaPhHWdmQaxirccYvMqyYqxiVpY//VZeM7veQEB19ehg|0A|YFK0if9HLNsz9SBqjj/QOGh01hINh2u4f6VGfrwbNSTdzqkjQnZKcB1Ind/UezfRD6KGUHmZkXfy"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9345 SPECIFIC-THREATS kipis.a smtp propagation detection www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41312 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X3uiXQhvcqrqewRXAmwUkkt+UZVKSCEfAJD16IpxOluoZPgwsCe6T1GNq38tD7G1LQylWfNIZQMc|0D 0A|9sKWsKp24Yz3UxXUVnc++jxshJFqXMM2hAlWyzoRY39o9hbXxNVHGfm7emXOlh8fZP2CLWIe1AHv"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9348 SPECIFIC-THREATS morbex smtp propagation detection www.www.f-secure.com/v-descs/morbex.shtml trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"+FVQACNg1tXQABQV7hVQed3/9BWV7guaud3/9ALwHQW6IkPAADotxQAAOjqFAAA/7NPVkAAw42DZVVAAFBqAGoAuMTC53f/0I2DWVBAAGoAagBTUGoAagC4N6znd/"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9349 SPECIFIC-THREATS plemood smtp propagation detection www.2-spyware.com/remove-i-worm-plemood.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"QIi1QkEIkCuAMAAADDU1ZXi0QkEFBq/mgAEEAAZP81AAAAAGSJJQAAAACLRCQgi1gIi3AM|0A|g/7/dCA7dCQkdBqNNHaLDLOLTCQIi0gMg3yzBAB11/9Uswjr0WSPBQAAAACDxAxfXl"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9350 SPECIFIC-THREATS mimail.k smtp propagation detection www.sophos.com/virusinfo/analyses/w32mimailk.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"+3UubBZU6QPutdRcZrPEvAZmzZcNakN47VPYbNzc7Nrua2tqc5hULfvf2fjX3Ec6W|0D 0A|bgNaUl7vgcZCDx77BhbeP1Jav5WWRj/8Tjd7mGGE798zp8rczW6tVaQvEyw5Ww3WpU0MwG5nq6G5"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9352 SPECIFIC-THREATS lovgate.a smtp propagation detection www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=31576 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"i8Zew4tMJAQzwDgBdAdAgDwIAHX5w1WL7ItFDFOLXRRWVzP/M/aJRQyFwIldFHUM/3UI6Mz///9Z|0D 0A|iUUMhdt1DP91EOi8////WYlFFItFFDlFDHdqg30YAHQjhcB2Uzt1DHNTi00Qi1UIigwPOgwWdQNG"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9358 SPECIFIC-THREATS fizzer smtp propagation detection www.symantec.com/security_response/writeup.jsp?docid=2003-050821-0316-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"ogoKgD0WhnQSv/XEJq4JCv4wgevPaFDDmyXYndHSgSQEAaqXBpIrHzOgDxW/HTNqUNgsI75gYINA"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9359 SPECIFIC-THREATS zafi.b smtp propagation detection www.sophos.com/security/analyses/w32zafib.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"HgAAAAAAAAAAAAAAAAAAQAAA|0D 0A|wDEuMjIAVVBYIQwJAgkUTDlhQxNezL9kAACkGQAAIEAAACYAABn+//L/McBA|0D 0A|i0wkBPdBBAYAdA+LRCQIi1QkEIkCuAO5/3fvEMNTVlc"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9360 SPECIFIC-THREATS cult.b smtp propagation detection www.sophos.com/security/analyses/w32cultb.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A| Re[2]"; nocase; content:"Hi Greg its Wendy."; distance:0; nocase; content:"I was shocked, when I found out that it wasn't you but|0D 0A|your twin brother!!!"; distance:0; nocase; content:"name=|22|wendy.zip|22|"; distance:0; nocase; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9361 SPECIFIC-THREATS mimail.l smtp propagation detection www.sophos.com/virusinfo/analyses/w32mimaill.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"f+xt2OHdR5d|0A|oYEgACjEdRRHXvYmP9iDPXUL7TXuZkm+6wfHeTAGsEn3sfxyGYt9/GE5yHe7tcZ/Hhj4ORt835ps|0A|Mx+zk+UMO/RnXp7d+QBQQEz4gFL098fbv+3/G3"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9362 SPECIFIC-THREATS mimail.m smtp propagation detection www.sophos.com/virusinfo/analyses/w32mimailm.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"wJ0D69ErgiOVIAQiQK4|0D 0A|A8Ejw1NWV78nh1Bq/mgOzkADZP81Yi0OiSUTOjUgMFhgcAyDHv7/dNw7//Hs|0D 0A|GgONNHaLDLNkqzBID3xOBAF11/9U3/Dr0WQojwU2AIPEDF9eW8NVN4nlu2dq"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9365 SPECIFIC-THREATS cult.c smtp propagation detection www.sophos.com/security/analyses/w32cultc.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"AAAAAAAAAAx|0A|AMBAi0wkBPdB5gbhjwJ0D69ErgiOVIAQiQK4A8Ejw1NWV78nh1Bq/mgOzkADZP81Yi0OiSUTOj Ug|0A|MFhgcAyDHv7/dNw7//HsGgONNHaLDLNkqzBID3x"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9366 SPECIFIC-THREATS mimail.s smtp propagation detection www.sophos.com/virusinfo/analyses/w32mimailm.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"i9iF2w+EggAAAItrCIvFA0MMi9CNDDcr0YP6DH8Ei/gr/ovGK8WD+Ax9FI1M|0D 0A|JAGL1itTCAPXi8Xoxfv//+sRjUwkAYvXg+oEjUYE6LL7//+LbCQBhe10NIvV"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9367 SPECIFIC-THREATS anset.b smtp propagation detection www.bullguard.com/virus/default.aspx?id=51 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"0ZpkFIcReXCdLfAeEs4k5jglICV+BEij4zH+Xi5QwyfgLb+rO0XnE1xMuyBdVbgW95IPgAVLAnSC|0D 0A|g/5gJes8k0qLVgSAmSvKuNMATWIQ9+HB6gYajUIFsMBdgfogIBxSfyxQ0g6YSxpQiQ8WSQnT55rV"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9368 SPECIFIC-THREATS agist.a smtp propagation detection www.sarc.com/avcenter/venc/data/w32.agist.a@mm.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"OwT4dgXDeVgnYHMODdBsTCbwmeciQpDLT1c3bLF1CDPoOT4eiUYEQgtW6Dyq/V0eWdlNFpXqMULp|0D 0A|QSWsmyBXNyoMu5xxWfoEcA/D8fxQV4hosCndivKbkCHoTCa6MLVnCwngBJFJlBHr7ka36Cpo/Mib"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9369 SPECIFIC-THREATS atak.a smtp propagation detection www.sophos.com/security/analyses/w32ataka.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"22cYrYFsp1tV//KXbPbtRRQ4EnUCswFdIl62BQ6BxjtHcmMEwQ573GF0vGNi9B8wPXivfVoL|0D 0A|N9j04cZWzkL7aT31JBRq3/LZM/lJiQo0hUcu9GPvsGExeAQ1eAxsh/8gV4B9/iB1C7h0dRD3"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9370 SPECIFIC-THREATS bagle.b smtp propagation detection www.symantec.com/security_response/writeup.jsp?docid=2004-021713-3625-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"ndAzKAZ0SFmzPdMu6kksSBpMnHn8vHAZLueGBstFWTfqLp3bQgJcaVOxM0W4oc81kinf/QiC|0D 0A|+bYxBaedDbd49u4ktkyUTrFK2ic8FKQI9pXU8vrTcz6RnwRxwAqTRZrKIhN6nL2ivbJIRTmf"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9371 SPECIFIC-THREATS bagle.e smtp propagation detection www.symantec.com/security_response/writeup.jsp?docid=2004-022809-3232-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"JfzwQACLwP8lnPFAAIvA/yWY8UAAi8D/JZTxQACLwP8lkPFAAIvA/yWM8UAAi8D/JYjxQACLwFOD|0D 0A|xLy7CgAAAFToYf////ZEJCwBdAUPt1wkMIvDg8REW8OLwP8l+PBAAIvA/yX08EAAi8D/JfDwQACL"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9372 SPECIFIC-THREATS blebla.a smtp propagation detection www.sophos.com/security/analyses/w32bleblaa.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"S|23|L1GP]U%A!BA-RBY5.|0A|ME>|24|20PNL^|3A|79|24|U|3A|1'G`.+BZ6VD,4|5C|Q,T?!TID7%|3A|+T-SH5|23|K.7|24|^|22|G|5C|]NQ|22|=|0A|M'BUUUU@|5C|MBZ_D[^]<&L6R0/2B|3A|@8|23|!T`"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9373 SPECIFIC-THREATS clepa smtp propagation detection www.logiguard.com/spyware/i/i-worm-clepa.htm trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"i8iFyXUFM8BeW8OhUIREAIkBiQ1QhEQAM9KLwgPAjUTBBIseiRiJ|0D 0A|BkKD+mR17IsGixCJFl5bw5CJAIlABMOLwFNWi/KL2Oid////hcB1BTPAXlvDixaJUAiLVgSJUAyL"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9374 SPECIFIC-THREATS creepy.b smtp propagation detection www.emsisoft.com/en/malware/?Email-Worm.Win32.Creepy.b trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"+QAEAE1FhFEAAaABBIAD/VCMgIADcAAAABJnSlP+aThqAAKRKqKioqDQAAABA|0D 0A|Q/hAAQDQfAIgACn/KoVAQACjzQ0IAE0AocDVAACa//81cw0IAP9RJUBAADNaKVL/qebQEAAaEtAQAP+opCAgAIUMdAYaEtAQAP+oxCAgADSQGoAA/xXkICAAQJ5EiAgA"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9375 SPECIFIC-THREATS duksten.c smtp propagation detection www.symantec.com/security_response/writeup.jsp?docid=2002-122016-4223-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"AAACAAAAQAAAAAQAAAANAAoAAAAAABgAAABcAGYAaQBzAGgAbABlAHQALgBiAGkAbgAAAAAAVgAA|0D 0A|AFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwASQBuAHQAZQByAG4AZQB0ACAA"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9376 SPECIFIC-THREATS fishlet.a smtp propagation detection www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=12285 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"B0QnUGCDNE08WiwoB4MNMsggGBAnBHf27GA//CMX7CNH5A/y7CBNQdTAI5e4I0jTDHaoB5xkkCCD|0D 0A|DTaIF4QvfIMNMth0H2xkB1wMMsggVExEMthgg0B/MEco0jSDDRwPFFoIybODDQAH/CIv9CLBXjPY"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9377 SPECIFIC-THREATS mydoom.g smtp propagation detection www.symantec.com/security_response/writeup.jsp?docid=2004-030213-0918-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Zacc/sWcQrpGNGbPzJedST7hJMXZJVKNy7LLBP2V90UwX7IHSyhFxPPTlRpdlJtxYLAU3s+E|0D 0A|ekcFyTLIwRYHVjWm16JZXIxAhQROCT/c+L5SU8juIBBaGTg21xUr52qxnAfzmZdzLksQUE+0"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9378 SPECIFIC-THREATS netsky.q smtp propagation detection www.symantec.com/security_response/writeup.jsp?docid=2004-032913-5722-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"xAJ2g9vb5s6MgEwifAAA99d2k9vrFPl057JOQIiRxvTw54r4l64U/qrFiXxGSJOoS9u77/mo|0D 0A|T/01iESEpu/wemHvlfNyYs+hogBpkojHr6r1w6r5OLdqdovbvwQmcoqsu7aPznGT+6qsCYET"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9379 SPECIFIC-THREATS netsky.s smtp propagation detection www.symantec.com/security_response/writeup.jsp?docid=2004-040512-2436-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A|"; nocase; content:"Lara Wallpaper Download Software"; distance:0; nocase; content:"I found on the net a new interesting software about Lara Croft"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9381 SPECIFIC-THREATS lara smtp propagation detection www.sophos.com/security/analyses/mirclara.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"W4niV2CNlkzNbJ91T1IgkFpIUag2/cL3Sy5za4C8BhwOwEDr72oCP3sBuUkp0D0NoEh1djz3tvfr|0D 0A|PY2GLMgIGNbPfqP9LTUUqLLXdKC4DoH+8FHNt922QnUL9OtN9dKAdLrOtrM5zrElF1Bw9RA101DY"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9382 SPECIFIC-THREATS fearso.c smtp propagation detection www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=35646 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"SzXgMkNWL9sVG+tK+PAvoGAHIBs6uGCk+LimunCOdVZetTLfshMihnVwSZSOMgbeJ1nQ2VuH|0D 0A|OE0A6SCpjgS431+O+Uwr0hbFwC0Tt9gjk5n006G2DLQ93fwnPbO2fmzcaPYFYNhTijcHgc6u"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9383 SPECIFIC-THREATS netsky.y smtp propagation detection www.symantec.com/security_response/writeup.jsp?docid=2004-042011-2621-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"bszmmP1TlDRGFDA1uDG1GyF3fw7zQae3hTJk7dtK0xmjv339SvtDPLhswsFAGUQX34naqqcKxEjp|0A|yns2FwCn9oiRtoiyYFfwAsT6v/2SvioeIkj2WAb6lQoNyzLUhbQtpekiV9ZUpOW2u4Lv73FPrkud"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9384 SPECIFIC-THREATS beglur.a smtp propagation detection www.viruslibrary.com/virusinfo/I-Worm.Beglur.a.htm trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"UP8VWBIAAYPEDI1FoFBoAgEAAP91cP8VVBIAAf91cP8VUBIAAenf/v//aHQTAAFqCv81XIAAAf91|0D 0A|eOsTi0V8aHQTAAFqDP81XIAAAf9wDP8VCBIAATPAX15bg8VoycIQAFeLfCQMM8CD/wF2U1aLdCQM"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9385 SPECIFIC-THREATS collo.a smtp propagation detection www.viruslist.com/en/viruses/encyclopedia?virusid=23787 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"LkRMTAAAAEdldFByb2NBZGRyZXNzAAAATG9hZExpYnJhcnlBAAAARXhpdFByb2Nlc3MAAABW|0D 0A|aXJ0dWFsQWxsb2MAAABWaXJ0dWFsRnJlZQAAAE1lc3NhZ2VCb3hBAAAAAABqe5M2t6ajjak1"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9386 SPECIFIC-THREATS bagle.f smtp propagation detection www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=45199 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"VdBjl"; content:"VdBjlpmHLVfqaPUitmytmlPwIiJiViqPhDwHsP8fO2CDfCpkZVVqQCfFgXUtB+gfgDUcrZZOjpqX|0A|l20NIkQDEwEOAOwgy2VA5OSAJBx7JeRs391cnLJAlivkZdzcmZBvNipSWthsl41k2B3UrdTsguvQ"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9388 SPECIFIC-THREATS mimail.g smtp propagation detection www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=37467 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"H3Vi96OpogVHcLpTQXO9Nsx0cnR1FCErIXOpKbYFbDzudjBsaQIXui4IaYZfDmRymAFceHlQ|0D 0A|RUwBBGJkRWT5f0ie4AAPAQsBBQwAMlZy9r13ED8EMA1ACwIn3SzYBDMHDMA9b2BnsYMeNBAH"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9389 SPECIFIC-THREATS bagle.i smtp propagation detection www.sarc.com/avcenter/venc/data/w32.beagle.i@mm.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"A8Hjz"; content:"A8Hjz1XwgeLbymX/OMH6BAnTW4NTKTT7VvYLxgQ+PRHBjYpIBpIj7OxkWZbl8A8C7MD+SqZkBhTr|0A|VP9NDD+w5chL7D866BN1I2Vn7giaB2cqOQ1LZIaFNwpjlXTaJQ+TCqW4q6H"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9391 SPECIFIC-THREATS mimail.i smtp propagation detection www.symantec.com/security_response/writeup.jsp?docid=2003-111317-1701-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"AFM8bJHtPFvDEkEXcUExflY49kR1cEEIUkM9CVRyaW0/TddNAkkvfRRVUkxRaCWgRLFeZa2d|0D 0A|ppsmHIgcP6Qp8ve2TB1lRQtVcHAiPE23aXCUdGYrkyxJZUtwfXxuCusU7RVxrDNuboGBhT0s"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9392 SPECIFIC-THREATS bagle.j smtp propagation detection www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EJ&VSect=T trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"RcJ0RFKbuZlqeaaoQ76D0Tf6ESD+RgjrN6QDtvvsvNXbR6BlXZviaG3d1NJtmU++UEmRCixX|0D 0A|RCaDz8IzdWIidAq1dzJwwTvIJglu/0IQwX8WrLD6EheQRlQhil5PQbv9oC3Y0HgAfIERnIb5"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9393 SPECIFIC-THREATS bagle.k smtp propagation detection www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EK&VSect=T trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"UwFU9VVzpIrXAls0zlhDNOHldmMULkXDsJRNQZiPekC47DW5vF9mS3gKhBe2I0JSPouRMRBl|0D 0A|w8AJvAcDlRprEHbYgf+GOmWVzZa5XNbrM7AlDCyZfmBiCbABUFgAlCxXE2JRonBJRXLSoLAA"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9394 SPECIFIC-THREATS bagle.n smtp propagation detection www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE%5FBAGLE%2EN&VSect=T trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"1eO8sLlq7UIor1GwCmto7XsiMt9GchrcNlbVPh1GT18n0EDLTWKdYxpB5nZPeoxCHDzQuKOyEtsb|0D 0A|MCqnv2Y1wJoGWMGEslVIzj05hLSGDTLIbGy0uaslY66ENTqEiiXk5HxsL8KRnL2EpjwzDZScLR3G"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9397 SPECIFIC-THREATS neysid smtp propagation detection www.spywareremove.com/removeIWormNeysid.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"YjpDKytIT09LkOkckUAAoQ+RQADB4AKjE5FAAFJqAOglfQAAi9DoMhgAAFroyAsAAOgrGAAAagDo|0D 0A|PCQAAFlouJBAAGoA6P98AACjF5FAAGoA6ddeAADpaiQAADPAoAGRQADDoReRQADDYLsAULC8U2it"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9398 SPECIFIC-THREATS totilix.a smtp propagation detection www.viruslist.com/en/viruslist.html?id=4097 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"AExhWABYYUwAWGFMAE5ld19GYW1vdVNfR2lyTHMAQS5TLk4uAFNNVFA6VGhlX0hhbmdlZEBqYXp6|0D 0A|ZnJlZS5jb20AU01UUDpUaGVfSGFuZ2VkQGhvdG1haWwuY29tAFNleF9TcGFtXyxfRXhjdXNFX01l"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9399 SPECIFIC-THREATS hanged smtp propagation detection www.emsisoft.com/en/malware/?Worm.Win32.Hanged trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"cPf//1ChHGtAAFDokPv//6Eca0AAUOh1+///i0UIuhhnQAC5AAQAAOhn9v//M8BaWVlkiRBonzpA|0D 0A|AI1F+LoCAAAA6E31///D6b/v///r61tZWV3CBACLwFWL7DPAVWjHOkAAZP8wZIkgM8BaWVlkiRBo"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9400 SPECIFIC-THREATS abotus smtp propagation detection www.symantec.com/security_response/writeup.jsp?docid=2001-082919-3906-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"NNQX1qMoBi2hCzN5hBb/0LqoYbyhKHgQBVpTEUeLLRgDTO6MTZFsBeto+Gr/qFzvz1uPXM5c|0D 0A|j1s8XFzuo1yuz1ysXPhc81zPXDxcXPNcz1w6XOs7XDxcXPNcz1yuzl7jXu4+XTpePF1d8136"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9403 SPECIFIC-THREATS netsky.aa smtp propagation detection www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNETSKY%2EAA&VSect=T trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"cG51RlelhMtbU7QpjWKxOTvQLS+4wB20IzjrIlOWMc5XP3AcIgGMOETE8DI5fRIUfhDaJzhT|0D 0A|RPRpWWAQFKHEl02LHRYUHOqsbkd8SKZGHURgndMOfSCyIMVz/7cu1hIk3EZ8IEmLghDkO9/D"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9404 SPECIFIC-THREATS netsky.ac smtp propagation detection www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39026 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"QWxldmlydXMgTmV0U2t5LWIgQ3JhY2tlZCBBbmluaGFBTUFWQyE"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9405 SPECIFIC-THREATS netsky.af smtp propagation detection www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.AF trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"OziaMMstyp3ZvEfNLZDdGUotsJcU9AUzGyIbVCkkslc8AX44pHVQ7cFVd7zMsneJSAaBvoS3iUeo|0D 0A|hlEQ24NXuyvw8X2q88Vmjnqxjk0ouK8Fqb71DLdEZ2FbTDGrGuRodeFwiNi+pKq863l"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9406 SPECIFIC-THREATS lovgate.e smtp propagation detection www.symantec.com/security_response/writeup.jsp?docid=2003-030416-4942-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"ZT0iTVMtNTYwOTVNX1BBVENILmV4ZSINCgAAAP////8XAAAAQ29udGVudC1JRDogPFNPTUVDSUQ+DQoA/////w4AAAAtLS0tQUJDREVGLS0NCgAA/////wUAAAANCi4NCgAAAP////8GAAAAUVVJVA0KAABDOlxNUy01NjA5NU1fUEFUQ0guZXhlAAD/////EwAAAEM6XExpc3Rl"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9408 SPECIFIC-THREATS lacrow smtp propagation detection research.sunbelt-software.com/threatdisplay.aspx?name=W32.Lacrow@mm&threatid=53187 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"OsJMFEHYgBh19HlTYBliOtoPlfhIFVsjwTiRgBgMU+ZVSARWhclXidGWdED5LdJLArJcQ1DSfENl|0D 0A|cmgc0ooDhxdHUODyQ//V6tBJVtc2IBPS7SAmCAw7wXUWiRzJMEgI5UA/pM45Gl1qDJkPuJI/4V6j"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9409 SPECIFIC-THREATS atak.b smtp propagation detection www.symantec.com/security_response/writeup.jsp?docid=2004-120309-3312-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"CpDwPVgF2ygS8h34dA18deYVsUYkiCjCrsbvJAcQwjPoYwKqVdMfCFQH/RrpYmxALn3s4A8S|0D 0A|hAMBMRpXBAZoVgfiM0gukIQZD8YQg+h6M3huCoaqDMuXcF0x"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9410 SPECIFIC-THREATS netsky.z smtp propagation detection www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=38949 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"on0MCbCSCWxk8BZK8Pbft5+D4wPB489V8IHiOMH6BAnTW7+wrVyDUyk0xgQ+PTmyb2URwUKK|0A|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9411 SPECIFIC-THREATS mimail.f smtp propagation detection www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMIMAIL%2EF&VSect=T trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"cXJ1dmFiemFickBob3RtYWlsLmNvbT4NCgA8cmVkQGZuYS5zZT4N|0D 0A|CgA8ZGViYXR0QHN2dC5zZT4NCgA8c3VzYW5uZS5zam9zdGVkdEB0aWRuaW5nZW4udG8+DQoAPHNr|0D 0A|b2x2ZXJrZXRAc2tvbHZlcmtldC5zZT4NCgA8bWFyeS5tYXJ0ZW5zc29uQGFmdG9uYmxhZGV0LnNl"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9413 SPECIFIC-THREATS ganda smtp propagation detection www.sophos.com/security/analyses/w32gandaa.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"dGpuby9meWYAT1VUTE9PSy5FWEVOZXRDYXB0b3IuZXhlbWlyYzMyLmV4ZWFpbS5leGVZcGFnZXIu|0D 0A|ZXhlAHV2anNidWRpYm9kdnBkZXBqb2J6QXpiaXBwL2RwbgBOUUhfTE9WRQBsb3ZlX2xvcm5AeWFo|0D 0A|b28uY29tAE5RSF9MT1ZFTE9STgB0aHV5cXV5ZW5AeWFob28uY29tAE5RSABsb3ZlbG9ybkB5YWhv"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9414 SPECIFIC-THREATS lovelorn.a smtp propagation detection www3.ca.com/securityadvisor/pest/pest.aspx?id=35041 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"YGVjaG9yIHdwdW4zJXMGZNs+6WEKUxRsRxYMIXDnZ2d04XN1cMku+XjqlhcKcXVpdA9HZoxeLSBzOowm80FoWlbIUi0/SXKAZnZiYTogMQYuMA"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9415 SPECIFIC-THREATS plexus.a smtp propagation detection www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39272 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"CFzisjUEyJsg4LLn9YPllwezsmCH/FoLDp8ttt5rlq2cy18Y2O3lemS1iy+B35D9veT2X3ys|0D 0A|6mupMisPtw82NJQBvU4U30nV3kdI4KNtHjiz9AUOmU+oQYcw9M3v9pJHb2MNmFxxkYvyqDWc"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9416 SPECIFIC-THREATS bagle.at smtp propagation detection www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41539 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"aWNyb3NvZnQAQGF2cC4AACVzP3A9JWx1JmlkPSVzAGh0dHA6Ly93d3cuZWxyYXNzaG9wLmRl|0D 0A|LzEucGhwAGh0dHA6Ly93d3cuaXQtbXNjLmRlLzEucGhwAGh0dHA6Ly93d3cuZ2V0eW91cmZy"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9417 SPECIFIC-THREATS bagle.a smtp propagation detection www.symantec.com/security_response/writeup.jsp?docid=2004-011815-3332-99&tabid=2 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A|"; nocase; content:".l|0D 0A|"; within:200; fast_pattern; nocase; pcre:"/^Subject\x3a[^\r\n]*20\d{3,4}\x5f[123]?\d\x2El/mi"; metadata:policy security-ips alert, service smtp; classtype:successful-recon-limited; 9827 SPYWARE-PUT Keylogger paq keylog runtime detection - smtp www3.ca.com/securityadvisor/pest/pest.aspx?id=453098520 21931 attempted-user 2007-0033 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"VEVENT"; nocase; content:"DTSTART|3B|TZID"; fast_pattern:only; pcre:"/DTSTART\x3BTZID(?![=\x22])/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; 9841 SMTP Microsoft Outlook VEVENT overflow attempt www.microsoft.com/technet/security/Bulletin/MS07-003.mspx 225 Server / Mail / SMTP 22581 attempted-user 2007-0898 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; content:"Message/Partial"; fast_pattern:only; pcre:"/Content-Type\s*\x3a\s*Message\x2fPartial/smi"; pcre:"/id\s*=\s*[\x22\x27]?[^\x22\x27\n]*..[\x2f\x5c]/smi"; metadata:service smtp; classtype:attempted-user; 10186 SMTP ClamAV mime parsing directory traversal labs.idefense.com/intelligence/vulnerabilities/display.php?id=476 15067 attempted-admin 2005-1987 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"|0D 0A|DATA|0D 0A|"; pcre:"/\r\n\w{200,}\x3a.*\r\n/"; classtype:attempted-admin; 12423 SMTP Microsoft CDO long header name www.microsoft.com/technet/security/bulletin/ms05-048.mspx attempted-admin 2006-4379 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|12692; 12692 SMTP RCPT TO IPSwitch proxy overflow attempt www.ipswitch.com/support/imail/releases/im20061.asp 26175 attempted-user 2007-5910 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; content:"<MIFFile"; fast_pattern:only; content:"|23|"; isdataat:76,relative; content:!"|0A|"; within:76; classtype:attempted-user; 12704 SMTP Lotus Notes MIF viewer MIFFILE comment overflow 26175 attempted-user 2007-5910 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; content:"MIFFile"; fast_pattern:only; pcre:"/\x3D[^\s\n]{88}/si"; classtype:attempted-user; 12705 SMTP Lotus Notes MIF viewer statement overflow 26175 attempted-user 2007-5910 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; content:"MIFFile"; fast_pattern:only; pcre:"/\x3C[^\s]+\s[^\x3c\x3E]{80}/si"; classtype:attempted-user; 12706 SMTP Lotus Notes MIF viewer statement data overflow successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"thread-index|3A| Acio"; nocase; content:"Subject|3A| Email from Family Cyber Alert"; fast_pattern:only; classtype:successful-recon-limited; 13651 SPYWARE-PUT Keylogger family cyber alert runtime detection - smtp traffic for recorded activities www.ca.com/ca/en/securityadvisor/pest/pest.aspx?id=453117297 attempted-recon 1999-0531 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; metadata:service smtp; classtype:attempted-recon; 1446 SMTP vrfy root misc-attack 1999-1200 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"expn"; fast_pattern:only; content:"*@"; pcre:"/^expn\s+\*@/smi"; metadata:service smtp; classtype:misc-attack; 1450 SMTP expn *@ 7515 attempted-admin 2000-0490 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"ETRN"; nocase; isdataat:500,relative; pcre:"/^ETRN\s[^\n]{500}/smi"; metadata:service smtp; classtype:attempted-admin; 1550 SMTP ETRN overflow attempt 10438 16742 attempted-admin 2006-0559 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; content:"RCPT"; nocase; pcre:"/^RCPT\s+TO\x3a\s+[^\r\n]*\x25[npd]/smi"; classtype:attempted-admin; 17224 SMTP McAfee WebShield SMTP bounce message format string attempt 16396 attempted-user 2005-4411 tcp $EXTERNAL_NET any -> $HOME_NET 105 flow:to_server,established,no_stream; isdataat:527; classtype:attempted-user; 17283 SMTP Mercury Mail Transport System Buffer Overflow attempt 6991 attempted-admin 2002-1337 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"From|3A|"; nocase; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"|28|"; distance:1; content:"|29|"; distance:1; metadata:service smtp; classtype:attempted-admin; 2087 SMTP From comment overflow attempt www.kb.cert.org/vuls/id/398025 suspicious-login tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; detection_filter:track by_dst, count 5, seconds 60; metadata:service smtp; classtype:suspicious-login; 2275 SMTP AUTH LOGON brute force attempt 9758 attempted-user 2004-0333 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; pcre:"/(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi"; metadata:service smtp; classtype:attempted-user; 2487 SMTP WinZip MIME content-type buffer overflow 12621 9758 attempted-user 2004-0333 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; content:"Content-Disposition|3A|"; nocase; pcre:"/name=\s*[^\r\n\x3b\s\x2c]{300}/smi"; metadata:service smtp; classtype:attempted-user; 2488 SMTP WinZip MIME content-disposition buffer overflow 12621 10115 attempted-dos 2004-0120 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; metadata:service smtp; classtype:attempted-dos; 2504 SMTP SSLv3 invalid data version attempt 12204 www.microsoft.com/technet/security/bulletin/MS04-011.mspx 10116 attempted-admin 2003-0719 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; flowbits:isset,starttls.attempt; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; metadata:service smtp; classtype:attempted-admin; 2528 SMTP PCT Client_Hello overflow attempt 12205 www.microsoft.com/technet/security/bulletin/MS04-011.mspx 10115 attempted-dos 2004-0120 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; flowbits:isset,starttls.attempt; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; metadata:service smtp; classtype:attempted-dos; 2541 SMTP TLS SSLv3 invalid data version attempt 12204 www.microsoft.com/technet/security/bulletin/MS04-011.mspx attempted-dos 2004-0120 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; metadata:service smtp; classtype:attempted-dos; 2544 SMTP SSLv3 invalid Client_Hello attempt 12204 www.microsoft.com/technet/security/bulletin/MS04-011.mspx 10116 attempted-admin 2003-0719 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; metadata:service smtp; classtype:attempted-admin; 3511 SMTP PCT Client_Hello overflow attempt www.microsoft.com/technet/security/bulletin/MS04-011.mspx 11238 attempted-user 2004-1546 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:established,to_server; content:"SAML"; nocase; isdataat:246,relative; pcre:"/^\s*SAML\s+[^\n]{246}/smi"; metadata:service smtp; classtype:attempted-user; 3653 SMTP SAML overflow attempt 11238 attempted-user 2004-1546 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:established,to_server; content:"SOML"; nocase; isdataat:246,relative; pcre:"/^\s*SOML\s+[^\n]{246}/smi"; metadata:service smtp; classtype:attempted-user; 3654 SMTP SOML overflow attempt 11238 attempted-user 2004-1546 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:established,to_server; content:"SEND"; nocase; isdataat:246,relative; pcre:"/^\s*SEND\s+[^\n]{246}/smi"; metadata:service smtp; classtype:attempted-user; 3655 SMTP SEND overflow attempt 11238 attempted-user 2004-1546 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:established,to_server; content:"MAIL"; nocase; isdataat:246,relative; pcre:"/^\s*MAIL\s+[^\n]{246}/smi"; metadata:service smtp; classtype:attempted-user; 3656 SMTP MDaemon 6.5.1 and prior versions MAIL overflow attempt 2524 attempted-admin 2001-0154 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"audio/"; fast_pattern:only; pcre:"/Content-Type\x3A\s+audio\/(x-wav|mpeg|x-midi).*filename=[\x22\x27]?.{1,221}\.(vbs|exe|scr|pif|bat)/smi"; metadata:service smtp; classtype:attempted-admin; 3682 SMTP spoofed MIME-Type auto-execution attempt www.microsoft.com/technet/security/bulletin/MS01-020.mspx 13772 attempted-admin 2007-4440 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"AUTH"; nocase; isdataat:128,relative; pcre:"/^AUTH\s+\S+\s+[^\n]{128}/mi"; metadata:service smtp; classtype:attempted-admin; 3824 SMTP AUTH user overflow attempt 17192 bad-unknown 2006-0058 tcp $HOME_NET 25 -> $EXTERNAL_NET any flow:to_client,established; content:"552"; content:"Headers"; fast_pattern:only; pcre:"/^552[A-Z0-9\s\x5F\x2D\x2E\x28\x29\x22\x27]+Headers\s+too\s+large/smi"; metadata:service smtp; classtype:bad-unknown; 5739 SMTP headers too long server response protocol-command-decode 1999-0531 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; fast_pattern:only; metadata:service smtp; classtype:protocol-command-decode; 631 SMTP ehlo cybercop attempt protocol-command-decode 1999-0531 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"expn cybercop"; fast_pattern:only; metadata:service smtp; classtype:protocol-command-decode; 632 SMTP expn cybercop attempt 17459 misc-activity 2006-2386 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; content:"|9C CB CB 8D 13|u|D2 11 91|X|00 C0|OyV|A4|"; metadata:service smtp; classtype:misc-activity; 6412 SMTP Windows Address Book attachment detected www.microsoft.com/technet/security/bulletin/ms06-076.mspx 17459 misc-activity 2006-2386 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; content:"Content-Transfer-Encoding"; nocase; content:"base64"; distance:0; nocase; content:"nMvLjRN10hGRWADAT3lWpA"; distance:0; pcre:"/^Content-Transfer-Encoding\s*\x3A\s*base64/smi"; metadata:service smtp; classtype:misc-activity; 6413 SMTP Base64 encoded Windows Address Book attachment detected www.microsoft.com/technet/security/bulletin/ms06-076.mspx 2387 attempted-admin 1999-0261 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"HELP"; nocase; isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ism"; metadata:service smtp; classtype:attempted-admin; 657 SMTP chameleon overflow attempted-recon 1999-0096 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"expn"; nocase; content:"decode"; fast_pattern:only; pcre:"/^expn\s+decode/smi"; metadata:service smtp; classtype:attempted-recon; 659 SMTP expn decode 10248 attempted-recon 1999-0531 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"expn"; nocase; content:"root"; fast_pattern:only; pcre:"/^expn\s+root/smi"; metadata:service smtp; classtype:attempted-recon; 660 SMTP expn root 10249 2310 attempted-admin 1999-0207 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"eply-to|3A| a~.`/bin/"; fast_pattern:only; metadata:service smtp; classtype:attempted-admin; 661 SMTP majordomo ifs 1 attempted-admin 1999-0095 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"rcpt to|3A|"; fast_pattern:only; pcre:"/^rcpt\s+to\:\s*[|\x3b]/smi"; metadata:service smtp; classtype:attempted-admin; 663 SMTP rcpt to command attempt 2308 attempted-admin 1999-0203 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"rcpt to|3A|"; nocase; content:"decode"; distance:0; nocase; pcre:"/^rcpt to\:\s*decode/smi"; metadata:service smtp; classtype:attempted-admin; 664 SMTP RCPT TO decode attempt attempted-recon 1999-0096 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; metadata:service smtp; classtype:attempted-recon; 672 SMTP vrfy decode 22083 attempted-admin 2007-5135 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 00 02|"; depth:3; offset:2; byte_test:2, >, 256, 0, relative; metadata:service smtp; classtype:attempted-admin; 8432 SMTP SSLv2 openssl get shared ciphers overflow attempt www.openssl.org/news/secadv_20060928.txt 22083 attempted-admin 2007-5135 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 00 02|"; depth:3; offset:2; byte_test:2, >, 256, 0, relative; metadata:service smtp; classtype:attempted-admin; 8433 SMTP SSLv2 openssl get shared ciphers overflow attempt www.openssl.org/news/secadv_20060928.txt 25831 attempted-admin 2007-5135 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; within:1; distance:2; content:"|03 00|"; within:2; distance:3; content:"|00|"; within:1; distance:32; byte_test:2, >, 256, 0, relative; metadata:service smtp; classtype:attempted-admin; 8434 SMTP SSLv3 openssl get shared ciphers overflow attempt www.openssl.org/news/secadv_20060928.txt 25831 attempted-admin 2007-5135 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; within:1; distance:2; content:"|03 00|"; within:2; distance:3; content:"|00|"; within:1; distance:32; byte_test:2, >, 256, 0, relative; metadata:service smtp; classtype:attempted-admin; 8435 SMTP SSLv3 openssl get shared ciphers overflow attempt www.openssl.org/news/secadv_20060928.txt 22083 attempted-admin 2007-5135 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|"; depth:2; offset:2; byte_test:2, >, 256, 1, relative; metadata:service smtp; classtype:attempted-admin; 8436 SMTP SSLv2 openssl get shared ciphers overflow attempt www.openssl.org/news/secadv_20060928.txt 11256 attempted-admin 2004-1558 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:established,to_server; flowbits:isset,ypops.banner; flowbits:unset,ypops.banner; pcre:"/[^\x0d\x00\x0a]{509}/"; metadata:service smtp; classtype:attempted-admin; 8705 SMTP YPOPS buffer overflow attempt 230 Server / Database attempted-admin 2008-0107 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-admin; flowbits:isset,backup_file.request; metadata: engine shared, soid 3|13888, policy balanced-ips drop, policy security-ips drop; 13888 SQL Microsoft SQL Server Backup Database File integer overflow attempt www.microsoft.com/technet/security/bulletin/MS08-040.mspx attempted-admin 2008-0107 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-admin; flowbits:isset,backup_file.request; metadata: engine shared, soid 3|13889, policy balanced-ips drop, policy security-ips drop; 13889 SQL Microsoft SQL Server Backup Database File integer overflow attempt www.microsoft.com/technet/security/bulletin/MS08-040.mspx attempted-admin 2008-0107 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-admin; flowbits:isset,backup_file.request; metadata: engine shared, soid 3|13890, policy balanced-ips drop, policy security-ips drop; 13890 SQL Microsoft SQL Server Backup Database File integer overflow attempt www.microsoft.com/technet/security/bulletin/MS08-040.mspx 31129 attempted-user 2008-4110 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FC13BAA2-9C1A-4069-A221-31A147636038"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q16>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FC13BAA2-9C1A-4069-A221-31A147636038\s*}?\s*(?P=q16)(\s|>).*(?P=id1)\s*\.\s*(Connect)|<object\s*[^>]*\s*classid\s*=\s*(?P<q17>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FC13BAA2-9C1A-4069-A221-31A147636038\s*}?\s*(?P=q17)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\.(Connect))/Osi"; metadata:policy balanced-ips drop, policy security-ips alert, service http; classtype:attempted-user; 14756 WEB-ACTIVEX Microsoft SQL Server 2000 Client Components ActiveX clsid access 31129 attempted-user 2008-4110 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|C|00|1|00|3|00|B|00|A|00|A|00|2|00|-|00|9|00|C|00|1|00|A|00|-|00|4|00|0|00|6|00|9|00|-|00|A|00|2|00|2|00|1|00|-|00|3|00|1|00|A|00|1|00|4|00|7|00|6|00|3|00|6|00|0|00|3|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q18>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x00C\x001\x003\x00B\x00A\x00A\x002\x00-\x009\x00C\x001\x00A\x00-\x004\x000\x006\x009\x00-\x00A\x002\x002\x001\x00-\x003\x001\x00A\x001\x004\x007\x006\x003\x006\x000\x003\x008\x00(}\x00)?(?P=q18)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14757 WEB-ACTIVEX Microsoft SQL Server 2000 Client Components ActiveX clsid unicode access 31129 attempted-user 2008-4110 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"SQLVDir.SQLVDirControl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22SQLVDir\.SQLVDirControl\x22|\x27SQLVDir\.SQLVDirControl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Connect\s*|.*(?P=v)\s*\.\s*Connect\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SQLVDir\.SQLVDirControl\x22|\x27SQLVDir\.SQLVDirControl\x27)\s*\)(\s*\.\s*Connect\s*|.*(?P=n)\s*\.\s*Connect\s*)\s*\(/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14758 WEB-ACTIVEX Microsoft SQL Server 2000 Client Components ActiveX function call access 31129 attempted-user 2008-4110 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"S|00|Q|00|L|00|V|00|D|00|i|00|r|00|.|00|S|00|Q|00|L|00|V|00|D|00|i|00|r|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q19>\x22|\x27|)S\x00Q\x00L\x00V\x00D\x00i\x00r\x00.\x00S\x00Q\x00L\x00V\x00D\x00i\x00r\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q19)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q20>\x22|\x27|)S\x00Q\x00L\x00V\x00D\x00i\x00r\x00.\x00S\x00Q\x00L\x00V\x00D\x00i\x00r\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q20)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14759 WEB-ACTIVEX Microsoft SQL Server 2000 Client Components ActiveX function call unicode access attempted-admin 2008-0086 tcp $EXTERNAL_NET any -> $HOME_NET 1433 flow:established,to_server; content:"S|00|E|00|L|00|E|00|C|00|T|00| |00|C|00|O|00|N|00|V|00|E|00|R|00|T|00 28 00|v|00|a|00|r|00|c|00|h|00|a|00|r|00|,|00|c|00|r|00|e|00|a|00|t|00|e|00|d|00|a|00|t|00|e|00|,|00|1|00|2|00|3|00|4|00|5|00|6|00|7|00|8|00|9|00|0|00 29 00| |00|F|00|R|00|O|00|M|00| |00|s|00|y|00|s|00|u|00|s|00|e|00|r|00|s"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 16073 SPECIFIC-THREATS MS-SQL convert function unicode overflow www.microsoft.com/technet/security/bulletin/MS08-040.mspx policy-violation 2008-0106 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:to_server,established; content:"ansi_padding"; pcre:"/set\s+ansi_padding\s+off/smi"; metadata:policy security-ips drop; classtype:policy-violation; 16074 MS-SQL Suspicious SQL ansi_padding option msdn.microsoft.com/en-us/library/ms187403.aspx 25594 attempted-user 2007-4814 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<object classid='clsid|3A|10020200-E260-11CF-AE68-00AA004A34D5' id='SQLServer' />"; nocase; content:"progid=|22|SQLDMO.SQLServer|22|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16208 WEB-CLIENT Microsoft SQL Server Distributed Management Objects overflow attempt 231 Server / Database / Microsoft 5411 attempted-admin 2002-1123 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433:1500 flow:to_server,established; isdataat:514; content:"|12 01|"; depth:2; content:!"|00|"; within:512; distance:35; classtype:attempted-admin; 11264 SQL Microsoft SQL Server 2000 Server hello buffer overflow attempt www.microsoft.com/technet/security/Bulletin/MS02-056.mspx 14453 attempted-admin 2005-1272 tcp $EXTERNAL_NET any -> $HOME_NET 6070 flow:to_server,established; isdataat:1000; content:"ABCDAAAA"; classtype:attempted-admin; 11683 SPECIFIC-THREATS CA BrightStor Agent for Microsoft SQL overflow attempt 25594 attempted-user 2007-4814 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"10020200-E260-11CF-AE68-00AA004A34D5"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q9>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*10020200-E260-11CF-AE68-00AA004A34D5\s*}?\s*(?P=q9)(\s|>).*(?P=id1)\s*\.\s*(Start)|<object\s*[^>]*\s*classid\s*=\s*(?P<q10>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*10020200-E260-11CF-AE68-00AA004A34D5\s*}?\s*(?P=q10)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\.(Start))\s*\(/si"; classtype:attempted-user; 12444 WEB-ACTIVEX Microsoft SQL Server Distributed Management Objects ActiveX clsid access 25594 attempted-user 2007-4814 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|0|00|0|00|2|00|0|00|2|00|0|00|0|00|-|00|E|00|2|00|6|00|0|00|-|00|1|00|1|00|C|00|F|00|-|00|A|00|E|00|6|00|8|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|A|00|3|00|4|00|D|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q11>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q11)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12445 WEB-ACTIVEX Microsoft SQL Server Distributed Management Objects ActiveX clsid unicode access 25594 attempted-user 2007-4814 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"SQLDMO.SQLServer"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22SQLDMO\.SQLServer\x22|\x27SQLDMO\.SQLServer\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Start\s*|.*(?P=v)\s*\.\s*Start\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SQLDMO\.SQLServer\x22|\x27SQLDMO\.SQLServer\x27)\s*\)(\s*\.\s*Start\s*|.*(?P=n)\s*\.\s*Start\s*)\s*\(/smi"; classtype:attempted-user; 12446 WEB-ACTIVEX Microsoft SQL Server Distributed Management Objects ActiveX function call access 25594 attempted-user 2007-4814 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"S|00|Q|00|L|00|D|00|M|00|O|00|.|00|S|00|Q|00|L|00|S|00|e|00|r|00|v|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q12>\x22|\x27|)S\x00Q\x00L\x00D\x00M\x00O\x00.\x00S\x00Q\x00L\x00S\x00e\x00r\x00v\x00e\x00r\x00(?P=q12)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q13>\x22|\x27|)S\x00Q\x00L\x00D\x00M\x00O\x00.\x00S\x00Q\x00L\x00S\x00e\x00r\x00v\x00e\x00r\x00(?P=q13)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12447 WEB-ACTIVEX Microsoft SQL Server Distributed Management Objects ActiveX function call unicode access misc-activity 2008-0085 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"TAPE"; content:"|00 12|"; within:2; distance:82; classtype:misc-activity; 13896 SQL Microsoft SQL server MTF file download www.microsoft.com/technet/security/bulletin/ms08-040.mspx policy-violation 2008-0106 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:to_server, established; content:"i|00|n|00|s|00|e|00|r|00|t|00 20 00|i|00|n|00|t|00|o|00 20 00|m|00|y|00|t|00|a|00|b|00|l|00|e|00 20 00|v|00|a|00|l|00|u|00|e|00|s|00 20 00 28 00|n|00|u|00|l|00|l|00 29|"; classtype:policy-violation; 17307 SPECIFIC-THREATS MS SQL Server INSERT Statement Buffer Overflow attempt 232 Server / Database / Oracle 27140 attempted-admin 2008-0226 tcp $EXTERNAL_NET any -> $HOME_NET 3306 flow:to_server,established; content:"|01|"; content:"|03 01|"; within:2; distance:3; byte_jump:1,32,relative; byte_test:2,>,64,0,relative; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 13593 SQL MySQL yaSSL SSL Hello Message Buffer Overflow attempt bugs.mysql.com/bug.php?id=33814 protocol-command-decode tcp $HOME_NET 3306 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,sslv2.client_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; 13709 MYSQL yaSSL SSLv2 Server_Hello request protocol-command-decode tcp $HOME_NET 3306 -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,tlsv1.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; 13710 MYSQL yaSSL TLSv1 Server_Hello request 27140 attempted-user 2008-0226 tcp $EXTERNAL_NET any -> $HOME_NET 3306 flow:established,to_server; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01|"; depth:1; offset:6; byte_test:2,>,64,9; flowbits:set,sslv2.client_hello.request; flowbits:noalert; metadata:policy security-ips drop, service mysql; classtype:attempted-user; 13711 MYSQL yaSSL SSLv2 Client Hello Message Cipher Length Buffer Overflow attempt bugs.mysql.com/bug.php?id=33814 27140 attempted-user 2008-0226 tcp $EXTERNAL_NET any -> $HOME_NET 3306 flow:established,to_server; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01|"; depth:1; offset:6; byte_test:2,>,32,11; flowbits:set,sslv2.client_hello.request; flowbits:noalert; metadata:policy security-ips drop, service mysql; classtype:attempted-user; 13712 MYSQL yaSSL SSLv2 Client Hello Message Session ID Buffer Overflow attempt bugs.mysql.com/bug.php?id=33814 27140 attempted-user 2008-0226 tcp $EXTERNAL_NET any -> $HOME_NET 3306 flow:established,to_server; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01|"; depth:1; offset:6; byte_test:2,>,32,13; flowbits:set,sslv2.client_hello.request; flowbits:noalert; metadata:policy security-ips drop, service mysql; classtype:attempted-user; 13713 MYSQL yaSSL SSLv2 Client Hello Message Challenge Buffer Overflow attempt bugs.mysql.com/bug.php?id=33814 27140 attempted-user 2008-0226 tcp $EXTERNAL_NET any -> $HOME_NET 3306 flow:established,to_server; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 01|"; content:"|01|"; within:1; distance:2; content:"|03 01|"; within:2; distance:3; byte_jump:1,32,relative; byte_test:2,>,64,0,relative; metadata:policy security-ips drop, service mysql; classtype:attempted-user; 13714 MYSQL yaSSL SSLv3 Client Hello Message Cipher Specs Buffer Overflow attempt bugs.mysql.com/bug.php?id=33814 33972 attempted-dos 2009-0819 tcp $EXTERNAL_NET any -> $HOME_NET 3306 flow:to_server,established; content:"|03|"; depth:1; offset:4; content:"SELECT"; distance:0; nocase; content:"ExtractValue"; distance:1; nocase; pcre:"/^.{4}\x03\s*SELECT\s+ExtractValue\s*\x28.*?\x2c\s*((\x22|\x27)?[0-9].*?|(?P<q1>(\x22|\x27)?)\x28.*?\x29(?P=q1)|.*?\x24\x40.*?|\x22.*?\x27.*?|\x27.*?\x22.*?)\s*\x29/siO"; metadata:policy balanced-ips drop, policy security-ips drop, service mysql; classtype:attempted-dos; 15442 MYSQL XML Functions ExtractValue Scalar XPath denial of service attempt secunia.com/advisories/34115 33972 attempted-dos 2009-0819 tcp $EXTERNAL_NET any -> $HOME_NET 3306 flow:to_server,established; content:"|03|"; depth:1; offset:4; content:"SELECT"; distance:0; nocase; content:"UpdateXML"; distance:1; nocase; pcre:"/^.{4}\x03\s*SELECT\s+UpdateXML\s*\x28.*?\x2c\s*((\x22|\x27)?[0-9].*?|(?P<q1>(\x22|\x27)?)\x28.*?\x29(?P=q1)|.*?\x24\x40.*?|\x22.*?\x27.*?|\x27.*?\x22.*?)\s*\x2c.*?\x29/siO"; metadata:policy balanced-ips drop, policy security-ips drop, service mysql; classtype:attempted-dos; 15443 MYSQL XML Functions UpdateXML Scalar XPath denial of service attempt secunia.com/advisories/34115 12781 attempted-user 2005-0709 tcp $EXTERNAL_NET any -> $HOME_NET 3306 flow:to_server,established; content:"|03|create function"; depth:16; offset:4; content:"libc.so"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 15952 MYSQL create function libc arbitrary code execution attempt 17780 misc-activity 2006-1516 tcp $EXTERNAL_NET any -> $HOME_NET 3306 flow:to_server,established; content:"|01 0D A6 03 00 00 00 00 01 08|"; metadata:policy security-ips drop; classtype:misc-activity; 16020 SPECIFIC-THREATS MySQL login handshake information disclosure attempt attempted-dos 2009-4019 tcp $EXTERNAL_NET any -> $HOME_NET 3306 flow:to_server,established; content:"'|00 00 00 03|select * from `v1` procedure analyse|28 29|"; depth:43; metadata:policy balanced-ips drop, policy security-ips drop, service mysql; classtype:attempted-dos; 16348 SPECIFIC-THREATS Sun MySQL database PROCEDURE ANALYSE denial of service attempt - 1 dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html attempted-dos 2009-4019 tcp $EXTERNAL_NET any -> $HOME_NET 3306 flow:to_server,established; content:",|00 00 00 03|select * from `theview` procedure analyse|28 29|"; depth:48; metadata:policy balanced-ips drop, policy security-ips drop, service mysql; classtype:attempted-dos; 16349 SPECIFIC-THREATS Sun MySQL database Procedure Analyse denial of service attempt - 2 dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html 37640 attempted-user 2009-4484 tcp $EXTERNAL_NET any -> $HOME_NET 3306 flow:to_server,established; content:"|16 03 01|"; depth:3; content:"|0B|"; within:1; distance:2; content:"*|86 00 84 00 00 04|>"; within:8; distance:56; metadata:policy balanced-ips drop, policy security-ips drop, service mysql; classtype:attempted-user; 16385 MYSQL yaSSL library cert parsing stack overflow attempt 12781 attempted-user 2005-0710 tcp $EXTERNAL_NET any -> $HOME_NET 3306 flow:to_server,established; content:"|03|"; depth:5; content:"mysql.func"; distance:0; nocase; pcre:"/(INSERT|UPDATE)\s*[\s\w]*((mysql\.)?func)[^\r\n]+values\s*\([^\)]+\x2c[\x22\x27][^\x22\x27]*\x2f/i"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 17412 MYSQL CREATE FUNCTION mysql.func Arbitrary Library Injection attempt 10655 attempted-user 2004-0627 tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any flow:from_server,established; content:"|00|"; depth:1; offset:3; flowbits:set,mysql.server_greeting; flowbits:noalert; classtype:attempted-user; 3665 MYSQL server greeting 12639 www.nextgenss.com/advisories/mysql-authbypass.txt 233 Server / Database / MySQL 17780 attempted-admin 2006-1517 tcp $EXTERNAL_NET any -> $HOME_NET 3306 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|11619; 11619 MISC MySQL COM_TABLE_DUMP Function Stack Overflow attempt www.wisec.it/vulns.php?page=8 2198 web-application-activity 2001-1044 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/class/mysql.class"; http_uri; metadata:service http; classtype:web-application-activity; 1527 WEB-MISC basilix mysql.class access 10601 13368 attempted-user 2005-0684 tcp $EXTERNAL_NET any -> $HOME_NET 9999 flow:to_server,established; content:"GET /%AAAAAAAA"; depth:14; metadata:service http; classtype:attempted-user; 15951 SPECIFIC-THREATS MySQL MaxDB Webtool GET command overflow attempt protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; fast_pattern:only; metadata:service mysql; classtype:protocol-command-decode; 1775 MYSQL root login attempt protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 flow:to_server,established; content:"|0F 00 00 00 03|show databases"; fast_pattern:only; metadata:service mysql; classtype:protocol-command-decode; 1776 MYSQL show databases attempt protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 flow:to_server,established; content:"|01|"; depth:1; offset:3; content:"root|00|"; within:5; distance:5; nocase; metadata:service mysql; classtype:protocol-command-decode; 3456 MYSQL 4.0 root login attempt 12265 web-application-attack 2005-0111 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"websql?logon"; nocase; content:"wqPassword="; distance:0; nocase; pcre:"/wqPassword=[^\r\n\x26]{294}/i"; metadata:service http; classtype:web-application-attack; 3518 WEB-MISC MySQL MaxDB WebSQL wppassword buffer overflow www.osvdb.org/displayvuln.php?osvdb_id=12919 12265 web-application-attack 2005-0111 tcp $EXTERNAL_NET any -> $HTTP_SERVERS 9999 flow:to_server,established; content:"websql?logon"; nocase; content:"wqPassword="; distance:0; nocase; pcre:"/wqPassword=[^\r\n\x26]{294}/i"; metadata:service http; classtype:web-application-attack; 3519 WEB-MISC MySQL MaxDB WebSQL wppassword buffer overflow default port www.osvdb.org/displayvuln.php?osvdb_id=12919 12781 misc-activity 2005-0709 tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 flow:to_server,established; content:"|03|create"; offset:4; nocase; pcre:"/\x03create\s+(aggregate\s+)*function/smi"; metadata:service mysql; classtype:misc-activity; 3528 MYSQL create function access attempt 10655 attempted-user 2004-0627 tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any flow:from_server,established; byte_test:1,>,0,3; flowbits:isset,mysql.server_greeting; flowbits:unset,mysql.server_greeting; flowbits:noalert; classtype:attempted-user; 3666 MYSQL server greeting finished 12639 www.nextgenss.com/advisories/mysql-authbypass.txt 10655 misc-attack 2004-0627 tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,&,0x80,4; byte_test:1,&,0x02,4; content:"|00 14 00|"; offset:36; metadata:service mysql; classtype:misc-attack; 3667 MYSQL protocol 41 client authentication bypass attempt 12639 www.nextgenss.com/advisories/mysql-authbypass.txt 10655 misc-attack 2004-0627 tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,&,0x80,4; byte_test:1,!&,0x02,4; content:"|00 14 00|"; offset:9; metadata:service mysql; classtype:misc-attack; 3668 MYSQL client authentication bypass attempt 12639 www.nextgenss.com/advisories/mysql-authbypass.txt 10655 misc-attack 2004-0627 tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,&,0x80,4; byte_test:1,&,0x02,4; content:"|00 14|"; offset:36; isdataat:74,relative; content:!"|00|"; within:74; metadata:service mysql; classtype:misc-attack; 3669 MYSQL protocol 41 secure client overflow attempt 12639 www.nextgenss.com/advisories/mysql-authbypass.txt 10655 misc-attack 2004-0627 tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,&,0x80,4; byte_test:1,!&,0x02,4; content:"|00 14|"; offset:9; isdataat:74,relative; content:!"|00|"; within:74; metadata:service mysql; classtype:misc-attack; 3670 MYSQL secure client overflow attempt 12639 www.nextgenss.com/advisories/mysql-authbypass.txt 10655 misc-attack 2004-0627 tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,!&,0x80,4; byte_test:1,&,0x02,4; content:"|00|"; offset:36; isdataat:74,relative; content:!"|00|"; within:74; metadata:service mysql; classtype:misc-attack; 3671 MYSQL protocol 41 client overflow attempt 12639 www.nextgenss.com/advisories/mysql-authbypass.txt 10655 misc-attack 2004-0627 tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,!&,0x80,4; byte_test:1,!&,0x02,4; content:"|00|"; offset:9; isdataat:74,relative; content:!"|00|"; within:74; metadata:service mysql; classtype:misc-attack; 3672 MYSQL client overflow attempt 12639 www.nextgenss.com/advisories/mysql-authbypass.txt 14509 misc-activity 2005-2558 tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 flow:to_server,established; content:"|03|create"; offset:4; nocase; pcre:"/\x03create\s+(aggregate\s+)*function\s+\S{50}/smi"; metadata:service mysql; classtype:misc-activity; 4649 MYSQL create function buffer overflow attempt 1557 web-application-attack 2000-0707 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"pccsmysqladm/incs/dbconnect.inc"; depth:36; nocase; metadata:service http; classtype:web-application-attack; 509 WEB-MISC PCCS mysql database admin tool access 10783 19032 attempted-dos 2006-3469 tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 flow:to_server,established; content:"DATE_FORMAT"; pcre:"/DATE_FORMAT\x28\s*(\x22[^\x22]+\x25[^\x22]*\x22|\x27[^\x27]+\x25[^\x27]*\x27)/smi"; metadata:service mysql; classtype:attempted-dos; 8057 MYSQL Date_Format denial of service attempt dev.mysql.com/doc/refman/5.0/en/news-5-0-21.html 34461 attempted-admin 2009-0977 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"SYS.DBMS_AQADM_SYS.GRANT_TYPE_ACCESS"; nocase; pcre:"/SYS\x2eDBMS\x5fAQADM\x5fSYS\x2eGRANT\x5fTYPE\x5fACCESS\s*\x28\s*\x27[^\x2c\x20\x27]*[\x2c\x20]/is"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 11204 ORACLE Oracle Database DBMS_AQADM_SYS package GRANT_TYPE_ACCESS procedure SQL injection attempt www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html 24585 attempted-admin 2007-3338 tcp $EXTERNAL_NET any -> $HOME_NET 21064 flow:to_server,established; content:"uuid_from_char"; fast_pattern:only; pcre:"/uuid_from_char\s*\(\s*(\x22|\x27)[^\1]{37}/smi"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 12027 SQL Ingres Database uuid_from_char buffer overflow attempt www.ngssoftware.com/advisories/high-risk-vulnerability-in-ingres-stack-overflow 27206 attempted-admin 2008-0244 tcp $EXTERNAL_NET any -> $SQL_SERVERS 7210 flow:established,to_server; content:"exec_sdbinfo"; fast_pattern:only; pcre:"/exec_sdbinfo\s+[\x26\x3b\x7c\x3e\x3c]/i"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 13356 SQL SAP MaxDB shell command injection attempt 26098 attempted-admin 2007-5511 tcp $EXTERNAL_NET any -> $HOME_NET 1521 flow:to_server,established; content:"SYS.LT.FINDRICSET"; nocase; content:"''|7C 7C|"; distance:0; pcre:"/SYS.LT.FINDRICSET\([^,\)]*\'\'\|\|/si"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 13366 ORACLE Oracle database SYS.LT.FINDRICSET SQL injection attempt www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"exec"; fast_pattern; nocase; http_uri; pcre:"/exec\s+master/Ui"; metadata:policy security-ips drop, service http; classtype:web-application-attack; 13512 SQL generic sql exec injection attempt - GET parameter www.securiteam.com/securityreviews/5DP0N1P76E.html web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"insert"; fast_pattern; nocase; http_uri; pcre:"/insert\s+into\s+[^\/\\]+/Ui"; metadata:policy security-ips drop, service http; classtype:web-application-attack; 13513 SQL generic sql insert injection atttempt - GET parameter www.securiteam.com/securityreviews/5DP0N1P76E.html 27229 attempted-admin 2008-0339 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"XDB.XDB_PITRIG_PKG.PITRIG_"; nocase; pcre:"/XDB\x2EXDB_PITRIG_PKG\x2EPITRIG_(DROP|TRUNCATE)\s*\x28[^\x29]*\x27[^\x27]*\x22/smi"; metadata:policy security-ips drop; classtype:attempted-admin; 13551 ORACLE Oracle XDB.XDB_PITRIG_PKG sql injection attempt www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2008.html web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"CAST|28|"; nocase; isdataat:250,relative; content:!"|29|"; within:250; metadata:policy security-ips drop, service http; classtype:web-application-attack; 13791 SQL oversized cast statement - possible sql injection obfuscation isc.sans.org/diary.html?storyid=3823 web-application-attack 2008-2991 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"Help_Errors.asp"; nocase; http_uri; pcre:"/\x26r0\x3d\d*[^\x26\s\d]/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:web-application-attack; 13928 SPECIFIC-THREATS Adobe RoboHelp r0 SQL injection attempt web-application-attack 2008-2991 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"Top_Unanswered_Customer_Questions.asp"; nocase; http_uri; pcre:"/\x26r\d\x3d[^\x26\s]*\x27/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:web-application-attack; 13929 WEB-MISC Adobe RoboHelp rx SQL injection attempt web-application-attack tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"CONVERT|28|"; nocase; isdataat:250,relative; content:!"|29|"; within:250; metadata:policy security-ips drop, service http; classtype:web-application-attack; 13987 SQL oversized convert statement - possible sql injection obfuscation isc.sans.org/diary.html?storyid=3823 web-application-attack tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"ASCII|28|"; nocase; content:"ASCII|28|"; distance:0; nocase; content:"ASCII|28|"; distance:0; nocase; content:"ASCII|28|"; distance:0; nocase; content:"ASCII|28|"; distance:0; nocase; metadata:policy security-ips drop, service http; classtype:web-application-attack; 13988 SQL large number of calls to ascii function - possible sql injection obfuscation isc.sans.org/diary.html?storyid=3823 misc-attack tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"union"; fast_pattern; nocase; http_uri; content:"select"; nocase; http_uri; pcre:"/union\s+select\s+[^\/\\]+from\s+[^\/\\]+/Ui"; metadata:policy security-ips drop, service http; classtype:misc-attack; 13990 SQL union select - possible sql injection attempt - GET parameter web-application-attack tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"CONCAT|28|"; nocase; content:"CONCAT|28|"; distance:0; nocase; content:"CONCAT|28|"; distance:0; nocase; content:"CONCAT|28|"; distance:0; nocase; content:"CONCAT|28|"; distance:0; nocase; metadata:policy security-ips drop, service http; classtype:web-application-attack; 14008 SQL large number of calls to concat function - possible sql injection obfuscation isc.sans.org/diary.html?storyid=3823 29601 attempted-user 2008-3854 tcp $EXTERNAL_NET any -> $HOME_NET 50000 flow:to_server,established; content:"xmlquery"; fast_pattern:only; content:"select "; nocase; pcre:"/select\s+xmlquery\s*\x28\s*(\x27|\x22)[^\x27\x22]{512}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service mysql; classtype:attempted-user; 14991 SQL IBM DB2 Universal Database xmlquery buffer overflow attempt 32710 attempted-admin 2008-5416 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 15143 SQL sp_replwritetovarbin unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/MS09-004.mspx 32710 attempted-admin 2008-5416 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"sp_replwritetovarbin"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 15144 SQL sp_replwritetovarbin vulnerable function attempt www.microsoft.com/technet/security/bulletin/MS09-004.mspx protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C|sql|5C|query|00|"; within:12; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; metadata:service netbios-dgm; classtype:protocol-command-decode; 15319 NETBIOS-DG SMB /sql/query create tree attempt protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C 00|s|00|q|00|l|00 5C 00|q|00|u|00|e|00|r|00|y|00 00 00|"; within:23; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; metadata:service netbios-dgm; classtype:protocol-command-decode; 15320 NETBIOS-DG SMB /sql/query unicode create tree attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C|sql|5C|query|00|"; within:12; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; metadata:service netbios-ssn; classtype:protocol-command-decode; 15321 NETBIOS SMB /sql/query create tree attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C 00|s|00|q|00|l|00 5C 00|q|00|u|00|e|00|r|00|y|00 00 00|"; within:23; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; metadata:service netbios-ssn; classtype:protocol-command-decode; 15322 NETBIOS SMB /sql/query unicode create tree attempt protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|sql|5C|query|00|"; within:12; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; metadata:service netbios-dgm; classtype:protocol-command-decode; 15323 NETBIOS-DG SMB /sql/query andx create tree attempt protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|s|00|q|00|l|00 5C 00|q|00|u|00|e|00|r|00|y|00 00 00|"; within:23; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; metadata:service netbios-dgm; classtype:protocol-command-decode; 15324 NETBIOS-DG SMB /sql/query unicode andx create tree attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|sql|5C|query|00|"; within:12; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; metadata:service netbios-ssn; classtype:protocol-command-decode; 15325 NETBIOS SMB /sql/query andx create tree attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|s|00|q|00|l|00 5C 00|q|00|u|00|e|00|r|00|y|00 00 00|"; within:23; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; metadata:service netbios-ssn; classtype:protocol-command-decode; 15326 NETBIOS SMB /sql/query unicode andx create tree attempt 34461 attempted-admin 2009-0978 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:".RollbackWorkspace"; nocase; pcre:"/^\s*\x28\s*\x27[^\x27]*\x27\s*[^\s\x2c\x29]/iR"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 15515 ORACLE Oracle Database Server RollbackWorkspace SQL injection attempt www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html web-application-attack tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; pcre:"/CHAR\(.*?CHAR\(.*?CHAR\(/smi"; content:"[sysobjects]"; distance:0; nocase; metadata:policy security-ips drop, service http; classtype:web-application-attack; 15584 SQL char and sysobjects - possible sql injection recon attempt isc.sans.org/diary.html?storyid=3823 31683 attempted-admin 2008-3982 tcp $EXTERNAL_NET any -> $SQL_SERVERS [1024:] flow:to_server,established; content:"GRAN|FF|T EXECUTE ON VZJSQ TO PUBLIC"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 15722 SPECIFIC-THREATS Oracle database server Workspace Manager multiple SQL injection attempt www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html 31683 attempted-admin 2008-3982 tcp $EXTERNAL_NET any -> $SQL_SERVERS [1024:] flow:to_server,established; content:".CompressWorkspaceTree"; nocase; pcre:"/^\s*\x28\s*\x27[^\x27]*?\x27\s*[^\x2c\x29]/R"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 15723 ORACLE Oracle database server CompressWorkspaceTree SQL injection attempt www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html 31683 attempted-admin 2008-3982 tcp $EXTERNAL_NET any -> $SQL_SERVERS [1024:] flow:to_server,established; content:".MergeWorkspace"; nocase; pcre:"/^\s*\x28\s*\x27[^\x27]*\x27\s*[^\x2c\x29]/R"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 15724 ORACLE Oracle database server MergeWorkspace SQL injection attempt www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html 31683 attempted-admin 2008-3982 tcp $EXTERNAL_NET any -> $SQL_SERVERS [1024:] flow:to_server,established; content:".RemoveWorkspace"; nocase; pcre:"/^\s*\x28\s*\x27[^\x27]*\x27\s*[^\x2c\x29]/R"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 15725 ORACLE Oracle database server RemoveWorkspace SQL injection attempt www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html 29302 attempted-user 2008-2559 tcp $EXTERNAL_NET any -> $HOME_NET 3050 flow:established,to_server; content:"|00 00 00 01|"; depth:4; byte_jump:4,12,relative,align; content:"|02|"; within:1; distance:8; byte_test:1,>,64,0,relative; metadata:policy security-ips drop; classtype:attempted-user; 15868 SQL Borland InterBase username buffer overflow misc-attack tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"union "; fast_pattern; nocase; http_client_body; content:"select "; nocase; http_client_body; pcre:"/union\s+select\s+[^\/\\]+from\s+[^\/\\]+/Pi"; metadata:policy security-ips drop, service http; classtype:misc-attack; 15874 SQL union select - possible sql injection attempt - POST parameter web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"insert "; fast_pattern; nocase; http_client_body; pcre:"/insert\s+into\s+[^\/\\]+/Pi"; metadata:policy security-ips drop, service http; classtype:web-application-attack; 15875 SQL generic sql insert injection atttempt - POST parameter www.securiteam.com/securityreviews/5DP0N1P76E.html web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"update "; fast_pattern; nocase; http_client_body; pcre:"/update\s+[^\/\\]+set\s+[^\/\\]+/Pi"; metadata:policy security-ips drop, service http; classtype:web-application-attack; 15876 SQL generic sql update injection attempt - POST parameter www.securiteam.com/securityreviews/5DP0N1P76E.html web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"exec "; fast_pattern; nocase; http_client_body; content:"master "; nocase; http_client_body; pcre:"/exec\s+master/Pi"; metadata:policy security-ips drop, service http; classtype:web-application-attack; 15877 SQL generic sql exec injection attempt - POST parameter www.securiteam.com/securityreviews/5DP0N1P76E.html 35842 attempted-dos 2009-2620 tcp $EXTERNAL_NET any -> $HOME_NET 3050 flow:to_server,established; content:"|00 00 00|5"; depth:4; isdataat:11,relative; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-dos; 15896 DOS Firebird SQL op_connect_request denial of service attempt 21303 attempted-admin 2006-4181 udp $EXTERNAL_NET any -> $HOME_NET 1813 flow:to_server; content:"|04|"; depth:1; content:"|01 1A|%n%s%n%s%n%s%n%s%n%s%n%s"; distance:19; metadata:policy security-ips drop, service radius; classtype:attempted-admin; 16049 SPECIFIC-THREATS GNU Radius SQL accounting format string exploit attempt attempted-user 2009-2493 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"27A3D328-D206-4106-8D33-1AA39B13394B"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*27A3D328-D206-4106-8D33-1AA39B13394B\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16159 WEB-ACTIVEX Microsoft Excel Add-in for SQL Analysis Services 1 ActiveX clsid access www.microsoft.com/technet/security/Bulletin/MS09-072.mspx attempted-user 2009-2493 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|7|00|A|00|3|00|D|00|3|00|2|00|8|00|-|00|D|00|2|00|0|00|6|00|-|00|4|00|1|00|0|00|6|00|-|00|8|00|D|00|3|00|3|00|-|00|1|00|A|00|A|00|3|00|9|00|B|00|1|00|3|00|3|00|9|00|4|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x007\x00A\x003\x00D\x003\x002\x008\x00-\x00D\x002\x000\x006\x00-\x004\x001\x000\x006\x00-\x008\x00D\x003\x003\x00-\x001\x00A\x00A\x003\x009\x00B\x001\x003\x003\x009\x004\x00B\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16160 WEB-ACTIVEX Microsoft Excel Add-in for SQL Analysis Services 1 ActiveX clsid unicode access www.microsoft.com/technet/security/Bulletin/MS09-072.mspx attempted-user 2009-2493 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DB640C86-731C-484A-AAAF-750656C9187D"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q3>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DB640C86-731C-484A-AAAF-750656C9187D\s*}?\s*(?P=q3)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16161 WEB-ACTIVEX Microsoft Excel Add-in for SQL Analysis Services 2 ActiveX clsid access www.microsoft.com/technet/security/Bulletin/MS09-072.mspx attempted-user 2009-2493 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|B|00|6|00|4|00|0|00|C|00|8|00|6|00|-|00|7|00|3|00|1|00|C|00|-|00|4|00|8|00|4|00|A|00|-|00|A|00|A|00|A|00|F|00|-|00|7|00|5|00|0|00|6|00|5|00|6|00|C|00|9|00|1|00|8|00|7|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q4>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00B\x006\x004\x000\x00C\x008\x006\x00-\x007\x003\x001\x00C\x00-\x004\x008\x004\x00A\x00-\x00A\x00A\x00A\x00F\x00-\x007\x005\x000\x006\x005\x006\x00C\x009\x001\x008\x007\x00D\x00(}\x00)?(?P=q4)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16162 WEB-ACTIVEX Microsoft Excel Add-in for SQL Analysis Services 2 ActiveX clsid unicode access www.microsoft.com/technet/security/Bulletin/MS09-072.mspx attempted-user 2009-2493 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"15721a53-8448-4731-8bfc-ed11e128e444"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*15721a53-8448-4731-8bfc-ed11e128e444\s*}?\s*(?P=q5)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16163 WEB-ACTIVEX Microsoft Excel Add-in for SQL Analysis Services 3 ActiveX clsid access www.microsoft.com/technet/security/Bulletin/MS09-072.mspx attempted-user 2009-2493 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|5|00|7|00|2|00|1|00|a|00|5|00|3|00|-|00|8|00|4|00|4|00|8|00|-|00|4|00|7|00|3|00|1|00|-|00|8|00|b|00|f|00|c|00|-|00|e|00|d|00|1|00|1|00|e|00|1|00|2|00|8|00|e|00|4|00|4|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q6>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x005\x007\x002\x001\x00a\x005\x003\x00-\x008\x004\x004\x008\x00-\x004\x007\x003\x001\x00-\x008\x00b\x00f\x00c\x00-\x00e\x00d\x001\x001\x00e\x001\x002\x008\x00e\x004\x004\x004\x00(}\x00)?(?P=q6)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16164 WEB-ACTIVEX Microsoft Excel Add-in for SQL Analysis Services 3 ActiveX clsid unicode access www.microsoft.com/technet/security/Bulletin/MS09-072.mspx attempted-user 2009-2493 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3267123E-530D-4E73-9DA7-79F01D86A89F"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3267123E-530D-4E73-9DA7-79F01D86A89F\s*}?\s*(?P=q7)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16165 WEB-ACTIVEX Microsoft Excel Add-in for SQL Analysis Services 4 ActiveX clsid access www.microsoft.com/technet/security/Bulletin/MS09-072.mspx attempted-user 2009-2493 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|2|00|6|00|7|00|1|00|2|00|3|00|E|00|-|00|5|00|3|00|0|00|D|00|-|00|4|00|E|00|7|00|3|00|-|00|9|00|D|00|A|00|7|00|-|00|7|00|9|00|F|00|0|00|1|00|D|00|8|00|6|00|A|00|8|00|9|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q8>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x002\x006\x007\x001\x002\x003\x00E\x00-\x005\x003\x000\x00D\x00-\x004\x00E\x007\x003\x00-\x009\x00D\x00A\x007\x00-\x007\x009\x00F\x000\x001\x00D\x008\x006\x00A\x008\x009\x00F\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16166 WEB-ACTIVEX Microsoft Excel Add-in for SQL Analysis Services 4 ActiveX clsid unicode access www.microsoft.com/technet/security/Bulletin/MS09-072.mspx 35685 attempted-admin 2009-1021 tcp $EXTERNAL_NET any -> $SQL_SERVERS [1024:] flow:to_server,established; content:"DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC"; nocase; pcre:"/^\s*\x28[^\x2c]+\x2c[^\x2c]+?\x3b/R"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 16189 ORACLE Oracle Database REPCAT_RPC.VALIDATE_REMOTE_RC SQL injection attempt www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html 36748 attempted-admin 2009-1991 tcp $EXTERNAL_NET any -> $SQL_SERVERS [1024:] flow:to_server,established; content:"ctxsys.drvxtabc.create_tables"; nocase; pcre:"/^\s*\x28\s*(\x27[^\x27\x22]*\x27\s*\x2c\s*)?\x27[^\x27\x22]*\x22/R"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 16290 ORACLE Oracle database server CREATE_TABLES SQL injection attempt www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html denial-of-service 2009-0173 tcp $EXTERNAL_NET any -> $HOME_NET 50000 flow:to_server,established; content:"|24 14|"; content:"|D0|"; within:1; distance:-8; byte_test:1, &, 4, 0, relative; metadata:policy balanced-ips drop, policy security-ips drop; classtype:denial-of-service; 16364 DOS IBM DB2 database server SQLSTT denial of service attempt 32189 attempted-user 2008-6510 tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] flow:to_server, established; content:"sipark-log-summary.j"; nocase; http_uri; pcre:"/sipark-log-summary\.jsp\?(username|numa(a|b)|type)[^\s]*\s/Umi"; metadata:policy security-ips drop; classtype:attempted-user; 16513 SQL Jive Software Openfire Jabber Server SQL injection attempt 33722 attempted-admin 2009-0542 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server, established; content:"USER"; fast_pattern:only; pcre:"/USER\s*[^\x0d]+\x25\x27/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp; classtype:attempted-admin; 16524 FTP ProFTPD username sql injection attempt 39422 attempted-user 2010-0870 tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS flow:to_server,established; content:"DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE"; nocase; pcre:"/^\s*\x28\s*[^\x29\x2C]*?\x27\x27/R"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 16722 ORACLE Oracle Database Server DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE procedure SQL injection attempt 39422 attempted-user 2010-0870 tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS flow:to_server,established; content:"DBMS_CDC_PUBLISH.ALTER_CHANGE_SOURCE"; nocase; pcre:"/^\s*\x28[^\x29\x2C]*?\x27\x27/R"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 16723 ORACLE Oracle Database Server DBMS_CDC_PUBLISH.ALTER_CHANGE_SOURCE procedure SQL injection attempt attempted-user 2010-2772 tcp any any -> $SQL_SERVERS 1433 flow:to_server,established; content:"WinCCConnect"; content:"2WSXcder"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 17044 SQL WinCC DB default password security bypass attempt support.automation.siemens.com/WW/view/en/43876783 37976 attempted-admin 2010-0462 tcp $EXTERNAL_NET any -> $HOME_NET 50000 flow:to_server, established; content:" REPEAT|28|"; nocase; content:","; distance:0; byte_test:10,>,1000,0,relative,string; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 17209 SQL IBM DB2 DATABASE SERVER SQL REPEAT Buffer Overflow attempted-user 2005-1197 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"SYS.DBMS_METADATA.GET_DDL|28 27 27 27 7C 7C|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 17270 ORACLE DBMS_METADATA Package SQL Injection attempt attempted-user 2007-3855 tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS flow:to_server, established; flowbits:isset, oracle.connect; content:"create view"; fast_pattern; nocase; content:"as select"; distance:0; nocase; content:"from sys."; distance:0; nocase; pcre:"/create view\s*[^\s]*\s*as select\s+([^\x2e]+)\x2e.*\1\x2E.*from sys\x2E[^\s]*\s*\1\x2C\s*sys\x2E[^\s]*\s*([^\s]+)\s*where\s*\1\x2e[^\s\x3D]+\s*\x3D\s*\2\x2E/smi"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 17419 ORACLE Oracle database SQL compiler read-only join auth bypass attempt 15220 web-application-attack 2005-3315 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server, established; content:"/packages/default.asp?"; nocase; http_uri; pcre:"/sort\x3d[^\s]*\x3b+/Ui"; metadata:policy security-ips drop, service http; classtype:web-application-attack; 17449 WEB-MISC Novell ZENworks patch management SQL injection attempt 19203 misc-attack tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:established,to_server; content:"DBMS_ASSERT.simple_sql_name|28|"; fast_pattern:only; nocase; pcre:"/DBMS_ASSERT\x2Esimple_sql_name\x28[^\x29\x22]*?\x22/smi"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:misc-attack; 17590 ORACLE DBMS_ASSERT.simple_sql_name double quote SQL injection attempt 4797 unsuccessful-user 2000-1209 tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any flow:from_server,established; content:"Login failed for user 'sa'"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:unsuccessful-user; 688 SQL sa login failed 10673 234 Server / Database / Common SQL web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"ftp.exe"; fast_pattern:only; metadata:service http; classtype:web-application-activity; 1057 SQL ftp attempt web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"xp_enumdsn"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1058 SQL xp_enumdsn attempt web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"xp_filelist"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1059 SQL xp_filelist attempt web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"xp_availablemedia"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1060 SQL xp_availablemedia attempt 5309 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"xp_cmdshell"; fast_pattern:only; metadata:service http; classtype:web-application-attack; 1061 SQL xp_cmdshell attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"xp_regread"; fast_pattern:only; metadata:service http; classtype:web-application-activity; 1069 SQL xp_regread attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/samples/search/queryhit.htm"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1077 SQL queryhit.htm access 10370 267 web-application-activity 1999-1030 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/counter.exe"; fast_pattern; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1078 SQL counter.exe access 9484 web-application-attack 2004-2115 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/isqlplus"; nocase; http_uri; content:"action="; nocase; http_uri; pcre:"/action(=|\x3f)[^(\n|&)]*\x3c[^(\n|&)]+\x3e/Ui"; metadata:service http; classtype:web-application-attack; 11193 WEB-MISC Oracle iSQL Plus cross site scripting attempt 9484 web-application-attack 2004-2115 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/isqlplus"; nocase; http_uri; content:"username="; nocase; http_uri; pcre:"/username(=|\x3f)[^(\n|&)]*\x3c[^(\n|&)]+\x3e/Ui"; metadata:service http; classtype:web-application-attack; 11194 WEB-MISC Oracle iSQL Plus cross site scripting attempt 16452 attempted-admin 2006-0522 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"/servlet/Sygate.Servlet.login"; nocase; http_uri; pcre:"/[^\x26\x20\x0a]*insert[^\x26\x20\x0a]*Login[^\x26\x20\x0a]*Admin/smi"; metadata:service http; classtype:attempted-admin; 11616 WEB-MISC Symantec Sygate Policy Manager SQL injection 9484 web-application-attack 2004-2115 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/isqlplus"; nocase; http_uri; content:"password="; nocase; http_uri; pcre:"/password(=|\x3f)[^(\n|&)]*\x3c[^(\n|&)]+\x3e/Ui"; metadata:service http; classtype:web-application-attack; 11685 WEB-MISC Oracle iSQL Plus cross site scripting attempt attempted-user 2007-3181 tcp $EXTERNAL_NET any -> $HOME_NET 3050 flow:to_server,established; content:"|00 00 00 01|"; depth:4; byte_jump:4,12,big,relative; byte_test:2,>,10,1,big,relative; classtype:attempted-user; 12009 SQL Firebird SQL Fbserver buffer overflow attempt 9484 web-application-attack 2004-2115 tcp $EXTERNAL_NET any -> $HTTP_SERVERS 7779 flow:to_server,established; content:"/isqlplus"; nocase; http_uri; content:"username="; nocase; http_uri; pcre:"/username(=|\x3f)[^(\n|&)]*\x3c[^(\n|&)]+\x3e/Ui"; metadata:service http; classtype:web-application-attack; 12059 WEB-MISC Oracle iSQL Plus cross site scripting attempt 9484 web-application-attack 2004-2115 tcp $EXTERNAL_NET any -> $HTTP_SERVERS 7779 flow:to_server,established; content:"/isqlplus"; nocase; http_uri; content:"action="; nocase; http_uri; pcre:"/action(=|\x3f)[^(\n|&)]*\x3c[^(\n|&)]+\x3e/Ui"; metadata:service http; classtype:web-application-attack; 12060 WEB-MISC Oracle iSQL Plus cross site scripting attempt 27914 attempted-admin 2008-0912 tcp $EXTERNAL_NET any -> $HOME_NET 2439 flow:to_server,established; content:"|03 22 00|"; byte_test:2,>,128,0,relative,little; classtype:attempted-admin; 13553 EXPLOIT Sybase SQL Anywhere Mobilink username string buffer overflow aluigi.altervista.org/adv/mobilinkhof-adv.txt 27914 attempted-admin 2008-0912 tcp $EXTERNAL_NET any -> $HOME_NET 2439 flow:to_server,established; content:"|03|"; content:"|03 22 00|"; distance:0; byte_jump:2,0,relative,little; byte_test:2,>,128,0,relative,little; classtype:attempted-admin; 13554 EXPLOIT Sybase SQL Anywhere Mobilink version string buffer overflow aluigi.altervista.org/adv/mobilinkhof-adv.txt 27914 attempted-admin 2008-0912 tcp $EXTERNAL_NET any -> $HOME_NET 2439 flow:to_server,established; content:"|03 22 00|"; byte_jump:2,0,relative,little; byte_jump:2,0,relative,little; byte_test:2,>,128,0,relative,little; classtype:attempted-admin; 13555 EXPLOIT Sybase SQL Anywhere Mobilink remoteID string buffer overflow aluigi.altervista.org/adv/mobilinkhof-adv.txt 3727 web-application-activity 2001-1217 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin_/"; http_uri; metadata:service http; classtype:web-application-activity; 1385 WEB-MISC mod-plsql administration access 10849 3733 attempted-user 2001-0542 tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; offset:32; nocase; classtype:attempted-user; 1386 SQL raiserror possible buffer overflow www.microsoft.com/technet/security/bulletin/MS01-060.mspx 3733 attempted-user 2001-0542 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; fast_pattern:only; classtype:attempted-user; 1387 SQL raiserror possible buffer overflow 11217 attempted-admin 2008-0106 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|13891; 13891 SQL Memory page overwrite attempt www.microsoft.com/technet/security/bulletin/MS08-040.mspx attempted-admin 2008-0086 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|13892; 13892 SQL Convert function style overwrite www.microsoft.com/technet/security/bulletin/MS08-040.mspx web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"xp_regaddmultistring"; fast_pattern:only; metadata:service http; classtype:web-application-activity; 13991 SQL xp_regaddmultistring attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"xp_regdeletevalue"; fast_pattern:only; metadata:service http; classtype:web-application-activity; 13992 SQL xp_regdeletevalue attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"xp_regenumkeys"; fast_pattern:only; metadata:service http; classtype:web-application-activity; 13993 SQL xp_regenumkeys attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"xp_regenumvalues"; fast_pattern:only; metadata:service http; classtype:web-application-activity; 13994 SQL xp_regenumvalues attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"xp_regremovemultistring"; fast_pattern:only; metadata:service http; classtype:web-application-activity; 13995 SQL xp_regremovemultistring attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"xp_servicecontrol"; fast_pattern:only; metadata:service http; classtype:web-application-activity; 13996 SQL xp_servicecontrol attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"xp_loginconfig"; fast_pattern:only; metadata:service http; classtype:web-application-activity; 13997 SQL xp_loginconfig attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"xp_terminate_process"; fast_pattern:only; metadata:service http; classtype:web-application-activity; 13998 SQL xp_terminate_process attempt 37973 attempted-admin 2010-0442 tcp $EXTERNAL_NET any -> $HOME_NET 5432 flow:established,to_server; content:"substring|28|B'"; pcre:"/substring\x28B'[^\x27\x29]+\x27\s*,\s*\d+\s*,\s*-([2-9][\s\x29]|\d{2})/smi"; classtype:attempted-admin; 16393 EXPLOIT Postgresql bit substring buffer overflow web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/*"; http_uri; content:"*/"; http_uri; pcre:"/(update|exec|insert|union)[^\/\\]*\/\*.*\*\//Uis"; metadata:service http; classtype:web-application-attack; 16431 SQL generic sql with comments injection attempt - GET parameter www.securiteam.com/securityreviews/5DP0N1P76E.html 5309 attempted-user tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; fast_pattern:only; classtype:attempted-user; 1759 SQL xp_cmdshell program execution 445 4290 web-application-activity 2002-0568 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/XSQLConfig.xml"; http_uri; metadata:service http; classtype:web-application-activity; 1871 WEB-MISC Oracle XSQLConfig.xml access 10855 misc-activity udp $EXTERNAL_NET any -> $HOME_NET 1434 flow:to_server; content:"|02|"; depth:1; classtype:misc-activity; 2049 SQL ping attempt 10674 4520 web-application-activity 2002-0539 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/dm/demarc"; http_uri; content:"s_key="; content:"'"; distance:0; content:"'"; distance:1; content:"'"; distance:0; metadata:service http; classtype:web-application-activity; 2063 WEB-MISC Demarc SQL injection attempt 10871 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/isqlplus"; nocase; http_uri; pcre:"/sid=[^&\x3b\r\n]{255}/si"; metadata:service http; classtype:web-application-attack; 2701 WEB-MISC Oracle iSQLPlus sid overflow attempt www.nextgenss.com/advisories/ora-isqlplus.txt 10871 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/isqlplus"; nocase; http_uri; pcre:"/username=[^&\x3b\r\n]{255}/si"; metadata:service http; classtype:web-application-attack; 2702 WEB-MISC Oracle iSQLPlus username overflow attempt www.nextgenss.com/advisories/ora-isqlplus.txt 10871 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/login.uix"; nocase; http_uri; pcre:"/username=[^&\x3b\r\n]{250}/smi"; metadata:service http; classtype:web-application-attack; 2703 WEB-MISC Oracle iSQLPlus login.uix username overflow attempt www.nextgenss.com/advisories/ora-isqlplus.txt 10871 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/login.uix"; nocase; http_uri; content:"connectID="; nocase; isdataat:255,relative; pcre:"/connectID=[^&\x3b\r\n]{255}/smi"; metadata:service http; classtype:web-application-attack; 2704 WEB-MISC Oracle 10g iSQLPlus login.unix connectID overflow attempt www.nextgenss.com/advisories/ora-isqlplus.txt 4797 unsuccessful-user 2000-1209 tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any flow:from_server,established; content:"Login failed for user 'sa'"; fast_pattern:only; detection_filter:track by_src, count 5, seconds 2; classtype:unsuccessful-user; 3152 SQL sa brute force failed login attempt 10673 4797 unsuccessful-user 2000-1209 tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any flow:from_server,established; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; detection_filter:track by_src, count 5, seconds 2; classtype:unsuccessful-user; 3273 SQL sa brute force failed login unicode attempt 10673 4797 suspicious-login 2000-1209 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:to_server,established; content:"|02|"; depth:1; content:"sa"; depth:2; offset:39; nocase; detection_filter:track by_src, count 5, seconds 2; classtype:suspicious-login; 3542 SQL SA brute force login attempt 10673 4797 unsuccessful-user 2000-1209 tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any flow:from_server,established; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; detection_filter:track by_src, count 5, seconds 2; classtype:unsuccessful-user; 4984 SQL sa brute force failed login unicode attempt 10673 5310 attempted-admin 2002-0649 udp $EXTERNAL_NET any -> $HOME_NET 1434 flow:to_server; content:"|08|"; depth:1; isdataat:50; content:"|3A|"; pcre:"/[0-9]+/R"; classtype:attempted-admin; 4989 SQL heap-based overflow attempt 11214 www.microsoft.com/technet/security/bulletin/MS02-039.mspx attempted-user tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; fast_pattern:only; classtype:attempted-user; 673 SQL sp_start_job - program execution attempted-user tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; classtype:attempted-user; 676 SQL sp_start_job - program execution attempted-user tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; fast_pattern:only; classtype:attempted-user; 677 SQL sp_password password change attempted-user tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; fast_pattern:only; classtype:attempted-user; 678 SQL sp_delete_alert log file deletion attempted-user tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; classtype:attempted-user; 679 SQL sp_adduser database user creation 5309 attempted-user tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; offset:32; nocase; classtype:attempted-user; 681 SQL xp_cmdshell program execution attempted-user tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; fast_pattern:only; classtype:attempted-user; 683 SQL sp_password - password change attempted-user tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; fast_pattern:only; classtype:attempted-user; 684 SQL sp_delete_alert log file deletion attempted-user tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; fast_pattern:only; classtype:attempted-user; 685 SQL sp_adduser - database user creation 5205 attempted-user 2002-0642 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; fast_pattern:only; classtype:attempted-user; 686 SQL xp_reg* - registry access 10642 www.microsoft.com/technet/security/bulletin/MS02-034.mspx 5309 attempted-user tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; fast_pattern:only; classtype:attempted-user; 687 SQL xp_cmdshell - program execution 5205 attempted-user 2002-0642 tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; depth:32; offset:32; nocase; classtype:attempted-user; 689 SQL xp_reg* registry access 10642 www.microsoft.com/technet/security/bulletin/MS02-034 shellcode-detect tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; 691 SQL shellcode attempt shellcode-detect tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; 692 SQL shellcode attempt shellcode-detect tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:shellcode-detect; 693 SQL shellcode attempt attempted-user tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:attempted-user; 694 SQL shellcode attempt 1204 attempted-user tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; classtype:attempted-user; 695 SQL xp_sprintf possible buffer overflow www.microsoft.com/technet/security/bulletin/MS01-060.mspx 3733 attempted-user 2001-0542 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; fast_pattern:only; classtype:attempted-user; 704 SQL xp_sprintf possible buffer overflow www.microsoft.com/technet/security/bulletin/MS01-060.mspx 19054 attempted-user 2006-3702 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"dbms_export_extension"; nocase; content:"ODCIIndexGetMetadata"; nocase; classtype:attempted-user; 7207 ORACLE DBMS_EXPORT_EXTENSION SQL injection attempt 19054 attempted-admin 2006-3698 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"SYS.KUPW|24|WORKER.MAIN"; content:"|7C 7C|'''"; distance:0; classtype:attempted-admin; 8059 ORACLE SYS.KUPW-WORKER sql injection attempt www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2006.html 3733 attempted-admin 2001-0542 tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:established,to_server; content:"f|00|o|00|r|00|m|00|a|00|t|00|m|00|e|00|s|00|s|00|a|00|g|00|e|00|"; classtype:attempted-admin; 8494 SQL formatmessage possible buffer overflow 3733 attempted-admin 2001-0542 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"f|00|o|00|r|00|m|00|a|00|t|00|m|00|e|00|s|00|s|00|a|00|g|00|e|00|"; classtype:attempted-admin; 8495 SQL formatmessage possible buffer overflow attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"s|00|p|00|_|00|o|00|a|00|c|00|r|00|e|00|a|00|t|00|e|00|"; fast_pattern:only; classtype:attempted-admin; 8496 SQL sp_oacreate unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"sp_oacreate"; fast_pattern:only; classtype:attempted-admin; 8497 SQL sp_oacreate vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:established,to_server; content:"s|00|p|00|_|00|o|00|a|00|c|00|r|00|e|00|a|00|t|00|e|00|"; fast_pattern:only; classtype:attempted-admin; 8498 SQL sp_oacreate unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2030 attempted-admin 2000-1081 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; fast_pattern:only; classtype:attempted-admin; 8499 SQL xp_displayparamstmt unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2030 attempted-admin 2000-1081 tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:established,to_server; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; fast_pattern:only; classtype:attempted-admin; 8500 SQL xp_displayparamstmt unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2030 attempted-admin 2000-1081 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"xp_displayparamstmt"; fast_pattern:only; classtype:attempted-admin; 8501 SQL xp_displayparamstmt vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2031 attempted-admin 2000-1082 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; fast_pattern:only; classtype:attempted-admin; 8502 SQL xp_enumresultset unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2031 attempted-admin 2000-1082 tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:established,to_server; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; fast_pattern:only; classtype:attempted-admin; 8503 SQL xp_enumresultset unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2031 attempted-admin 2000-1082 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"xp_enumresultset"; fast_pattern:only; classtype:attempted-admin; 8504 SQL xp_enumresultset vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"x|00|p|00|_|00|o|00|a|00|d|00|e|00|s|00|t|00|r|00|o|00|y|00|"; fast_pattern:only; classtype:attempted-admin; 8505 SQL xp_oadestroy unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:established,to_server; content:"x|00|p|00|_|00|o|00|a|00|d|00|e|00|s|00|t|00|r|00|o|00|y|00|"; fast_pattern:only; classtype:attempted-admin; 8506 SQL xp_oadestroy unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"xp_oadestroy"; fast_pattern:only; classtype:attempted-admin; 8507 SQL xp_oadestroy vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"x|00|p|00|_|00|o|00|a|00|g|00|e|00|t|00|p|00|r|00|o|00|p|00|e|00|r|00|t|00|y|00|"; fast_pattern:only; classtype:attempted-admin; 8508 SQL xp_oagetproperty unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:established,to_server; content:"x|00|p|00|_|00|o|00|a|00|g|00|e|00|t|00|p|00|r|00|o|00|p|00|e|00|r|00|t|00|y|00|"; fast_pattern:only; classtype:attempted-admin; 8509 SQL xp_oagetproperty unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"xp_oagetproperty"; fast_pattern:only; classtype:attempted-admin; 8510 SQL xp_oagetproperty vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"x|00|p|00|_|00|o|00|a|00|m|00|e|00|t|00|h|00|o|00|d|00|"; fast_pattern:only; classtype:attempted-admin; 8511 SQL xp_oamethod unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"xp_oamethod"; fast_pattern:only; classtype:attempted-admin; 8512 SQL xp_oamethod vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:established,to_server; content:"x|00|p|00|_|00|o|00|a|00|m|00|e|00|t|00|h|00|o|00|d|00|"; fast_pattern:only; classtype:attempted-admin; 8513 SQL xp_oamethod unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"x|00|p|00|_|00|o|00|a|00|s|00|e|00|t|00|p|00|r|00|o|00|p|00|e|00|r|00|t|00|y|00|"; fast_pattern:only; classtype:attempted-admin; 8514 SQL xp_oasetproperty unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:established,to_server; content:"x|00|p|00|_|00|o|00|a|00|s|00|e|00|t|00|p|00|r|00|o|00|p|00|e|00|r|00|t|00|y|00|"; fast_pattern:only; classtype:attempted-admin; 8515 SQL xp_oasetproperty unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"xp_oasetproperty"; fast_pattern:only; classtype:attempted-admin; 8516 SQL xp_oasetproperty vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2041 attempted-admin 2000-1085 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; fast_pattern:only; classtype:attempted-admin; 8517 SQL xp_peekqueue unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2041 attempted-admin 2000-1085 tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:established,to_server; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; fast_pattern:only; classtype:attempted-admin; 8518 SQL xp_peekqueue unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2041 attempted-admin 2000-1085 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"xp_peekqueue"; fast_pattern:only; classtype:attempted-admin; 8519 SQL xp_peekqueue vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2041 attempted-admin 2000-1086 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; fast_pattern:only; classtype:attempted-admin; 8520 SQL xp_printstatements unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2041 attempted-admin 2000-1086 tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:established,to_server; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; fast_pattern:only; classtype:attempted-admin; 8521 SQL xp_printstatements unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2041 attempted-admin 2000-1086 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"xp_printstatements"; fast_pattern:only; classtype:attempted-admin; 8522 SQL xp_printstatements vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2024 attempted-admin 2000-1087 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; fast_pattern:only; classtype:attempted-admin; 8523 SQL xp_proxiedmetadata unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2024 attempted-admin 2000-1087 tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:established,to_server; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; fast_pattern:only; classtype:attempted-admin; 8524 SQL xp_proxiedmetadata unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2024 attempted-admin 2000-1087 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"xp_proxiedmetadata"; fast_pattern:only; classtype:attempted-admin; 8525 SQL xp_proxiedmetadata vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2043 attempted-admin 2000-1086 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"x|00|p|00|_|00|S|00|e|00|t|00|S|00|Q|00|L|00|S|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; fast_pattern:only; classtype:attempted-admin; 8526 SQL xp_SetSQLSecurity unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2043 attempted-admin 2000-1086 tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:established,to_server; content:"x|00|p|00|_|00|S|00|e|00|t|00|S|00|Q|00|L|00|S|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; fast_pattern:only; classtype:attempted-admin; 8527 SQL xp_SetSQLSecurity unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2043 attempted-admin 2000-1086 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"xp_SetSQLSecurity"; fast_pattern:only; classtype:attempted-admin; 8528 SQL xp_SetSQLSecurity vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2038 attempted-admin 2000-1083 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; fast_pattern:only; classtype:attempted-admin; 8529 SQL xp_showcolv unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2038 attempted-admin 2000-1083 tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:established,to_server; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; fast_pattern:only; classtype:attempted-admin; 8530 SQL xp_showcolv unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2038 attempted-admin 2000-1083 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"xp_showcolv"; fast_pattern:only; classtype:attempted-admin; 8531 SQL xp_showcolv vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"x|00|p|00|_|00|s|00|q|00|l|00|a|00|g|00|e|00|n|00|t|00|_|00|m|00|o|00|n|00|i|00|t|00|o|00|r|00|"; fast_pattern:only; classtype:attempted-admin; 8532 SQL xp_sqlagent_monitor unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"xp_sqlagent_monitor"; fast_pattern:only; classtype:attempted-admin; 8533 SQL xp_sqlagent_monitor vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:established,to_server; content:"x|00|p|00|_|00|s|00|q|00|l|00|a|00|g|00|e|00|n|00|t|00|_|00|m|00|o|00|n|00|i|00|t|00|o|00|r|00|"; fast_pattern:only; classtype:attempted-admin; 8534 SQL xp_sqlagent_monitor unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"x|00|p|00|_|00|s|00|q|00|l|00|i|00|n|00|v|00|e|00|n|00|t|00|o|00|r|00|y|00|"; fast_pattern:only; classtype:attempted-admin; 8535 SQL xp_sqlinventory unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"xp_sqlinventory"; fast_pattern:only; classtype:attempted-admin; 8536 SQL xp_sqlinventory vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx attempted-admin tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:established,to_server; content:"x|00|p|00|_|00|s|00|q|00|l|00|i|00|n|00|v|00|e|00|n|00|t|00|o|00|r|00|y|00|"; fast_pattern:only; classtype:attempted-admin; 8537 SQL xp_sqlinventory unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2039 attempted-admin 2000-1084 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; fast_pattern:only; classtype:attempted-admin; 8538 SQL xp_updatecolvbm unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2039 attempted-admin 2000-1084 tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 flow:established,to_server; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; fast_pattern:only; classtype:attempted-admin; 8539 SQL xp_updatecolvbm unicode vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 2039 attempted-admin 2000-1084 tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 flow:established,to_server; content:"xp_updatecolvbm"; fast_pattern:only; classtype:attempted-admin; 8540 SQL xp_updatecolvbm vulnerable function attempt www.microsoft.com/technet/security/bulletin/ms00-092.mspx 235 Server / Database / Common SQL 240 Server / Misc 31881 attempted-user 2008-2469 udp $EXTERNAL_NET 53 -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15327, service dns, policy balanced-ips drop, policy security-ips drop; 15327 BAD-TRAFFIC libspf2 DNS TXT record parsing buffer overflow attempt 13729 attempted-dos 2005-0036 udp $EXTERNAL_NET any -> $HOME_NET 53 content:"|C0 0C|"; depth:2; offset:12; metadata:policy balanced-ips drop, policy security-ips drop, service dns; classtype:attempted-dos; 15991 DOS Multiple vendor DNS message decompression denial of service attempt 19404 attempted-admin 2006-3441 udp $EXTERNAL_NET 53 -> $HOME_NET any flow:to_client; content:"|C0 0C 00 22 00 01 00 00 00|<|00 00 01|"; metadata:policy security-ips drop, service dns; classtype:attempted-admin; 16029 SPECIFIC-THREATS Microsoft Windows DNS client ATMA buffer overrun attempt 19404 attempted-admin 2006-3441 tcp $EXTERNAL_NET 53 -> $HOME_NET any flow:to_client,established; content:"|C0 0C 00 10 00 01 00 00 00|<*|AA 00 00 00 00|"; metadata:policy security-ips drop, service dns; classtype:attempted-admin; 16030 SPECIFIC-THREATS Microsoft Windows DNS client TXT buffer overrun attempt 25919 misc-attack 2007-3898 udp $EXTERNAL_NET 53 -> $HOME_NET any flow:to_client; content:"|03|www|07|example|03|com|00 00 01 00 01 C0 0C 00 01 00 01 00 00 0E 10 00 04|****"; metadata:policy security-ips drop, service dns; classtype:misc-attack; 16206 SPECIFIC-THREATS Microsoft Windows DNS server spoofing attempt www.microsoft.com/technet/security/bulletin/ms07-062.mspx trojan-activity udp $HOME_NET any -> $EXTERNAL_NET 53 flow:to_server; content:"butterfly|05|sinip|02|es"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; classtype:trojan-activity; 16297 BOTNET-CNC Palevo bot DNS request for C&C attempt www.virustotal.com/analisis/c790a26f38070632759f481a87ed60c1628dea723ad63577cfe373de6b81e0a7-1249566492 misc-activity udp $HOME_NET any -> $EXTERNAL_NET 53 flow:to_server; content:"qwertasdfg|05|sinip|02|es"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; classtype:misc-activity; 16298 BOTNET-CNC Palevo bot DNS request attempt www.virustotal.com/analisis/c790a26f38070632759f481a87ed60c1628dea723ad63577cfe373de6b81e0a7-1249566492 misc-activity udp $HOME_NET any -> $EXTERNAL_NET 53 flow:to_server; content:"bfisback|05|no-ip|03|org"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; classtype:misc-activity; 16299 BOTNET-CNC Palevo bot DNS request attempt www.virustotal.com/analisis/c790a26f38070632759f481a87ed60c1628dea723ad63577cfe373de6b81e0a7-1249566492 trojan-activity udp $HOME_NET any -> $EXTERNAL_NET 53 flow:to_server; content:"irc|04|zief|02|pl"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; classtype:trojan-activity; 16302 BOTNET-CNC Virut DNS request for C&C attempt threatexpert.com/report.aspx?md5=9ddbec6a5eda7af31e2f5461df8fe4df trojan-activity udp $HOME_NET any -> $EXTERNAL_NET 53 flow:to_server; content:"put|05|ghura|02|pl"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; classtype:trojan-activity; 16303 BOTNET-CNC Virut DNS request attempt threatexpert.com/report.aspx?md5=9ddbec6a5eda7af31e2f5461df8fe4df trojan-activity udp $HOME_NET any -> $EXTERNAL_NET 53 flow:to_server; content:"proxim|09|ircgalaxy|02|pl"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; classtype:trojan-activity; 16304 BOTNET-CNC Virut DNS request attempt threatexpert.com/report.aspx?md5=9ddbec6a5eda7af31e2f5461df8fe4df trojan-activity udp $HOME_NET any -> $EXTERNAL_NET 53 flow:to_server; content:"torpig-sinkhole|03|org"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service dns; classtype:trojan-activity; 16693 SPYWARE-PUT Torpig bot sinkhole server DNS lookup attempt www.virustotal.com/analisis/598c0628fb40a17405ee0a3146621460daeee46ac863810af822695153416a3f-1270655846 20804 attempted-dos 2006-5614 udp $EXTERNAL_NET any -> $HOME_NET 53 flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00|"; depth:2; offset:4; metadata:policy balanced-ips drop, policy security-ips drop, service dns; classtype:attempted-dos; 17294 DOS Microsoft Windows NAT Helper DNS query denial of service attempt 12551 attempted-dos 2005-0446 udp $EXTERNAL_NET 53 -> $HOME_NET any flow:to_client,established; content:"|00 01 00 01|"; content:"|00 01 00 01|"; within:4; distance:2; isdataat:6,relative; content:!"|00 04|"; within:2; distance:4; metadata:policy balanced-ips drop, policy security-ips drop, service dns; classtype:attempted-dos; 17483 DNS squid proxy dns A record response denial of service attempt 12551 attempted-dos 2005-0446 udp $EXTERNAL_NET 53 -> $HOME_NET any flow:to_client,established; content:"|00 0C 00 01|"; content:"|00 0C 00 01|"; within:4; distance:2; content:"|00 01 00|"; within:3; distance:4; metadata:policy balanced-ips drop, policy security-ips drop, service dns; classtype:attempted-dos; 17484 DNS squid proxy dns PTR record response denial of service attempt misc-attack 2005-0817 udp $EXTERNAL_NET 53 -> $HOME_NET any flow:to_client,established; content:"|C8 C8 C8 C8|"; fast_pattern; content:"|00 02 00 01|"; within:10; distance:2; content:"fake"; within:20; distance:7; metadata:policy balanced-ips drop, policy security-ips drop, service dns; classtype:misc-attack; 17485 DNS Symantec Gateway products DNS cache poisoning attempt 13592 attempted-dos 2005-1519 udp $EXTERNAL_NET 53 -> $HOME_NET any content:"|C0 10 00 02 00 01 00 01 51 80 00 05 02 6E 73 C0 10|"; detection_filter:track by_src, count 1000, seconds 1; metadata:policy security-ips drop; classtype:attempted-dos; 17495 SPECIFIC-THREATS Squid proxy DNS response spoofing attempt 22231 attempted-dos 2007-0494 udp $EXTERNAL_NET any -> $DNS_SERVERS 53 flow:to_server; content:"|01 10|"; depth:2; offset:2; content:"|00 80 01 00 01 00 00 29|"; isdataat:!9,relative; content:"|03|com"; content:"|03|com"; within:4; distance:4; metadata:policy security-ips drop; classtype:attempted-dos; 17680 SPECIFIC-THREATS ISC BIND DNSSEC Validation Multiple RRsets DoS misc-activity 2009-0234 udp $DNS_SERVERS 53 -> $EXTERNAL_NET any gid:3; classtype:misc-activity; detection_filter:track by_src, count 20, seconds 20; metadata: engine shared, soid 3|17696, service dns, policy balanced-ips drop, policy security-ips drop; 17696 EXPLOIT Microsoft DNS Server ANY query cache weakness www.microsoft.com/technet/security/bulletin/ms09-008.mspx attempted-recon 1999-0532 udp $EXTERNAL_NET any -> $HOME_NET 53 flow:to_server; content:"|00 00 FC|"; offset:14; metadata:policy security-ips drop, service dns; classtype:attempted-recon; 1948 DNS zone transfer UDP 10595 bad-unknown udp $EXTERNAL_NET 53 -> $HOME_NET any flow:to_client; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; fast_pattern:only; metadata:policy security-ips drop, service dns; classtype:bad-unknown; 253 DNS SPOOF query response PTR with TTL of 1 min. and no authority 2302 attempted-recon 2001-0010 udp $EXTERNAL_NET any -> $HOME_NET 53 flow:to_server; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:policy security-ips drop, service dns; classtype:attempted-recon; 2921 DNS UDP inverse query 10605 misc-attack 2006-5614 tcp any any -> any 53 flow:established,to_server; byte_test:2,&,256,2; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:4; metadata:policy security-ips drop, service dns; classtype:misc-attack; 8709 DNS Windows NAT helper components tcp denial of service attempt misc-attack 2006-5614 udp any any -> any 53 flow:to_server; byte_test:2,&,256,2; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:4; metadata:policy security-ips drop, service dns; classtype:misc-attack; 8710 DNS Windows NAT helper components udp denial of service attempt 241 Server / Misc / DNS 23470 attempted-admin 2007-1748 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:50ABC2A4-574D-40B3-9D66-EE4FD5FBA076; dce_opnum:7; dce_stub_data; content:!"|00 00 00 00|"; depth:4; offset:8; pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; content:!"|00 00 00 00|"; within:4; byte_test:4,>,256,8,relative,dce; content:"|05 00 00|"; fast_pattern; metadata:service netbios-ssn; classtype:attempted-admin; 10603 NETBIOS DCERPC NCACN-IP-TCP dns R_DnssrvUpdateRecord2 overflow attempt www.microsoft.com/technet/security/Bulletin/MS07-029.mspx 23470 attempted-admin 2007-1748 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:50ABC2A4-574D-40B3-9D66-EE4FD5FBA076; dce_opnum:1,3; dce_stub_data; content:!"|00 00 00 00|"; depth:4; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; content:!"|00 00 00 00|"; within:4; byte_test:4,>,256,8,relative,dce; content:"|05 00 00|"; fast_pattern; metadata:service netbios-ssn; classtype:attempted-admin; 10900 NETBIOS DCERPC NCACN-IP-TCP dns R_DnssrvEnumRecords overflow attempt www.microsoft.com/technet/security/Bulletin/MS07-029.mspx 25159 attempted-admin 2007-3744 udp $EXTERNAL_NET any -> $HOME_NET 49152:65535 flow:to_client; content:"HTTP"; depth:16; pcre:"/^.*HTTP.*\r\n(.+\x3a\s+.+\r\n){31,}/"; classtype:attempted-admin; 12357 EXPLOIT Apple mDNSresponder excessive HTTP headers 590 attempted-user 1999-0745 tcp $EXTERNAL_NET any -> $HOME_NET 4242 flow:to_server,established; isdataat:1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; classtype:attempted-user; 1261 EXPLOIT AIX pdnsd overflow attempted-recon tcp $EXTERNAL_NET any -> $HOME_NET 53 flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:service dns; classtype:attempted-recon; 1435 DNS named authors attempt 10728 6186 attempted-admin 2002-0029 udp $EXTERNAL_NET 53 -> $HOME_NET any flow:to_client; content:"|D3 A9 85 80 00 01 00|2"; metadata:service dns; classtype:attempted-admin; 15963 SPECIFIC-THREATS Red Hat Enterprise Linux DNS resolver buffer overflow attempt 11605 misc-attack 2004-0892 udp $EXTERNAL_NET 53 -> $HOME_NET any flow:to_client; content:"|C0 0C 00 0C 00 01 00 01|Q|80 00 0F 03|www|05|yahoo|03|com|00|"; metadata:service dns; classtype:misc-attack; 15988 SPECIFIC-THREATS Microsoft ISA Server DNS spoofing attempt attempted-recon udp $EXTERNAL_NET any -> $HOME_NET 53 flow:to_server; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:service dns; classtype:attempted-recon; 1616 DNS named version attempt 10028 23470 attempted-admin 2007-1748 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:50ABC2A4-574D-40B3-9D66-EE4FD5FBA076; dce_opnum:7; dce_stub_data; content:"|00 00 00 00|"; depth:4; offset:8; content:!"|00 00 00 00|"; within:4; byte_test:4,>,256,8,relative,dce; content:"|05 00 00|"; fast_pattern; metadata:service netbios-ssn; classtype:attempted-admin; 16499 NETBIOS DCERPC NCACN-IP-TCP dns R_DnssrvUpdateRecord2 overflow attempt www.microsoft.com/technet/security/Bulletin/MS07-029.mspx 23470 attempted-admin 2007-1748 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:50ABC2A4-574D-40B3-9D66-EE4FD5FBA076; dce_opnum:1,3; dce_stub_data; content:"|00 00 00 00|"; depth:4; content:!"|00 00 00 00|"; within:4; byte_test:4,>,256,8,relative,dce; content:"|05 00 00|"; fast_pattern; metadata:service netbios-ssn; classtype:attempted-admin; 16500 NETBIOS DCERPC NCACN-IP-TCP dns R_DnssrvEnumRecords overflow attempt www.microsoft.com/technet/security/Bulletin/MS07-029.mspx 35925 attempted-user 2009-2470 tcp $EXTERNAL_NET 1080 -> $HOME_NET any flow:established,to_client; content:"|05 00 00 03|"; depth:4; isdataat:16,relative; classtype:attempted-user; 16612 WEB-CLIENT Firefox oversized SOCKS5 DNS reply memory corruption attempt trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|02|qd|07|netkill|03|com|02|cn"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16834 BLACKLIST DNS request for known malware domain qd.netkill.com.cn - Trojan-Downloader.Win32.Adload.rzx labs.snort.org/docs/16834.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|exe|06|146843|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16835 BLACKLIST DNS request for known malware domain exe.146843.com - Trojan.Win32.Opeg.a labs.snort.org/docs/16835.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|ra03|05|e5732|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16836 BLACKLIST DNS request for known malware domain ra03.e5732.com - Trojan-Clicker.Win32.Small.afg labs.snort.org/docs/16836.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0C|dangercheats|03|com|02|br"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16837 BLACKLIST DNS request for known malware domain dangercheats.com.br - Trojan.Win32.Refroso.arnq labs.snort.org/docs/16837.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|xlm|05|ppvsr|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16838 BLACKLIST DNS request for known malware domain xlm.ppvsr.com - Trojan-GameThief.Win32.OnLineGames.wwcf labs.snort.org/docs/16838.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|sh16|05|e8753|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16839 BLACKLIST DNS request for known malware domain sh16.e8753.com - Trojan.Win32.Scar.ccqb labs.snort.org/docs/16839.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|rx11|05|e6532|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16840 BLACKLIST DNS request for known malware domain rx11.e6532.com - Trojan.Win32.Opeg.a labs.snort.org/docs/16840.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|07|podgorz|03|org"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16841 BLACKLIST DNS request for known malware domain podgorz.org - Trojan-Spy.Win32.Zbot.gen labs.snort.org/docs/16841.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|sp19|05|e4578|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16842 BLACKLIST DNS request for known malware domain sp19.e4578.com - Trojan-Downloader.Win32.Genome.njz labs.snort.org/docs/16842.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|01|1|04|7zsm|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16843 BLACKLIST DNS request for known malware domain 1.7zsm.com - Trojan-Downloader.Win32.Agent.dtuo labs.snort.org/docs/16843.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|rm08|05|e4562|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16844 BLACKLIST DNS request for known malware domain rm08.e4562.com - Trojan-Downloader.Win32.Agent.dngx labs.snort.org/docs/16844.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|rc04|05|e6532|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16845 BLACKLIST DNS request for known malware domain rc04.e6532.com - Trojan-Downloader.Win32.Genome.awld labs.snort.org/docs/16845.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|08|bedayton|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16846 BLACKLIST DNS request for known malware domain bedayton.com - Trojan-Downloader.Win32.Agent.dlhe labs.snort.org/docs/16846.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|rz12|05|e6805|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16847 BLACKLIST DNS request for known malware domain rz12.e6805.com - Trojan-Downloader.Win32.Genome.awld labs.snort.org/docs/16847.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|02|in|09|chinaitlm|02|cn"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16848 BLACKLIST DNS request for known malware domain in.chinaitlm.cn - Trojan.VBS.HideIcon.d labs.snort.org/docs/16848.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|re05|05|e6532|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16849 BLACKLIST DNS request for known malware domain re05.e6532.com - Trojan-Downloader.Win32.Genome.awld labs.snort.org/docs/16849.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|07|kldmten|03|net"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16850 BLACKLIST DNS request for known malware domain kldmten.net - Trojan-Spy.Win32.Zbot.akra labs.snort.org/docs/16850.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|06|forelc|02|cc"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16851 BLACKLIST DNS request for known malware domain forelc.cc - Trojan-Ransom.Win32.XBlocker.ahe labs.snort.org/docs/16851.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|01|v|05|yao63|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16852 BLACKLIST DNS request for known malware domain v.yao63.com - Trojan-Downloader.Win32.Agent.dqns labs.snort.org/docs/16852.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|vh26|05|e4578|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16853 BLACKLIST DNS request for known malware domain vh26.e4578.com - Trojan.Win32.Opeg.a labs.snort.org/docs/16853.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|up1|08|give2sms|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16854 BLACKLIST DNS request for known malware domain up1.give2sms.com - Trojan-Downloader.Win32.Genome.est labs.snort.org/docs/16854.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|01|d|0A|123kuaihuo|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16855 BLACKLIST DNS request for known malware domain d.123kuaihuo.com - Trojan.Win32.Scar.clbx labs.snort.org/docs/16855.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|andy|02|cd"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16856 BLACKLIST DNS request for known malware domain andy.cd - Backdoor.Win32.Agent.auto labs.snort.org/docs/16856.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|site|05|mynet|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16857 BLACKLIST DNS request for known malware domain site.mynet.com - Trojan.Win32.Buzus.dxsr labs.snort.org/docs/16857.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|charter-x|03|biz"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16858 BLACKLIST DNS request for known malware domain charter-x.biz - Packed.Win32.Krap.ae labs.snort.org/docs/16858.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|gerherber|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16859 BLACKLIST DNS request for known malware domain gerherber.com - Trojan-Spy.Win32.Zbot.akdw labs.snort.org/docs/16859.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|08|urodinam|03|net"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16860 BLACKLIST DNS request for known malware domain urodinam.net - Trojan.Win32.TDSS.azsj labs.snort.org/docs/16860.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0E|gite-eguisheim|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16861 BLACKLIST DNS request for known malware domain gite-eguisheim.com - Trojan-Downloader.Win32.Piker.clp labs.snort.org/docs/16861.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0A|phaizeipeu|02|ru"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16862 BLACKLIST DNS request for known malware domain phaizeipeu.ru - Packed.Win32.Krap.gx labs.snort.org/docs/16862.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|06|teendx|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16863 BLACKLIST DNS request for known malware domain teendx.com - Trojan-Spy.Win32.Zbot.gen labs.snort.org/docs/16863.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0B|taiping2033|04|2288|03|org"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16864 BLACKLIST DNS request for known malware domain taiping2033.2288.org - Trojan-Downloader.Win32.Selvice.afy labs.snort.org/docs/16864.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|cnfg|10|maxsitesrevenues|03|net"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16865 BLACKLIST DNS request for known malware domain cnfg.maxsitesrevenues.net - Trojan.Win32.BHO.afke labs.snort.org/docs/16865.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|07|members|0A|multimania|02|co|02|uk"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16866 BLACKLIST DNS request for known malware domain members.multimania.co.uk - Trojan.Win32.Inject.ahqv labs.snort.org/docs/16866.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|down|05|toopc|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16867 BLACKLIST DNS request for known malware domain down.toopc.com - Trojan-Dropper.Win32.Clons.hai labs.snort.org/docs/16867.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|hostshack|03|net"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16868 BLACKLIST DNS request for known malware domain hostshack.net - Trojan.Win32.Buzus.empl labs.snort.org/docs/16868.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|02|tt|04|vv49|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16869 BLACKLIST DNS request for known malware domain tt.vv49.com - Trojan-GameThief.Win32.OnLineGames.bnkb labs.snort.org/docs/16869.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|06|search|09|sidegreen|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16870 BLACKLIST DNS request for known malware domain search.sidegreen.com - Backdoor.Win32.Agent.arqi labs.snort.org/docs/16870.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0F|parfaitpournous|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16871 BLACKLIST DNS request for known malware domain parfaitpournous.com - Trojan-Spy.Win32.Zbot.gen labs.snort.org/docs/16871.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0B|postmetoday|02|ru"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16872 BLACKLIST DNS request for known malware domain postmetoday.ru - Packed.Win32.Katusha.j labs.snort.org/docs/16872.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|07|youword|02|cn"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16873 BLACKLIST DNS request for known malware domain youword.cn - Trojan.Win32.Scar.bvgu labs.snort.org/docs/16873.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0A|ophaeghaev|02|ru"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16874 BLACKLIST DNS request for known malware domain ophaeghaev.ru - Trojan-Spy.Win32.Zbot.akmi labs.snort.org/docs/16874.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|up1|08|free-sms|02|co|02|kr"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16875 BLACKLIST DNS request for known malware domain up1.free-sms.co.kr - Trojan.Win32.Vilsel.akp labs.snort.org/docs/16875.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|01|c|09|softdowns|04|info"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16876 BLACKLIST DNS request for known malware domain c.softdowns.info - Trojan.BAT.Agent.yn labs.snort.org/docs/16876.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|05|ddkom|03|biz"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16877 BLACKLIST DNS request for known malware domain ddkom.biz - Trojan.Win32.Scar.ckhr labs.snort.org/docs/16877.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|06|vopret|02|ru"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16878 BLACKLIST DNS request for known malware domain vopret.ru - Trojan.Win32.FraudPack.axwn labs.snort.org/docs/16878.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|07|dnfpomo|09|dnfranran|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16879 BLACKLIST DNS request for known malware domain dnfpomo.dnfranran.com - Trojan-GameThief.Win32.OnLineGames.bnkx labs.snort.org/docs/16879.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|05|dnfuu|04|3322|03|org"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16880 BLACKLIST DNS request for known malware domain dnfuu.3322.org - Trojan-Downloader.Win32.Genome.asrx labs.snort.org/docs/16880.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|sex-gifts|02|ru"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16881 BLACKLIST DNS request for known malware domain sex-gifts.ru - Trojan-Spy.Win32.Zbot.gen labs.snort.org/docs/16881.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|111|07|168lala|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16882 BLACKLIST DNS request for known malware domain 111.168lala.com - Backdoor.Win32.Popwin.cyn labs.snort.org/docs/16882.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0F|mcafee-registry|02|ru"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16883 BLACKLIST DNS request for known malware domain mcafee-registry.ru - Trojan-Spy.Win32.Zbot.akgb labs.snort.org/docs/16883.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|bits4ever|02|ru"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16884 BLACKLIST DNS request for known malware domain bits4ever.ru - Trojan-Spy.Win32.Zbot.aknt labs.snort.org/docs/16884.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0D|monicaecarlos|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16885 BLACKLIST DNS request for known malware domain monicaecarlos.com - Trojan-Downloader.Win32.Genome.awxv labs.snort.org/docs/16885.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|01|d|08|trymedia|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16886 BLACKLIST DNS request for known malware domain d.trymedia.com - Trojan-Dropper.Win32.Delf.fkk labs.snort.org/docs/16886.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|05|dbtte|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16888 BLACKLIST DNS request for known malware domain dbtte.com - Trojan-Banker.Win32.Banz.crk labs.snort.org/docs/16888.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|02|h1|06|ripway|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16889 BLACKLIST DNS request for known malware domain h1.ripway.com - Trojan.Win32.Refroso.bcdq labs.snort.org/docs/16889.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|05|in6cs|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16890 BLACKLIST DNS request for known malware domain in6cs.com - Trojan.Win32.Tdss.beea labs.snort.org/docs/16890.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|08|solo1928|02|ru"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16891 BLACKLIST DNS request for known malware domain solo1928.ru - Trojan-Spy.Win32.Zbot.gen labs.snort.org/docs/16891.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|08|fg545633|04|host|06|zgridc|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16892 BLACKLIST DNS request for known malware domain fg545633.host.zgridc.com - Trojan.Win32.Pincav.abub labs.snort.org/docs/16892.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|primusdns|02|ru"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16893 BLACKLIST DNS request for known malware domain primusdns.ru - Backdoor.Win32.Havar.eh labs.snort.org/docs/16893.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|02|eq|06|pccppc|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16894 BLACKLIST DNS request for known malware domain eq.pccppc.com - Trojan-Downloader.Win32.Pher.fkl labs.snort.org/docs/16894.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|05|alodh|02|in"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16895 BLACKLIST DNS request for known malware domain alodh.in - Backdoor.Win32.Delf.vde labs.snort.org/docs/16895.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|06|reward|06|pnshop|02|co|02|kr"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16896 BLACKLIST DNS request for known malware domain reward.pnshop.co.kr - Backdoor.Win32.Agent.ahra labs.snort.org/docs/16896.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|08|sympathy|06|hdnews|03|net"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16897 BLACKLIST DNS request for known malware domain sympathy.hdnews.net - Trojan-Spy.Win32.Zbot.gen labs.snort.org/docs/16897.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|sx21|05|e4578|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16898 BLACKLIST DNS request for known malware domain sx21.e4578.com - Trojan.Win32.Scar.ccqb labs.snort.org/docs/16898.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0D|downloadering|04|9966|03|org"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16899 BLACKLIST DNS request for known malware domain downloadering.9966.org - Trojan.Win32.Vilsel.adxv labs.snort.org/docs/16899.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0B|reportes201|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16900 BLACKLIST DNS request for known malware domain reportes201.com - Trojan-Downloader.Win32.Genome.ashe labs.snort.org/docs/16900.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|05|local|04|1140|02|co|02|kr"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16901 BLACKLIST DNS request for known malware domain local.1140.co.kr - Trojan-Downloader.Win32.Genome.aobm labs.snort.org/docs/16901.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|08|promojoy|03|net"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16902 BLACKLIST DNS request for known malware domain promojoy.net - Packed.Win32.Krap.gx labs.snort.org/docs/16902.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|gpwg|02|ws"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16903 BLACKLIST DNS request for known malware domain gpwg.ws - Worm.Win32.AutoRun.bjca labs.snort.org/docs/16903.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|06|xoomer|05|alice|02|it"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16904 BLACKLIST DNS request for known malware domain xoomer.alice.it - Trojan-Downloader.Win32.Banload.kdu labs.snort.org/docs/16904.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|06|xoomer|08|virgilio|02|it"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16905 BLACKLIST DNS request for known malware domain xoomer.virgilio.it - Backdoor.Win32.Clar.d labs.snort.org/docs/16905.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|down|07|p2pplay|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16906 BLACKLIST DNS request for known malware domain down.p2pplay.com - Trojan-GameThief.Win32.OnLineGames.wgkv labs.snort.org/docs/16906.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|livetrust|04|info"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16907 BLACKLIST DNS request for known malware domain livetrust.info - Trojan-Spy.Win32.Zbot.akku labs.snort.org/docs/16907.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0A|ootaivilei|02|ru"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16908 BLACKLIST DNS request for known malware domain ootaivilei.ru - Trojan-Spy.Win32.Zbot.akme labs.snort.org/docs/16908.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0D|babah20122012|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16909 BLACKLIST DNS request for known malware domain babah20122012.com - Trojan-Spy.Win32.Zbot.akbb labs.snort.org/docs/16909.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"0-0-0-0-0-0-0|04|info"; metadata:impact_flag red, service dns; classtype:trojan-activity; 16910 BLACKLIST DNS request for known malware domain pattern - 0-0-0-0-0-0-0.info labs.snort.org/docs/16910.html 23470 attempted-admin 2007-1748 tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] flow:established,to_server; dce_iface:50ABC2A4-574D-40B3-9D66-EE4FD5FBA076; dce_opnum:1,3; dce_stub_data; pcre:"/^.*?(\x5c.){256}/sR"; metadata:service netbios-ssn; classtype:attempted-admin; 17047 NETBIOS Microsoft Windows DNS Server RPC management interface buffer overflow attempt www.microsoft.com/technet/security/Bulletin/MS07-029.mspx trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|ktr|04|t134|03|net"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17818 BLACKLIST DNS request for known malware domain ktr.t134.net labs.snort.org/docs/17818.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|05|motuh|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17819 BLACKLIST DNS request for known malware domain motuh.com labs.snort.org/docs/17819.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0D|myanimalclips|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17820 BLACKLIST DNS request for known malware domain myanimalclips.com labs.snort.org/docs/17820.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|ketsymbol|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17821 BLACKLIST DNS request for known malware domain ketsymbol.com labs.snort.org/docs/17821.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|ics|06|hotbar|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17822 BLACKLIST DNS request for known malware domain ics.hotbar.com labs.snort.org/docs/17822.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|0D|myroitracking|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17823 BLACKLIST DNS request for known malware domain www.myroitracking.com labs.snort.org/docs/17823.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|teenxmovs|03|net"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17824 BLACKLIST DNS request for known malware domain teenxmovs.net labs.snort.org/docs/17824.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|02|px|08|smowtion|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17825 BLACKLIST DNS request for known malware domain px.smowtion.com labs.snort.org/docs/17825.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|07|cheaps1|04|info"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17826 BLACKLIST DNS request for known malware domain cheaps1.info labs.snort.org/docs/17826.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0D|sexmoviesland|03|net"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17827 BLACKLIST DNS request for known malware domain sexmoviesland.net labs.snort.org/docs/17827.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|02|67|03|201|02|36|02|16"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17828 BLACKLIST DNS request for known malware domain 67.201.36.16 labs.snort.org/docs/17828.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|02|c7|05|zxxds|03|net"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17829 BLACKLIST DNS request for known malware domain c7.zxxds.net labs.snort.org/docs/17829.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0A|dickvsclit|03|net"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17830 BLACKLIST DNS request for known malware domain dickvsclit.net labs.snort.org/docs/17830.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0E|edrichfinearts|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17831 BLACKLIST DNS request for known malware domain edrichfinearts.com labs.snort.org/docs/17831.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|06|img100|07|xvideos|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17832 BLACKLIST DNS request for known malware domain img100.xvideos.com labs.snort.org/docs/17832.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|09|dsnextgen|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17833 BLACKLIST DNS request for known malware domain www.dsnextgen.com labs.snort.org/docs/17833.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|343|07|boolans|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17834 BLACKLIST DNS request for known malware domain 343.boolans.com labs.snort.org/docs/17834.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|xpresdnet|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17835 BLACKLIST DNS request for known malware domain xpresdnet.com labs.snort.org/docs/17835.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|05|gbsup|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17836 BLACKLIST DNS request for known malware domain gbsup.com labs.snort.org/docs/17836.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|xxsmovies|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17837 BLACKLIST DNS request for known malware domain xxsmovies.com labs.snort.org/docs/17837.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|02|vc|09|iwriteweb|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17838 BLACKLIST DNS request for known malware domain vc.iwriteweb.com labs.snort.org/docs/17838.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|02|js|06|222233|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17839 BLACKLIST DNS request for known malware domain js.222233.com labs.snort.org/docs/17839.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|0C|grannyplanet|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17840 BLACKLIST DNS request for known malware domain www.grannyplanet.com labs.snort.org/docs/17840.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|coop|09|crwdcntrl|03|net"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17841 BLACKLIST DNS request for known malware domain coop.crwdcntrl.net labs.snort.org/docs/17841.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|extrahotx|03|net"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17842 BLACKLIST DNS request for known malware domain extrahotx.net labs.snort.org/docs/17842.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|10|extralargevideos|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17843 BLACKLIST DNS request for known malware domain extralargevideos.com labs.snort.org/docs/17843.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|07|derquda|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17844 BLACKLIST DNS request for known malware domain www.derquda.com labs.snort.org/docs/17844.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0A|aahydrogen|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17845 BLACKLIST DNS request for known malware domain aahydrogen.com labs.snort.org/docs/17845.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0B|trumpetlicks|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17846 BLACKLIST DNS request for known malware domain trumpetlicks.com labs.snort.org/docs/17846.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|05|mskla|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17847 BLACKLIST DNS request for known malware domain mskla.com labs.snort.org/docs/17847.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|play|08|unionsky|02|cn"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17848 BLACKLIST DNS request for known malware domain play.unionsky.cn labs.snort.org/docs/17848.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0C|fuckersucker|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17849 BLACKLIST DNS request for known malware domain fuckersucker.com labs.snort.org/docs/17849.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0C|pornfucklist|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17850 BLACKLIST DNS request for known malware domain pornfucklist.com labs.snort.org/docs/17850.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|game|0B|685faiudeme|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17851 BLACKLIST DNS request for known malware domain game.685faiudeme.com labs.snort.org/docs/17851.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|447|02|cc"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17852 BLACKLIST DNS request for known malware domain 447.cc labs.snort.org/docs/17852.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0A|dommonview|04|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17853 BLACKLIST DNS request for known malware domain dommonview.com labs.snort.org/docs/17853.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|0E|lamiaexragazza|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17854 BLACKLIST DNS request for known malware domain www.lamiaexragazza.com labs.snort.org/docs/17854.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|acofinder|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17855 BLACKLIST DNS request for known malware domain acofinder.com labs.snort.org/docs/17855.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0C|fuckfuckvids|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17856 BLACKLIST DNS request for known malware domain fuckfuckvids.com labs.snort.org/docs/17856.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|06|cnhack|02|cn"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17857 BLACKLIST DNS request for known malware domain www.cnhack.cn labs.snort.org/docs/17857.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0F|kingsizematures|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17858 BLACKLIST DNS request for known malware domain kingsizematures.com labs.snort.org/docs/17858.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|08|promotds|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17859 BLACKLIST DNS request for known malware domain promotds.com labs.snort.org/docs/17859.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|05|mejac|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17860 BLACKLIST DNS request for known malware domain mejac.com labs.snort.org/docs/17860.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|zq2|04|9wee|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17861 BLACKLIST DNS request for known malware domain zq2.9wee.com labs.snort.org/docs/17861.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|122|09|770304123|02|cn"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17862 BLACKLIST DNS request for known malware domain 122.770304123.cn labs.snort.org/docs/17862.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|rpt2|05|21civ|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17863 BLACKLIST DNS request for known malware domain rpt2.21civ.com labs.snort.org/docs/17863.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0E|tubexxxmatures|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17864 BLACKLIST DNS request for known malware domain tubexxxmatures.com labs.snort.org/docs/17864.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|110|09|770304123|02|cn"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17865 BLACKLIST DNS request for known malware domain 110.770304123.cn labs.snort.org/docs/17865.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0C|aebankonline|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17866 BLACKLIST DNS request for known malware domain aebankonline.com labs.snort.org/docs/17866.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|utm|03|trk|0A|myfuncards|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17867 BLACKLIST DNS request for known malware domain utm.trk.myfuncards.com labs.snort.org/docs/17867.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|01|a|06|qq2233|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17868 BLACKLIST DNS request for known malware domain a.qq2233.com labs.snort.org/docs/17868.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|02|px|0A|mgplatform|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17869 BLACKLIST DNS request for known malware domain px.mgplatform.com labs.snort.org/docs/17869.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|07|trojan8|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17870 BLACKLIST DNS request for known malware domain trojan8.com labs.snort.org/docs/17870.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0D|brutalxvideos|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17871 BLACKLIST DNS request for known malware domain brutalxvideos.com labs.snort.org/docs/17871.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|www3|06|sexown|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17872 BLACKLIST DNS request for known malware domain www3.sexown.com labs.snort.org/docs/17872.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0A|mummimpegs|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17873 BLACKLIST DNS request for known malware domain mummimpegs.com labs.snort.org/docs/17873.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|10|f19dd4abb8b8bdf2|02|cn"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17874 BLACKLIST DNS request for known malware domain f19dd4abb8b8bdf2.cn labs.snort.org/docs/17874.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|0F|very-young-boys|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17875 BLACKLIST DNS request for known malware domain www.very-young-boys.com labs.snort.org/docs/17875.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|05|91629|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17876 BLACKLIST DNS request for known malware domain 91629.com labs.snort.org/docs/17876.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|08|animal36|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17877 BLACKLIST DNS request for known malware domain animal36.com labs.snort.org/docs/17877.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|ayb|0D|host127-0-0-1|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17878 BLACKLIST DNS request for known malware domain ayb.host127-0-0-1.com labs.snort.org/docs/17878.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|cfg|09|353wanwan|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17879 BLACKLIST DNS request for known malware domain cfg.353wanwan.com labs.snort.org/docs/17879.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|05|027dj|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17880 BLACKLIST DNS request for known malware domain www.027dj.com labs.snort.org/docs/17880.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|fucktosky|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17881 BLACKLIST DNS request for known malware domain fucktosky.com labs.snort.org/docs/17881.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|06|procca|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17882 BLACKLIST DNS request for known malware domain procca.com labs.snort.org/docs/17882.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0D|autouploaders|03|net"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17883 BLACKLIST DNS request for known malware domain autouploaders.net labs.snort.org/docs/17883.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0B|gimmemyporn|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17884 BLACKLIST DNS request for known malware domain gimmemyporn.com labs.snort.org/docs/17884.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|08|waytoall|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17885 BLACKLIST DNS request for known malware domain waytoall.com labs.snort.org/docs/17885.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|09|spamature|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17886 BLACKLIST DNS request for known malware domain www.spamature.com labs.snort.org/docs/17886.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|info|15|collectionerrorreport|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17887 BLACKLIST DNS request for known malware domain info.collectionerrorreport.com labs.snort.org/docs/17887.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|02|bn|03|xp1|03|ru4|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17888 BLACKLIST DNS request for known malware domain bn.xp1.ru4.com labs.snort.org/docs/17888.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|07|ajie520|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17889 BLACKLIST DNS request for known malware domain www.ajie520.com labs.snort.org/docs/17889.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0A|114search1|06|118114|02|cn"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17890 BLACKLIST DNS request for known malware domain 114search1.118114.cn labs.snort.org/docs/17890.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|08|bestkind|02|ru"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17891 BLACKLIST DNS request for known malware domain bestkind.ru labs.snort.org/docs/17891.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0B|clickpotato|02|tv"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17892 BLACKLIST DNS request for known malware domain clickpotato.tv labs.snort.org/docs/17892.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|07|zxc0001|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17893 BLACKLIST DNS request for known malware domain www.zxc0001.com labs.snort.org/docs/17893.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|05|streq|02|cn"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17894 BLACKLIST DNS request for known malware domain streq.cn labs.snort.org/docs/17894.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|pyow|0A|prixi-soft|02|ir"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17895 BLACKLIST DNS request for known malware domain pyow.prixi-soft.ir labs.snort.org/docs/17895.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|113552url|05|cptgt|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17896 BLACKLIST DNS request for known malware domain 113552url.cptgt.com labs.snort.org/docs/17896.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|08|moneytw8|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 17897 BLACKLIST DNS request for known malware domain www.moneytw8.com labs.snort.org/docs/17897.html trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|06|jsshmz|07|gotoip4|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18079 BLACKLIST DNS request for known malware domain jsshmz.gotoip4.com trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|07|netrand|05|house|04|sina|03|com|02|cn"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18080 BLACKLIST DNS request for known malware domain netrand.house.sina.com.cn trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|wenyixuan|04|3322|03|org"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18081 BLACKLIST DNS request for known malware domain wenyixuan.3322.org trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|02|3q|08|sbwanwan|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18082 BLACKLIST DNS request for known malware domain 3q.sbwanwan.com trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|863|06|dclsba|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18083 BLACKLIST DNS request for known malware domain 863.dclsba.com trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|07|drs317a|07|gotoip4|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18084 BLACKLIST DNS request for known malware domain drs317a.gotoip4.com trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|06|jsshmz|07|gotoip4|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18085 BLACKLIST DNS request for known malware domain jsshmz.gotoip4.com trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|02|qq|08|sbwanwan|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18086 BLACKLIST DNS request for known malware domain qq.sbwanwan.com trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0F|tiantianzaixian|07|gotoip1|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18087 BLACKLIST DNS request for known malware domain tiantianzaixian.gotoip1.com trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|wenyixuan|04|3322|03|org"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18088 BLACKLIST DNS request for known malware domain wenyixuan.3322.org trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|07|auto328|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18089 BLACKLIST DNS request for known malware domain www.auto328.com trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|0B|comstelecom|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18090 BLACKLIST DNS request for known malware domain www.comstelecom.com trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|0B|goodfriends|02|or|02|kr"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18091 BLACKLIST DNS request for known malware domain www.goodfriends.or.kr trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|07|hao1345|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18092 BLACKLIST DNS request for known malware domain www.hao1345.com trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|08|opusgame|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18093 BLACKLIST DNS request for known malware domain www.opusgame.com trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|0B|theoffstage|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18094 BLACKLIST DNS request for known malware domain www.theoffstage.com trojan-activity udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|05|wwmei|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18095 BLACKLIST DNS request for known malware domain www.wwmei.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|05|5yvod|03|net"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18103 BLACKLIST DNS request for known malware domain 5yvod.net trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|01|b|03|9s3|04|info"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18104 BLACKLIST DNS request for known malware domain b.9s3.info trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0B|baidutaobao|08|gotoip55|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18105 BLACKLIST DNS request for known malware domain baidutaobao.gotoip55.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|01|e|05|msssm|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18106 BLACKLIST DNS request for known malware domain e.msssm.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|06|jsshmz|07|gotoip4|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18107 BLACKLIST DNS request for known malware domain jsshmz.gotoip4.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|phoroshop|02|es"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18108 BLACKLIST DNS request for known malware domain phoroshop.es trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|04|talk|07|cetizen|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18109 BLACKLIST DNS request for known malware domain talk.cetizen.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|0F|tiantianzaixian|07|gotoip1|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18110 BLACKLIST DNS request for known malware domain tiantianzaixian.gotoip1.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|01|v|04|9y9c|02|co|02|cc"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18111 BLACKLIST DNS request for known malware domain v.9y9c.co.cc trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|wenyixuan|04|3322|03|org"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18112 BLACKLIST DNS request for known malware domain wenyixuan.3322.org. trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|09|wusheng03|04|3322|03|org"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18113 BLACKLIST DNS request for known malware domain wusheng03.3322.org trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|04|5fqq|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18114 BLACKLIST DNS request for known malware domain www.5fqq.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|07|ajs2002|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18115 BLACKLIST DNS request for known malware domain www.ajs2002.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|07|bnbsoft|02|co|02|kr"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18116 BLACKLIST DNS request for known malware domain www.bnbsoft.co.kr trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|09|cineseoul|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18117 BLACKLIST DNS request for known malware domain www.cineseoul.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|07|hao1345|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18118 BLACKLIST DNS request for known malware domain www.hao1345.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|0A|ilbondrama|03|net"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18119 BLACKLIST DNS request for known malware domain www.ilbondrama.net trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|06|iwebdy|03|net"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18120 BLACKLIST DNS request for known malware domain www.iwebdy.net trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|0D|linzhiling123|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18121 BLACKLIST DNS request for known malware domain www.linzhiling123.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|08|opusgame|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18122 BLACKLIST DNS request for known malware domain www.opusgame.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|09|phoroshop|02|es"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18123 BLACKLIST DNS request for known malware domain www.phoroshop.es trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|0A|sijianfeng|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18124 BLACKLIST DNS request for known malware domain www.sijianfeng.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|05|tpydb|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18125 BLACKLIST DNS request for known malware domain www.tpydb.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|05|tpydb|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18126 BLACKLIST DNS request for known malware domain www.tpydb.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|06|univus|02|co|02|kr"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18127 BLACKLIST DNS request for known malware domain www.univus.co.kr trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|0B|uwonderfull|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18128 BLACKLIST DNS request for known malware domain www.uwonderfull.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|05|w22rt|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18129 BLACKLIST DNS request for known malware domain www.w22rt.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|05|wwmei|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18130 BLACKLIST DNS request for known malware domain www.wwmei.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|06|ybtour|02|co|02|kr"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18131 BLACKLIST DNS request for known malware domain www.ybtour.co.kr trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|05|001zs|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18133 BLACKLIST DNS request for known malware domain www.001zs.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|05|551sf|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18134 BLACKLIST DNS request for known malware domain www.551sf.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|05|555hd|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18135 BLACKLIST DNS request for known malware domain www.555hd.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|06|66xihu|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18136 BLACKLIST DNS request for known malware domain www.66xihu.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|06|9292cs|02|cn"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18137 BLACKLIST DNS request for known malware domain www.9292cs.cn trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|0D|chateaulegend|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18138 BLACKLIST DNS request for known malware domain www.chateaulegend.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|0B|china-aoben|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18139 BLACKLIST DNS request for known malware domain www.china-aoben.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|05|cqtjg|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18140 BLACKLIST DNS request for known malware domain www.cqtjg.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|08|dspenter|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18141 BLACKLIST DNS request for known malware domain www.dspenter.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|09|eastadmin|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18142 BLACKLIST DNS request for known malware domain www.eastadmin.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|06|fp0755|02|cn"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18143 BLACKLIST DNS request for known malware domain www.fp0755.cn trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|06|fp0769|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18144 BLACKLIST DNS request for known malware domain www.fp0769.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|05|fp360|03|net"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18145 BLACKLIST DNS request for known malware domain www.fp360.net trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|07|gdfp365|02|cn"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18146 BLACKLIST DNS request for known malware domain www.gdfp365.cn trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|03|gev|02|cn"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18147 BLACKLIST DNS request for known malware domain www.gev.cn trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|08|haoleyou|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18148 BLACKLIST DNS request for known malware domain www.haoleyou.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|07|haosf08|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18149 BLACKLIST DNS request for known malware domain www.haosf08.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|07|jxbaike|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18150 BLACKLIST DNS request for known malware domain www.jxbaike.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|10|kingsoftduba2009|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18151 BLACKLIST DNS request for known malware domain www.kingsoftduba2009.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|06|mainhu|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18152 BLACKLIST DNS request for known malware domain www.mainhu.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|08|maoyiren|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18153 BLACKLIST DNS request for known malware domain www.maoyiren.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|04|nc57|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18154 BLACKLIST DNS request for known malware domain www.nc57.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|05|pplog|02|cn"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18155 BLACKLIST DNS request for known malware domain www.pplog.cn trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|05|pxflm|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18156 BLACKLIST DNS request for known malware domain www.pxflm.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|08|quyou365|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18157 BLACKLIST DNS request for known malware domain www.quyou365.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|0A|shzhaotian|02|cn"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18158 BLACKLIST DNS request for known malware domain www.shzhaotian.cn trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|07|soanala|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18159 BLACKLIST DNS request for known malware domain www.soanala.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|0B|stony-skunk|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18160 BLACKLIST DNS request for known malware domain www.stony-skunk.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|08|street08|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18161 BLACKLIST DNS request for known malware domain www.street08.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|09|weilingcy|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18162 BLACKLIST DNS request for known malware domain www.weilingcy.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|05|yisaa|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18163 BLACKLIST DNS request for known malware domain www.yisaa.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|05|yx240|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18164 BLACKLIST DNS request for known malware domain www.yx240.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|01|e|04|mssm|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18165 BLACKLIST DNS request for known malware domain e.mssm.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|05|dfgdd|04|9y6c|02|co|02|cc"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18166 BLACKLIST DNS request for known malware domain dfgdd.9y6c.co.cc trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|07|mailzou|03|com"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18183 BLACKLIST DNS request for known malware domain mailzou.com trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|dnf|08|gametime|02|co|02|kr"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18184 BLACKLIST DNS request for known malware domain dnf.gametime.co.kr trojan-activity 2010-3962 udp $HOME_NET any -> any 53 flow:to_server; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; content:"|03|www|06|dd0415|03|net"; metadata:impact_flag red, service dns; classtype:trojan-activity; 18185 BLACKLIST DNS request for known malware domain www.dd0415.net attempted-recon udp $EXTERNAL_NET any -> $HOME_NET 53 flow:to_server; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:service dns; classtype:attempted-recon; 256 DNS named authors attempt 10728 attempted-recon tcp $EXTERNAL_NET any -> $HOME_NET 53 flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:service dns; classtype:attempted-recon; 257 DNS named version attempt 10028 788 attempted-admin 1999-0833 tcp $EXTERNAL_NET any -> $HOME_NET 53 flow:to_server,established; content:"../../../"; fast_pattern:only; metadata:service dns; classtype:attempted-admin; 258 DNS EXPLOIT named 8.2->8.2.1 788 attempted-admin 1999-0833 tcp $EXTERNAL_NET any -> $HOME_NET 53 flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; fast_pattern:only; metadata:service dns; classtype:attempted-admin; 259 DNS EXPLOIT named overflow ADM 788 attempted-admin 1999-0833 tcp $EXTERNAL_NET any -> $HOME_NET 53 flow:to_server,established; content:"ADMROCKS"; metadata:service dns; classtype:attempted-admin; 260 DNS EXPLOIT named overflow ADMROCKS www.cert.org/advisories/CA-1999-14.html attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 53 flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; fast_pattern:only; metadata:service dns; classtype:attempted-admin; 261 DNS EXPLOIT named overflow attempt www.cert.org/advisories/CA-1998-05.html attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 53 flow:to_server,established; content:"1|C0 B0|?1|DB B3 FF|1|C9 CD 80|1|C0|"; fast_pattern:only; metadata:service dns; classtype:attempted-admin; 262 DNS EXPLOIT x86 Linux overflow attempt attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 53 flow:to_server,established; content:"1|C0 B0 02 CD 80 85 C0|uL|EB|L^|B0|"; metadata:service dns; classtype:attempted-admin; 264 DNS EXPLOIT x86 Linux overflow attempt attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 53 flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2 AC|<|FE|"; fast_pattern:only; metadata:service dns; classtype:attempted-admin; 265 DNS EXPLOIT x86 Linux overflow attempt ADMv2 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 53 flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|05|"; metadata:service dns; classtype:attempted-admin; 266 DNS EXPLOIT x86 FreeBSD overflow attempt attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 53 flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; fast_pattern:only; metadata:service dns; classtype:attempted-admin; 267 DNS EXPLOIT sparc overflow attempt 2302 attempted-admin 2001-0010 tcp $EXTERNAL_NET any -> $HOME_NET 53 flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01| |02|a"; metadata:service dns; classtype:attempted-admin; 303 DNS EXPLOIT named tsig overflow attempt 10605 2302 attempted-admin 2001-0010 udp $EXTERNAL_NET any -> $HOME_NET 53 flow:to_server; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; fast_pattern:only; metadata:service dns; classtype:attempted-admin; 314 DNS EXPLOIT named tsig overflow attempt 134 attempted-admin 1999-0009 udp $EXTERNAL_NET any -> $HOME_NET 53 flow:to_server; isdataat:400; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:service dns; classtype:attempted-admin; 3154 DNS UDP inverse query overflow successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; content:"Open Beyond Keylogger"; fast_pattern:only; metadata:policy security-ips drop; classtype:successful-recon-limited; 10089 SPYWARE-PUT Keylogger beyond Keylogger runtime detection - log sent by ftp www.ca.com/us/securityadvisor/pest/pest.aspx?id=453097340 22079 denial-of-service 2007-0247 tcp $EXTERNAL_NET any -> $HOME_NET 3128 flow:established,to_server; content:"GET"; depth:3; nocase; content:"FTP|3A|//"; nocase; pcre:"/ftp\x3A\x2F\x2F[\w\x2E\x2F]+[^\x2F]\x3Btype=D/i"; metadata:policy security-ips drop; classtype:denial-of-service; 10135 DOS Squid proxy FTP denial of service attempt trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 32418 flow:to_server,established; content:"FTP-ON"; depth:6; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 10444 BACKDOOR acidbattery 1.0 runtime detection - open ftp serice www3.ca.com/securityadvisor/pest/pest.aspx?id=109 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"Theef2"; content:"FTP"; distance:0; content:"Server"; distance:0; pcre:"/Theef2\s+FTP\s+Server\x3A/"; flowbits:set,Theef210_TheefFTP; flowbits:noalert; classtype:trojan-activity; 12237 BACKDOOR theef 2.10 runtime detection - ftp attempted-admin 2008-2161 udp $EXTERNAL_NET any -> $HOME_NET 69 flow:to_server; content:"|00 05|"; depth:2; isdataat:485; metadata:policy balanced-ips drop, policy security-ips drop, service tftp; classtype:attempted-admin; 13927 TFTP Server log generation buffer overflow attempt 31814 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"39FDA070-61BA-11D2-AD84-00105A17B608"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*39FDA070-61BA-11D2-AD84-00105A17B608\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(SecretKey)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*39FDA070-61BA-11D2-AD84-00105A17B608\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(SecretKey))\s*=/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14778 WEB-ACTIVEX Dart Communications PowerTCP FTP ActiveX clsid access 31814 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|9|00|F|00|D|00|A|00|0|00|7|00|0|00|-|00|6|00|1|00|B|00|A|00|-|00|1|00|1|00|D|00|2|00|-|00|A|00|D|00|8|00|4|00|-|00|0|00|0|00|1|00|0|00|5|00|A|00|1|00|7|00|B|00|6|00|0|00|8|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x009\x00F\x00D\x00A\x000\x007\x000\x00-\x006\x001\x00B\x00A\x00-\x001\x001\x00D\x002\x00-\x00A\x00D\x008\x004\x00-\x000\x000\x001\x000\x005\x00A\x001\x007\x00B\x006\x000\x008\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14779 WEB-ACTIVEX Dart Communications PowerTCP FTP ActiveX clsid unicode access 31814 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Dart.Ftp"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22Dart\.Ftp\x22|\x27Dart\.Ftp\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SecretKey\s*|.*(?P=v)\s*\.\s*SecretKey\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Dart\.Ftp\x22|\x27Dart\.Ftp\x27)\s*\)(\s*\.\s*SecretKey\s*|.*(?P=n)\s*\.\s*SecretKey)\s*=/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14780 WEB-ACTIVEX Dart Communications PowerTCP FTP ActiveX function call access 31814 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|a|00|r|00|t|00|.|00|F|00|t|00|p|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)D\x00a\x00r\x00t\x00.\x00F\x00t\x00p\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)D\x00a\x00r\x00t\x00.\x00F\x00t\x00p\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14781 WEB-ACTIVEX Dart Communications PowerTCP FTP ActiveX function call unicode access 32814 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(RemoteAddress|ProxyPrefix|ProxyName|Password|ProxyBypassList|LoginName|CurrentDirectory)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(RemoteAddress|ProxyPrefix|ProxyName|Password|ProxyBypassList|LoginName|CurrentDirectory))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15159 WEB-ACTIVEX Evans FTP ActiveX clsid access 32814 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|E|00|8|00|6|00|4|00|D|00|3|00|E|00|-|00|3|00|E|00|6|00|A|00|-|00|4|00|8|00|F|00|0|00|-|00|8|00|8|00|A|00|F|00|-|00|C|00|E|00|A|00|E|00|E|00|3|00|2|00|2|00|F|00|9|00|F|00|D|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*7\x00E\x008\x006\x004\x00D\x003\x00E\x00-\x003\x00E\x006\x00A\x00-\x004\x008\x00F\x000\x00-\x008\x008\x00A\x00F\x00-\x00C\x00E\x00A\x00E\x00E\x003\x002\x002\x00F\x009\x00F\x00D\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15160 WEB-ACTIVEX Evans FTP ActiveX clsid unicode access 32814 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"EvansFTP.eFtpEz"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22EvansFTP\.eFtpEz(\.\d)?\x22|\x27EvansFTP\.eFtpEz(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(RemoteAddress|ProxyPrefix|ProxyName|Password|ProxyBypassList|LoginName|CurrentDirectory)\s*|.*(?P=v)\s*\.\s*(RemoteAddress|ProxyPrefix|ProxyName|Password|ProxyBypassList|LoginName|CurrentDirectory)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EvansFTP\.eFtpEz(\.\d)?\x22|\x27EvansFTP\.eFtpEz(\.\d)?\x27)\s*\)(\s*\.\s*(RemoteAddress|ProxyPrefix|ProxyName|Password|ProxyBypassList|LoginName|CurrentDirectory)\s*|.*(?P=n)\s*\.\s*(RemoteAddress|ProxyPrefix|ProxyName|Password|ProxyBypassList|LoginName|CurrentDirectory)\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15161 WEB-ACTIVEX Evans FTP ActiveX function call access 32814 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|v|00|a|00|n|00|s|00|F|00|T|00|P|00|.|00|e|00|F|00|t|00|p|00|E|00|z|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)E\x00v\x00a\x00n\x00s\x00F\x00T\x00P\x00.\x00e\x00F\x00t\x00p\x00E\x00z\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)E\x00v\x00a\x00n\x00s\x00F\x00T\x00P\x00.\x00e\x00F\x00t\x00p\x00E\x00z\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15162 WEB-ACTIVEX Evans FTP ActiveX function call unicode access 33842 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*62A989CE-D39A-11D5-86F0-B9C370762176\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DeleteFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*62A989CE-D39A-11D5-86F0-B9C370762176\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DeleteFile))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15368 WEB-ACTIVEX FathFTP ActiveX clsid access 33842 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|2|00|A|00|9|00|8|00|9|00|C|00|E|00|-|00|D|00|3|00|9|00|A|00|-|00|1|00|1|00|D|00|5|00|-|00|8|00|6|00|F|00|0|00|-|00|B|00|9|00|C|00|3|00|7|00|0|00|7|00|6|00|2|00|1|00|7|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x002\x00A\x009\x008\x009\x00C\x00E\x00-\x00D\x003\x009\x00A\x00-\x001\x001\x00D\x005\x00-\x008\x006\x00F\x000\x00-\x00B\x009\x00C\x003\x007\x000\x007\x006\x002\x001\x007\x006\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15369 WEB-ACTIVEX FathFTP ActiveX clsid unicode access 33842 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FathFTP.FathFTPCtrl"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22FathFTP\.FathFTPCtrl(\.\d)?\x22|\x27FathFTP\.FathFTPCtrl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*DeleteFile\s*|.*(?P=v)\s*\.\s*DeleteFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22FathFTP\.FathFTPCtrl(\.\d)?\x22|\x27FathFTP\.FathFTPCtrl(\.\d)?\x27)\s*\)(\s*\.\s*DeleteFile\s*|.*(?P=n)\s*\.\s*DeleteFile\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15370 WEB-ACTIVEX FathFTP ActiveX function call access 33842 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|a|00|t|00|h|00|F|00|T|00|P|00|.|00|F|00|a|00|t|00|h|00|F|00|T|00|P|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)F\x00a\x00t\x00h\x00F\x00T\x00P\x00.\x00F\x00a\x00t\x00h\x00F\x00T\x00P\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)F\x00a\x00t\x00h\x00F\x00T\x00P\x00.\x00F\x00a\x00t\x00h\x00F\x00T\x00P\x00C\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15371 WEB-ACTIVEX FathFTP ActiveX function call unicode access attempted-dos 2009-2521 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"ST -R"; nocase; content:"*/.."; within:20; distance:1; metadata:policy security-ips alert, service ftp; classtype:attempted-dos; 15932 FTP LIST globbing denial of service attack www.microsoft.com/technet/security/bulletin/MS09-053.mspx 10454 attempted-admin 2004-0536 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"STOR asd%nmv|0D 0A|"; fast_pattern:only; metadata:policy security-ips drop, service ftp; classtype:attempted-admin; 16077 SPECIFIC-THREATS Tripwire format string vulnerability ftp exploit attempt web-application-attack 2009-4444 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:established,to_server; content:"STOR"; depth:4; nocase; content:".asp|3B|."; distance:0; nocase; pcre:"/^STOR[^\n]+\.asp\x3B\./smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:web-application-attack; 16357 FTP multiple extension code execution attempt misc-attack tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"PORT"; isdataat:50,relative; content:!"|0A|"; within:50; metadata:policy security-ips drop, service ftp; classtype:misc-attack; 17059 FTP Vermillion 1.31 vftpd port command memory corruption www.global-evolution.info/news/files/vftpd/vftpd.txt misc-activity 2004-1376 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server; content:"RETR|20 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 74 65 73 74 2F 70 6F 63 2E 61 61 61|"; metadata:policy security-ips drop, service ftp; classtype:misc-activity; 17446 SPECIFIC-THREATS Microsoft Internet Explorer FTP client directory traversal attempt 31879 attempted-user 2008-4726 tcp $EXTERNAL_NET any -> $HOME_NET 22 flow:to_server,established; content:"|C4 90 89 C8 19 AD BD 70 41 AB EF 40 55 31 B3 B8|"; offset:128; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17521 SPECIFIC-THREATS GoodTech SSH Server SFTP Processing Buffer Overflow 5328 attempted-admin 2009-2957 udp any any -> any 69 flow:to_server; content:"|00 01|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; metadata:policy balanced-ips drop, policy security-ips drop, service tftp; classtype:attempted-admin; 1941 TFTP GET filename overflow attempt 18264 9675 misc-attack 2009-0351 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"LIST"; nocase; isdataat:120,relative; pcre:"/^LIST(?!\n)\s[^\n]{120}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp; classtype:misc-attack; 2338 FTP LIST buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS99-003.mspx 7909 attempted-admin 2009-3023 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"NLST"; nocase; isdataat:200,relative; pcre:"/^NLST(?!\n)\s[^\n]{200}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp; classtype:attempted-admin; 2374 FTP NLST overflow attempt www.microsoft.com/technet/security/bulletin/MS09-053 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 21 flow:to_server,established; content:"STOR spyagent-log"; fast_pattern:only; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:successful-recon-limited; 5881 SPYWARE-PUT Keylogger spyagent runtime detect - ftp delivery www.spywareguide.com/product_show.php?id=22 trojan-activity tcp $HOME_NET 21 -> $EXTERNAL_NET any flow:from_server,established; content:"220 HellzAddiction FTP server."; depth:30; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6142 BACKDOOR hellzaddiction v1.0e runtime detection - ftp open www3.ca.com/securityadvisor/pest/pest.aspx?id=453076338 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 21 flow:to_server,established; content:"_WinSession Logger.clk"; fast_pattern:only; metadata:policy security-ips alert; classtype:successful-recon-limited; 6208 SPYWARE-PUT Keylogger winsession runtime detection - ftp www3.ca.com/securityadvisor/pest/pest.aspx?id=453097713 trojan-activity tcp $HOME_NET 21 -> $EXTERNAL_NET any flow:from_server,established; content:"We"; nocase; content:"got"; distance:0; nocase; content:"this"; distance:0; nocase; content:"GREAT"; distance:0; nocase; content:"Daemon"; distance:0; nocase; content:"Fictional"; nocase; content:"Daemon"; distance:0; nocase; pcre:"/We\s+got\s+this\s+GREAT\s+Daemon.*Fictional\s+Daemon/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6288 BACKDOOR fictional daemon 4.4 runtime detection - ftp www3.ca.com/securityadvisor/pest/pest.aspx?id=453074164 trojan-activity tcp $HOME_NET 23456 -> $EXTERNAL_NET any flow:from_server,established; content:"Welcome"; nocase; content:"To"; distance:0; nocase; content:"EvilFTP"; distance:0; nocase; pcre:"/^\d+\x2d\s+Welcome\s+To\s+EvilFTP\s+\x3a\x29\r\n/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6319 BACKDOOR evilftp runtime detection - init connection www3.ca.com/securityadvisor/pest/pest.aspx?id=1929 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 21 flow:to_server,established; content:"STOR"; fast_pattern:only; pcre:"/^STOR\s+\x2E\x2F(kys|scr|Apps|Urls)[0-9]+\x2Etxt/smi"; metadata:policy security-ips alert; classtype:successful-recon-limited; 7185 SPYWARE-PUT Keylogger 007 spy software runtime detection - ftp www3.ca.com/securityadvisor/pest/pest.aspx?id=453082794 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 20 flow:from_server,established; content:"<title>"; nocase; content:"Actual"; distance:0; nocase; content:"Spy"; distance:0; nocase; content:"software"; distance:0; nocase; content:"report"; distance:0; nocase; content:"</title>"; distance:0; nocase; pcre:"/\<title\>Actual\s+Spy\s+software\s+report\<|2F|title\>/smi"; metadata:policy security-ips alert; classtype:successful-recon-limited; 7504 SPYWARE-PUT Keylogger actualspy runtime detection - ftp-data www3.ca.com/securityadvisor/pest/pest.aspx?id=453086496 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/wwp/msg/1,,,00.html"; http_uri; content:"uin="; nocase; http_uri; content:"name="; nocase; http_uri; content:"Anal FTP"; http_uri; content:"send=yes"; nocase; http_uri; metadata:policy security-ips drop; classtype:trojan-activity; 7762 BACKDOOR analftp 0.1 runtime detection - icq notification www3.ca.com/securityadvisor/pest/pest.aspx?id=59411 attempted-user 2007-0218 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"79EAC9E3-BAF9-11CE-8C82-00AA004BA90B"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q3>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*79EAC9E3-BAF9-11CE-8C82-00AA004BA90B\s*}?\s*(?P=q3)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 7934 WEB-ACTIVEX ftp Asychronous Pluggable Protocol Handler ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS07-033.mspx attempted-user 2007-0218 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|9|00|E|00|A|00|C|00|9|00|E|00|3|00|-|00|B|00|A|00|F|00|9|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|00|8|00|2|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|4|00|B|00|A|00|9|00|0|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q4>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q4)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 7935 WEB-ACTIVEX ftp Asychronous Pluggable Protocol Handler ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS07-033.mspx trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 9996 flow:established,to_server; content:"cho off"; depth:7; nocase; content:"cmd.ftp"; distance:0; nocase; content:"_up.exe"; distance:0; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 9341 SPECIFIC-THREATS sasser open ftp command shell www.sophos.com/virusinfo/analyses/w32sassera.html trojan-activity udp $HOME_NET any -> $EXTERNAL_NET 1024: flow:to_server; content:"C|BB 0E|Gy3a38DM4|EC|5e|C2 0A 86 0B|Yde|02 EE|s|EB 18 0A B9|S9Cb|05|Zk|ED|F|29|cf|0D|dl|08|5u@|EB E7|8sm-95|23 AC|p+%|1D|3f|F1|s|FF 03|-|09 CD 00|q -i %s <|02 03 F2|get nSVC|80 C0 CA 96|/|29 D6|b|80 C0| |9E CF 24 BE|-|EB D6|w&k |A9|8Shar|F0 D6 80 DD|+g|00|l|00 EC|DTCo|24 D0|L|07|B|FA 13|j|EF|"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:trojan-activity; 9402 SPECIFIC-THREATS welchia tftp propagation detection www.symantec.com/security_response/writeup.jsp?docid=2003-081815-2308-99&tabid=2 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 20 flow:to_client,established; content:"version"; nocase; content:"key"; distance:0; nocase; pcre:"/^version\s+\d+\x2E\d+\s+key\x3a/smi"; metadata:policy security-ips drop; classtype:successful-recon-limited; 9828 SPYWARE-PUT Keylogger paq keylog runtime detection - ftp www3.ca.com/securityadvisor/pest/pest.aspx?id=453098520 242 Server / Misc / FTP 20076 attempted-admin 2006-5000 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"XMD5"; nocase; isdataat:200,relative; pcre:"/^XMD5(?!\n)\s[^\n]{200}/smi"; metadata:service ftp; classtype:attempted-admin; 10188 FTP Wsftp XMD5 overflow attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"tftp.exe"; nocase; metadata:service http; classtype:web-application-activity; 1068 WEB-MISC tftp attempt 1471 web-application-activity 2000-0674 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ftp.pl"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1107 WEB-MISC ftp.pl access 10467 547 attempted-recon 1999-1078 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ws_ftp.ini"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1166 WEB-MISC ws_ftp.ini access denial-of-service 2007-3823 udp $EXTERNAL_NET any -> $HOME_NET 5151 flow:to_server; content:"|AB AA|"; byte_test:2,>,2123,0,relative,little; classtype:denial-of-service; 12076 DOS Ipswitch WS_FTP log server long unicode string secunia.com/advisories/26040 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; flowbits:isset,Theef210_TheefFTP; content:"Theef2.10_"; classtype:trojan-activity; 12238 BACKDOOR theef 2.10 runtime detection - ftp www.symantec.com/security_response/writeup.jsp?docid=2002-071209-4425-99 9237 bad-unknown tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; metadata:service ftp; classtype:bad-unknown; 1229 FTP CWD ... 2808 attempted-recon 2001-0432 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/FtpSave.dll"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1230 WEB-MISC VirusWall FtpSave access 10733 2808 attempted-recon 2001-0432 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/FtpSaveCSP.dll"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1234 WEB-MISC VirusWall FtpSaveCSP access 10733 2808 attempted-recon 2001-0432 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/FtpSaveCVP.dll"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1235 WEB-MISC VirusWall FtpSaveCVP access 10733 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 20 flow:from_server,established; content:"version 4.0 key|3A 0D 0A|~~~~~~~~~~~~~~~~~~~~~~~~~~"; classtype:successful-recon-limited; 12379 SPYWARE-PUT Keylogger PaqKeylogger 5.1 runtime detection - ftp www.spywareguide.com/product_show.php?id=2709 successful-admin udp any any -> any 69 flow:to_server; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; metadata:service tftp; classtype:successful-admin; 1289 TFTP GET Admin.dll www.cert.org/advisories/CA-2001-26.html 3707 misc-attack 2001-0886 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"~"; content:"["; distance:0; metadata:service ftp; classtype:misc-attack; 1377 FTP wu-ftp bad file completion attempt [ 10821 8542 attempted-admin 2003-0772 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"STAT"; nocase; isdataat:190,relative; pcre:"/^STAT(?!\n)\s[^\n]{190}/smi"; classtype:attempted-admin; 1379 FTP STAT overflow attempt labs.defcom.com/adv/2001/def-2001-31.txt attempted-user 2008-2541 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_client,established; content:"227"; depth:3; pcre:"/\x28((\d{4,}|[3-9]\d\d|2[6-9]\d|25[7-9]),\d+,\d+,\d+|\d+,(\d{4,}|[3-9]\d\d|2[6-9]\d|25[7-9]),\d+,\d+|\d+,\d+,(\d{4,}|[3-9]\d\d|2[6-9]\d|25[7-9]),\d+|\d+,\d+,\d+(\d{4,}|[3-9]\d\d|2[6-9]\d|25[7-9])),\d+,\d+\x29/"; classtype:attempted-user; 13925 FTP Computer Associates eTrust Secure Content Manager PASV stack overflow attempt suspicious-login tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; metadata:service ftp; classtype:suspicious-login; 144 FTP ADMw0rm ftp login attempt successful-admin udp any any -> any 69 flow:to_server; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; metadata:service tftp; classtype:successful-admin; 1441 TFTP GET nc.exe successful-admin udp any any -> any 69 flow:to_server; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; metadata:service tftp; classtype:successful-admin; 1442 TFTP GET shadow successful-admin udp any any -> any 69 flow:to_server; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; metadata:service tftp; classtype:successful-admin; 1443 TFTP GET passwd bad-unknown udp $EXTERNAL_NET any -> $HOME_NET 69 flow:to_server; content:"|00 01|"; depth:2; metadata:service tftp; classtype:bad-unknown; 1444 TFTP Get 31563 suspicious-filename-detect 2008-4501 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"RNTO"; depth:4; nocase; pcre:"/^rnto\s[^\s\x0d\x0a]*\x2e\x2e(\x2f|\x5c)/i"; classtype:suspicious-filename-detect; 14743 FTP RNTO directory traversal attempt attempted-admin 2001-0770 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; pcre:"/^SITE(?!\n)\s[^\n]{100}/smi"; metadata:service ftp; classtype:attempted-admin; 1529 FTP SITE overflow attempt 2120 attempted-admin 2001-0065 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"SITE"; nocase; content:"CHOWN"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHOWN\s[^\n]{100}/smi"; metadata:service ftp; classtype:attempted-admin; 1562 FTP SITE CHOWN overflow attempt 10579 misc-activity tcp $EXTERNAL_NET any -> $HOME_NET 666 flow:to_server,established; content:"FTPON"; classtype:misc-activity; 157 BACKDOOR BackConstruction 2.1 Client FTP Open Request misc-activity tcp $HOME_NET 666 -> $EXTERNAL_NET any flow:from_server,established; content:"FTP Port open"; classtype:misc-activity; 158 BACKDOOR BackConstruction 2.1 Server FTP Open Reply 1471 web-application-attack 2000-0674 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ftp.pl?dir=../.."; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1612 WEB-MISC ftp.pl attempt 10467 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"CMD"; nocase; isdataat:200,relative; pcre:"/^CMD(?!\n)\s[^\n]{200}/smi"; metadata:service ftp; classtype:attempted-admin; 1621 FTP CMD overflow attempt misc-attack 1999-0081 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"RNFR "; fast_pattern:only; content:" ././"; nocase; metadata:service ftp; classtype:misc-attack; 1622 FTP RNFR ././ attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"MODE"; fast_pattern:only; pcre:"/^MODE\s+[^ABSC]{1}/msi"; metadata:service ftp; classtype:protocol-command-decode; 1623 FTP invalid MODE www.faqs.org/rfcs/rfc959.html protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"PWD"; nocase; isdataat:190,relative; pcre:"/^PWD\s.{190}/smi"; metadata:service ftp; classtype:protocol-command-decode; 1624 FTP PWD overflow attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"SYST"; nocase; isdataat:100,relative; pcre:"/^SYST(?!\n)\s[^\n]{100}/smi"; metadata:service ftp; classtype:protocol-command-decode; 1625 FTP SYST overflow attempt www.faqs.org/rfcs/rfc959.html attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/~ftp"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1662 WEB-MISC /~ftp access attempted-dos tcp any any -> any 21 flow:established,to_server; content:"USER"; nocase; pcre:"/USER\s{0,2}\x00/ims"; classtype:attempted-dos; 16697 FTP httpdx USER null byte denial of service www.exploit-db.com/exploits/11734 attempted-dos tcp any any -> any 21 flow:established,to_server; content:"PASS"; nocase; pcre:"/PASS\s{0,2}\x00/ims"; classtype:attempted-dos; 16698 FTP httpdx PASS null byte denial of service www.exploit-db.com/exploits/11734 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/home/ftp"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1670 WEB-MISC /home/ftp access 11032 9215 denial-of-service 2001-0421 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"CWD"; fast_pattern:only; pcre:"/^CWD\s+~/smi"; metadata:service ftp; classtype:denial-of-service; 1672 FTP CWD ~ attempt 39183 attempted-dos tcp $EXTERNAL_NET 21 -> $HOME_NET any flow:to_client,established; content:"|22 22|"; pcre:"/^2\d{2}[^\n]*?\x22{2}/"; metadata:service ftp; classtype:attempted-dos; 16795 DOS Google Chrome FTP handling out-of-bounds array index denial of service attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 21 flow:to_server,established; content:"seclog"; fast_pattern:only; nocase; pcre:"/seclog_[a-z]{5}\d{4}_\d{10}\x2Ekcb/smi"; classtype:trojan-activity; 16806 BACKDOOR Backdoor.Win32.Qakbot.E - FTP upload seclog www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 21 flow:to_server,established; content:"ps_dump"; fast_pattern:only; pcre:"/ps_dump_[^_]+_[a-z]{5}\d{4}\x2Ekcb/smi"; classtype:trojan-activity; 16807 BACKDOOR Backdoor.Win32.Qakbot.E - FTP Upload ps_dump www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f 15998 attempted-admin 2005-4459 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:established,to_server; content:"EPRT "; nocase; isdataat:128,relative; pcre:"/^EPRT\x20[^\n]{128}/smi"; classtype:attempted-admin; 17329 FTP EPRT overflow attempt 8376 attempted-admin 2005-3683 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"USER"; nocase; isdataat:100,relative; pcre:"/^USER(?!\n)\s[^\n]{100}/smi"; classtype:attempted-admin; 1734 FTP USER overflow attempt 22489 web-application-attack 2007-0217 tcp $EXTERNAL_NET 21 -> $HOME_NET any flow:from_server,established; isdataat:1023; pcre:"/\d{3}\s+[^\n]{1019}/smi"; classtype:web-application-attack; 17367 FTP Microsoft Internet Explorer FTP Response Parsing Memory Corruption 30685 attempted-user 2008-4321 tcp $EXTERNAL_NET 21 -> $HOME_NET any flow:to_client,established; content:"257|20|"; pcre:"/^257\x20\S{257,}\x20/mi"; classtype:attempted-user; 17518 FTP FlashGet PWD command stack buffer overflow attempt policy-violation 2006-5584 udp any any -> $HOME_NET 69 flow:to_server; content:"|00 02|"; depth:2; content:"setup.exe|00|"; distance:0; nocase; metadata:service tftp; classtype:policy-violation; 17712 SPECIFIC-THREATS TFTP PUT Microsoft RIS filename overwrite attempt www.microsoft.com/technet/security/bulletin/ms06-077.mspx 4482 attempted-dos 2002-0073 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"STAT"; fast_pattern:only; pcre:"/^STAT\s+[^\n]*\x2a/smi"; metadata:service ftp; classtype:attempted-dos; 1777 FTP EXPLOIT STAT * dos attempt 10934 www.microsoft.com/technet/security/bulletin/MS02-018.mspx 4482 attempted-dos 2002-0073 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"STAT"; fast_pattern:only; pcre:"/^STAT\s+[^\n]*\x3f/smi"; metadata:service ftp; classtype:attempted-dos; 1778 FTP EXPLOIT STAT ? dos attempt 10934 www.microsoft.com/technet/security/bulletin/MS02-018.mspx trojan-activity tcp $HOME_NET any -> 212.26.42.47 9090 flow:to_server, established; content:"GET /AB HTTP/1.0"; classtype:trojan-activity; 18181 SPECIFIC-THREATS ProFTPd 1.3.3c backdoor activity xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/ trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"HELP ACIDBITCHES"; classtype:trojan-activity; 18182 SPECIFIC-THREATS ProFTPd 1.3.3c backdoor help access attempt xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/ attempted-dos 1999-0880 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:1; nocase; pcre:"/^SITE\s+NEWER/smi"; metadata:service ftp; classtype:attempted-dos; 1864 FTP SITE NEWER attempt 10319 5427 misc-attack 2002-0826 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:established,to_server; content:"SITE"; nocase; content:"CPWD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CPWD\s[^\n]{100}/smi"; metadata:service ftp; classtype:misc-attack; 1888 FTP SITE CPWD overflow attempt 7950 attempted-admin 2002-0405 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"CWD"; nocase; isdataat:180,relative; pcre:"/^CWD(?!\n)\s[^\n]{180}/smi"; metadata:service ftp; classtype:attempted-admin; 1919 FTP CWD overflow attempt 229 attempted-admin 1999-0800 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+NEWER\s[^\n]{100}/smi"; classtype:attempted-admin; 1920 FTP SITE NEWER overflow attempt attempted-admin 2000-0040 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"SITE"; nocase; content:"ZIPCHK"; distance:1; nocase; isdataat:100,relative; pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/smi"; metadata:service ftp; classtype:attempted-admin; 1921 FTP SITE ZIPCHK overflow attempt suspicious-filename-detect tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"authorized_keys"; metadata:service ftp; classtype:suspicious-filename-detect; 1927 FTP authorized_keys suspicious-filename-detect tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"RETR"; nocase; content:"shadow"; metadata:service ftp; classtype:suspicious-filename-detect; 1928 FTP shadow retrieval attempt 819 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"RMDIR"; nocase; isdataat:100,relative; pcre:"/^RMDIR(?!\n)\s[^\n]{100}/smi"; metadata:service ftp; classtype:attempted-admin; 1942 FTP RMDIR overflow attempt 1505 bad-unknown tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"; classtype:bad-unknown; 1971 FTP SITE EXEC format string attempt 9285 attempted-admin 2005-3683 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS(?!\n)\s[^\n]{100}/smi"; classtype:attempted-admin; 1972 FTP PASS overflow attempt 9872 attempted-admin 2010-0625 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"MKD"; nocase; isdataat:150,relative; pcre:"/^MKD(?!\n)\s[^\n]{150}/smi"; metadata:service ftp; classtype:attempted-admin; 1973 FTP MKD overflow attempt 12108 www.microsoft.com/technet/security/bulletin/MS09-053.mspx 2972 attempted-admin 2001-0826 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"REST"; nocase; isdataat:100,relative; pcre:"/^REST(?!\n)\s[^\n]{100}/smi"; classtype:attempted-admin; 1974 FTP REST overflow attempt 11755 39041 attempted-admin 2010-0625 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"RMD"; nocase; isdataat:100,relative; pcre:"/^RMD(?!\n)\s[^\n]{100}/smi"; classtype:attempted-admin; 1976 FTP RMD overflow attempt 2618 protocol-command-decode 2002-1054 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"LIST"; nocase; content:".."; distance:1; content:".."; distance:1; metadata:service ftp; classtype:protocol-command-decode; 1992 FTP LIST directory traversal attempt 11112 7674 protocol-command-decode 2003-0392 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"CWD"; nocase; content:"C|3A 5C|"; distance:1; metadata:service ftp; classtype:protocol-command-decode; 2125 FTP CWD Root directory transversal attempt 11677 9800 misc-attack 2004-0277 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; metadata:service ftp; classtype:misc-attack; 2178 FTP USER format string attempt 11687 9800 misc-attack 2000-0699 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/smi"; metadata:service ftp; classtype:misc-attack; 2179 FTP PASS format string attempt 10490 8875 misc-attack 2003-0854 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"LIST"; fast_pattern:only; pcre:"/^LIST\s+\x22-W\s+\d+/smi"; classtype:misc-attack; 2272 FTP LIST integer overflow attempt 11912 9262 misc-attack tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"MKD"; fast_pattern:only; pcre:"/^MKD\s[^\n]*?%[^\n]*?%/smi"; classtype:misc-attack; 2332 FTP MKD format string attempt 9262 misc-attack tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"RENAME"; fast_pattern:only; pcre:"/^RENAME\s[^\n]*?%[^\n]*?%/smi"; classtype:misc-attack; 2333 FTP RENAME format string attempt 9072 suspicious-login tcp $EXTERNAL_NET any -> $HOME_NET 3535 flow:to_server,established; content:"USER"; nocase; content:"y049575046"; fast_pattern:only; pcre:"/^USER\s+y049575046/smi"; metadata:service ftp; classtype:suspicious-login; 2334 FTP Yak! FTP server default account login attempt 9159 attempted-dos tcp $EXTERNAL_NET any -> $HOME_NET 3535 flow:to_server,established; content:"RMD"; fast_pattern:only; pcre:"/^RMD\s+\x2f$/smi"; metadata:service ftp; classtype:attempted-dos; 2335 FTP RMD / attempt 8505 attempted-admin 2003-0380 udp any any -> any 69 flow:to_server; content:"|00 02|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; metadata:service tftp; classtype:attempted-admin; 2337 TFTP PUT filename overflow attempt 18264 7575 bad-unknown udp $EXTERNAL_NET any -> $HOME_NET 69 flow:to_server; content:"|00 00|"; depth:2; metadata:service tftp; classtype:bad-unknown; 2339 TFTP NULL command attempt 9675 attempted-admin 1999-0838 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"SITE"; nocase; content:"CHMOD"; distance:0; nocase; isdataat:200,relative; pcre:"/^SITE\s+CHMOD\s[^\n]{200}/smi"; classtype:attempted-admin; 2340 FTP SITE CHMOD overflow attempt 12037 8668 attempted-admin 2000-0133 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"STOR"; nocase; isdataat:200,relative; pcre:"/^STOR(?!\n)\s[^\n]{200}/smi"; classtype:attempted-admin; 2343 FTP STOR overflow attempt 8704 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"XCWD"; nocase; isdataat:100,relative; pcre:"/^XCWD(?!\n)\s[^\n]{100}/smi"; classtype:attempted-admin; 2344 FTP XCWD overflow attempt 7909 attempted-admin 2001-1021 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"XMKD"; nocase; isdataat:200,relative; pcre:"/^XMKD(?!\n)\s[^\n]{200}/smi"; classtype:attempted-admin; 2373 FTP XMKD overflow attempt 8315 attempted-admin 2005-3683 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"RNTO"; nocase; isdataat:200,relative; pcre:"/^RNTO(?!\n)\s[^\n]{200}/smi"; classtype:attempted-admin; 2389 FTP RNTO overflow attempt 8315 attempted-admin 2003-0466 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"STOU"; nocase; isdataat:200,relative; pcre:"/^STOU\s[^\n]{200}/smi"; classtype:attempted-admin; 2390 FTP STOU overflow attempt 8542 attempted-admin 2003-0772 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"APPE"; nocase; isdataat:200,relative; pcre:"/^APPE(?!\n)\s[^\n]{200}/smi"; classtype:attempted-admin; 2391 FTP APPE overflow attempt 8315 attempted-admin 2005-3683 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"RETR"; nocase; isdataat:200,relative; pcre:"/^RETR(?!\n)\s[^\n]{200}/smi"; classtype:attempted-admin; 2392 FTP RETR overflow attempt 9751 attempted-admin 2004-0330 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"MDTM"; fast_pattern:only; pcre:"/^MDTM \d+[-+]\D/smi"; classtype:attempted-admin; 2416 FTP invalid MDTM command attempt 9800 string-detect 2005-2123 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"%"; fast_pattern:only; pcre:"/\s+.*?%.*?%/smi"; metadata:service ftp; classtype:string-detect; 2417 FTP format string attempt 9953 attempted-admin 2004-1883 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"ALLO"; nocase; isdataat:200,relative; pcre:"/^ALLO(?!\n)\s[^\n]{200}/smi"; classtype:attempted-admin; 2449 FTP ALLO overflow attempt 14598 9751 attempted-admin 2004-0330 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM(?!\n)\s[^\n]{100}/smi"; classtype:attempted-admin; 2546 FTP MDTM overflow attempt 12080 9800 attempted-admin 2004-1883 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"RETR"; fast_pattern:only; pcre:"/^RETR\s[^\n]*?%[^\n]*?%/smi"; metadata:service ftp; classtype:attempted-admin; 2574 FTP RETR format string attempt 14339 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"RNFR"; nocase; isdataat:200,relative; pcre:"/^RNFR\s[^\n]{200}/smi"; metadata:service ftp; classtype:attempted-admin; 3077 FTP RNFR overflow attempt 572 attempted-user 1999-0671 tcp $EXTERNAL_NET 21 -> $HOME_NET any flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; classtype:attempted-user; 308 EXPLOIT NextFTP client overflow suspicious-filename-detect tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:".forward"; metadata:service ftp; classtype:suspicious-filename-detect; 334 FTP .forward suspicious-filename-detect tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:".rhosts"; metadata:service ftp; classtype:suspicious-filename-detect; 335 FTP .rhosts bad-unknown 1999-0082 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; metadata:service ftp; classtype:bad-unknown; 336 FTP CWD ~root attempt 679 attempted-admin 1999-0789 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"CEL"; nocase; isdataat:100,relative; pcre:"/^CEL(?!\n)\s[^\n]{100}/smi"; classtype:attempted-admin; 337 FTP CEL overflow attempt 10009 126 misc-attack 1999-0017 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; metadata:service ftp; classtype:misc-attack; 3441 FTP PORT bounce attempt 10081 7825 attempted-recon tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"REST"; fast_pattern:only; pcre:"/REST\s+[0-9]+\n/i"; metadata:service ftp; classtype:attempted-recon; 3460 FTP REST with numeric argument 1387 bad-unknown 2000-0573 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"SITE"; nocase; content:"INDEX"; distance:0; nocase; pcre:"/^SITE\s+INDEX\s[^\n]*?%[^\n]*?%/smi"; metadata:service ftp; classtype:bad-unknown; 3523 FTP SITE INDEX format string attempt 8375 attempted-admin 2003-0727 tcp $EXTERNAL_NET any -> $SQL_SERVERS 2100 flow:established,to_server; content:"UNLOCK"; depth:6; pcre:"/^UNLOCK\s+\S+\s+\S{100}/sm"; classtype:attempted-admin; 3526 ORACLE XDB FTP UNLOCK overflow attempt suspicious-login tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"PASS ddd@|0A|"; metadata:service ftp; classtype:suspicious-login; 353 FTP adm scan 8375 attempted-user 2003-0727 tcp $EXTERNAL_NET any -> $HOME_NET 2100 flow:to_server,established; content:"pass"; nocase; isdataat:100,relative; pcre:"/^PASS\s+[^\n]{100}/smi"; metadata:service ftp; classtype:attempted-user; 3532 ORACLE ftp password buffer overflow attempt suspicious-login tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"pass -iss@iss"; metadata:service ftp; classtype:suspicious-login; 354 FTP iss scan suspicious-login tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"pass wh00t"; fast_pattern:only; metadata:service ftp; classtype:suspicious-login; 355 FTP pass wh00t suspicious-filename-detect tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"RETR"; nocase; content:"passwd"; metadata:service ftp; classtype:suspicious-filename-detect; 356 FTP passwd retrieval attempt suspicious-login tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"pass -cklaus"; metadata:service ftp; classtype:suspicious-login; 357 FTP piss scan www.mines.edu/fs_home/dlarue/cc/baby-doe.html suspicious-login tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"pass -saint"; metadata:service ftp; classtype:suspicious-login; 358 FTP saint scan suspicious-login tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"pass -satan"; metadata:service ftp; classtype:suspicious-login; 359 FTP satan scan 2052 bad-unknown 2001-0054 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:".%20."; fast_pattern:only; metadata:service ftp; classtype:bad-unknown; 360 FTP serv-u directory transversal 10565 2241 bad-unknown 1999-0955 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi"; metadata:service ftp; classtype:bad-unknown; 361 FTP SITE EXEC attempt 2240 bad-unknown 1999-0997 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:" --use-compress-program "; fast_pattern:only; metadata:service ftp; classtype:bad-unknown; 362 FTP tar parameters 8375 misc-attack 2003-0727 tcp $EXTERNAL_NET any -> $HOME_NET 2100 flow:to_server,established; content:"TEST"; nocase; isdataat:100,relative; pcre:"/^TEST\s+[^\n]{100}/smi"; metadata:service ftp; classtype:misc-attack; 3630 ORACLE ftp TEST command buffer overflow attempt 8375 attempted-user 2003-0727 tcp $EXTERNAL_NET any -> $HOME_NET 2100 flow:to_server,established; content:"user"; nocase; isdataat:100,relative; pcre:"/^USER\s+[^\n]{100}/smi"; metadata:service ftp; classtype:attempted-user; 3631 ORACLE ftp user name buffer overflow attempt 13821 attempted-admin 2005-1812 udp any any -> any 69 flow:to_server; content:"|00 01|"; content:"|00|"; distance:1; isdataat:100,relative; content:!"|00|"; within:100; metadata:service tftp; classtype:attempted-admin; 3817 TFTP GET transfer mode overflow attempt 21301 attempted-admin 2006-6183 udp any any -> any 69 flow:to_server; content:"|00 02|"; content:"|00|"; distance:1; isdataat:100,relative; content:!"|00|"; within:100; metadata:service tftp; classtype:attempted-admin; 3818 TFTP PUT transfer mode overflow attempt unknown tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:from_client,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s*\n/smi"; classtype:unknown; 489 FTP no password bad-unknown tcp $HOME_NET 21 -> $EXTERNAL_NET any flow:from_server,established; content:"530 "; fast_pattern:only; pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; 491 FTP Bad login bad-unknown 1999-0183 udp $EXTERNAL_NET any -> $HOME_NET 69 flow:to_server; content:"|00 02|"; depth:2; metadata:service tftp; classtype:bad-unknown; 518 TFTP Put bad-unknown 2002-1209 udp $EXTERNAL_NET any -> $HOME_NET 69 flow:to_server; content:".."; offset:2; metadata:service tftp; classtype:bad-unknown; 519 TFTP parent directory bad-unknown 1999-0183 udp $EXTERNAL_NET any -> $HOME_NET 69 flow:to_server; content:"|00 01|/"; depth:3; metadata:service tftp; classtype:bad-unknown; 520 TFTP root directory 19617 attempted-admin 2006-4318 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"SIZE"; nocase; isdataat:524,relative; pcre:"/^SIZE(?!\n)\s+[\x2F\x5C][^\x2F\x3A\x5C\n][^\n]{526}/smi"; metadata:service ftp; classtype:attempted-admin; 8415 FTP SIZE overflow attempt 2972 attempted-admin 2001-0826 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"HELP"; nocase; isdataat:200,relative; pcre:"/^HELP(?!\n)\s[^\n]{200}/smi"; classtype:attempted-admin; 8479 FTP HELP overflow attempt 18711 attempted-admin 2006-2226 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"PORT "; nocase; isdataat:400,relative; pcre:"/^PORT\x20[^\n]{400}/smi"; classtype:attempted-admin; 8480 FTP PORT overflow attempt 2717 attempted-dos 2001-0334 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"NLST"; fast_pattern:only; pcre:"/^NLST\s+[^\n]*\x2a{10}/smi"; metadata:service ftp; classtype:attempted-dos; 8481 FTP Microsoft NLST * dos attempt www.microsoft.com/technet/security/bulletin/MS01-026.mspx 14935 attempted-admin 2005-3081 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:established,to_server; content:"SITE"; fast_pattern:only; pcre:"/^SITE\s*(\w+\s*)+\x7c/smi"; metadata:service ftp; classtype:attempted-admin; 8707 FTP WZD-FTPD SITE arbitrary command execution attempt 21301 attempted-admin udp $EXTERNAL_NET any -> $HOME_NET 69 flow:to_server; content:"|00|"; depth:1; pcre:"/^(\x01|\x02)[^\x00]+\x00[^\x00]{473}/Rs"; metadata:service tftp; classtype:attempted-admin; 9621 TFTP 3COM server transport mode buffer overflow attempt policy-violation 2006-5584 udp any any -> $HOME_NET 69 flow:to_server; content:"|00 02|"; depth:2; content:"images"; distance:0; nocase; content:"windows"; distance:0; nocase; content:"|00|"; distance:0; metadata:service tftp; classtype:policy-violation; 9638 TFTP PUT Microsoft RIS filename overwrite attempt www.microsoft.com/technet/security/bulletin/ms06-077.mspx attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"PASV"; nocase; isdataat:493,relative; pcre:"/^PASV(?!\n)\s[^\n]{493}/smi"; classtype:attempted-admin; 9792 FTP PASV overflow attempt www.milw0rm.com/exploits/2952 243 Server / Misc / SSH 2347 shellcode-detect 2001-0572 tcp $EXTERNAL_NET any -> $HOME_NET 22 flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; classtype:shellcode-detect; 1326 EXPLOIT ssh CRC32 overflow NOOP trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"MAININFO|7C|password|7C|ENU|7C|My"; depth:24; nocase; content:"server"; distance:0; nocase; content:"|3A|D|7C|"; distance:0; nocase; pcre:"/^MAININFO\x7Cpassword\x7CENU\x7CMy\s+server\s+\x3AD\x7C/smi"; classtype:trojan-activity; 13814 BACKDOOR passhax runtime detection - initial connection www.spywareguide.com/spydet_30090_passhax.html network-scan tcp $EXTERNAL_NET any -> $HOME_NET 22 flow:to_server,established; content:"Version_Mapper"; fast_pattern:only; classtype:network-scan; 1638 SCAN SSH Version map attempt 20216 attempted-admin 2006-4924 tcp $EXTERNAL_NET any -> $HOME_NET 22 flow:to_server,established; content:"|00 03|"; depth:2; byte_test:4,>,200000,0,relative; classtype:attempted-admin; 17317 SPECIFIC-THREATS OpenSSH sshd Identical Blocks DOS attempt 5093 successful-admin 2002-0640 tcp $HOME_NET 22 -> $EXTERNAL_NET any flow:from_server,established; content:"*GOBBLE*"; metadata:service ssh; classtype:successful-admin; 1810 SPECIFIC-THREATS successful gobbles ssh exploit GOBBLE 5093 misc-attack 2002-0640 tcp $HOME_NET 22 -> $EXTERNAL_NET any flow:from_server,established; content:"uname"; metadata:service ssh; classtype:misc-attack; 1811 SPECIFIC-THREATS successful gobbles ssh exploit uname 11031 5093 misc-attack 2002-0639 tcp $EXTERNAL_NET any -> $HOME_NET 22 flow:to_server,established; content:"GOBBLES"; classtype:misc-attack; 1812 EXPLOIT gobbles SSH exploit attempt 11031 5287 misc-attack 2002-1059 tcp $EXTERNAL_NET 22 -> $HOME_NET any flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s?[^\n]{200}/ism"; classtype:misc-attack; 1838 EXPLOIT SSH server banner overflow 15822 24348 attempted-admin 2007-5005 tcp $EXTERNAL_NET any -> $HOME_NET 1900 flow:to_server,established; content:"rxrReceiveFileFromServer~~8~~"; nocase; pcre:"/^((\.\.\/|\.\.\\).*|(\.(exe|dll)))~~/Ri"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 12667 EXPLOIT CA BrightStor ARCServer malicious fileupload attempt 24348 attempted-admin 2007-3216 tcp $EXTERNAL_NET any -> $HOME_NET 1900 flow:to_server,established; content:"rxsGetBackupLog~~"; content:"~~"; distance:0; isdataat:260,relative; content:!"~~"; within:260; metadata:policy security-ips drop; classtype:attempted-admin; 12784 EXPLOIT CA ARCserve Backup for Laptops rsxGetBackupLog second argument overflow 24348 attempted-admin 2007-3216 tcp $EXTERNAL_NET any -> $HOME_NET 1900 flow:to_server,established; content:"rxsGetBackupComplete"; content:"~~"; isdataat:256,relative; content:!"~~"; within:256; metadata:policy security-ips drop; classtype:attempted-admin; 12785 EXPLOIT CA ARCserve Backup for Laptops rsxGetBackupComplete overflow attemp 24348 attempted-admin 2007-3216 tcp $EXTERNAL_NET any -> $HOME_NET 1900 flow:to_server,established; content:"rxsSetDataGrowthScheduleAndFilter"; content:"~~"; isdataat:256,relative; content:!"~~"; within:256; metadata:policy security-ips drop; classtype:attempted-admin; 12786 EXPLOIT CA ARCserve Backup for Laptops rxsSetDataGrowthScheduleAndFilter overflow attempt 24348 attempted-admin 2007-3216 tcp $EXTERNAL_NET any -> $HOME_NET 1900 flow:to_server,established; content:"rxsSetDefaultConfigName~~"; isdataat:976,relative; metadata:policy security-ips drop; classtype:attempted-admin; 12787 EXPLOIT CA ARCserve Backup for Laptops rxsSetDefaultConfigName overflow attempt 24348 attempted-admin 2007-3216 tcp $EXTERNAL_NET any -> $HOME_NET 1900 flow:to_server,established; content:"rxsSetDefaultConfigName~~"; isdataat:976,relative; metadata:policy security-ips drop; classtype:attempted-admin; 12788 EXPLOIT CA ARCserve Backup for Laptops rxsSetDefaultConfigName overflow attempt 15353 attempted-admin 2005-3116 tcp $EXTERNAL_NET any -> $HOME_NET 13701 flow:established,to_server; dsize:4; byte_test:4,>,84,0; metadata:policy security-ips drop; classtype:attempted-admin; 12904 EXPLOIT Veritas NetBackup vmd shared library buffer overflow attempt 25778 attempted-admin 2008-0638 udp $EXTERNAL_NET any -> $HOME_NET 3207 flow:to_server; content:"|FE FE|"; depth:2; byte_test:2,>,1024,2; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 13552 EXPLOIT Symantec VERITAS Storage Foundation Suite buffer overflow attempt www.symantec.com/avcenter/security/Content/2008.02.20a.html 28616 attempted-admin 2008-1328 tcp $EXTERNAL_NET any -> $HOME_NET 1900 flow:to_server,established; isdataat:90; content:" "; depth:2; byte_test:10, >, 80, 0, string, dec; pcre:"/^.{10}[0-9a-fA-f]{80}/"; metadata:policy security-ips drop; classtype:attempted-admin; 13800 EXPLOIT ARCServe LGServer service data overflow attempt attempted-admin 2005-0773 tcp $EXTERNAL_NET any -> $HOME_NET 10000 flow:to_server,established; content:"|00 00 09 01|"; depth:4; offset:16; content:"|00 00 00 03|"; depth:4; offset:28; byte_test:4,>,1000,32; metadata:policy connectivity-ips drop, policy security-ips drop; classtype:attempted-admin; 13846 SPECIFIC-THREATS Veritas Backup Agent password overflow attempt attempted-admin 2007-2279 tcp $EXTERNAL_NET any -> $HOME_NET 4888 flow:to_server,established; content:"NTLMSSP|00 03 00 00 00|"; nocase; content:"|00 00|"; within:2; distance:24; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 14741 EXPLOIT Symantec Veritas Foundation Service NULL service authentication attempt 30596 attempted-user 2008-3703 tcp $EXTERNAL_NET any -> $HOME_NET 4888 flow:to_server,established; content:"NTLMSSP|00 03 00 00 00|"; content:"|00 00|"; within:2; distance:34; metadata:policy balanced-ips drop, policy security-ips drop, service ident; classtype:attempted-user; 14768 MISC Symantec Veritas Storage Scheduler Service NULL Session auth bypass attempt 30472 attempted-admin 2008-3175 tcp $EXTERNAL_NET any -> $HOME_NET 1900 flow:established,to_server; content:"00000000"; depth:8; content:"AAAAAAAAAAAAAA"; within:14; distance:4; metadata:policy security-ips drop; classtype:attempted-admin; 14773 SPECIFIC-THREATS CA ARCserve LGServer handshake buffer overflow attempt attempted-admin 2005-2715 tcp $EXTERNAL_NET any -> $HOME_NET 13722 flow:established,to_server; content:"%n"; fast_pattern:only; metadata:policy security-ips drop; classtype:attempted-admin; 15931 MISC Veritas NetBackup java user interface service format string attack attempt 28927 attempted-dos 2008-1979 tcp $EXTERNAL_NET any -> $HOME_NET 41523 flow:established,to_server; content:"h|00 00 00|"; depth:4; content:"|FF FF FF|s"; depth:4; offset:58; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-dos; 16071 EXPLOIT CA ARCServe Backup Discovery Service denial of service attempt www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36440 31684 protocol-command-decode 2008-4399 tcp $EXTERNAL_NET any -> $HOME_NET 6504 flow:established,to_server; dce_iface:506b1890-14c8-11d1-bbc3-00805fa6962e; dce_opnum:548; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|24 02|"; within:2; distance:19; metadata:policy balanced-ips drop, policy security-ips drop, service dcerpc; classtype:protocol-command-decode; 17520 EXPLOIT CA ARCserve Backup DB Engine Denial of Service attempted-admin 2005-2715 tcp $EXTERNAL_NET any -> $HOME_NET 13722 flow:established,to_server; content:"%hn"; fast_pattern:only; metadata:policy security-ips drop; classtype:attempted-admin; 17706 MISC Veritas NetBackup java user interface service format string attack attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 13724 flow:to_server,established; content:"6|00|bpspsserver|00|"; flowbits:set,vnetd.bpspsserver.connection; flowbits:noalert; classtype:protocol-command-decode; 6010 EXPLOIT VERITAS NetBackup vnetd connection attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 13701 flow:to_server,established; byte_test:1,>,3,10,dec,string; byte_test:1,<,11,10,dec,string; flowbits:set,veritas.vmd.connect; flowbits:noalert; classtype:protocol-command-decode; 6404 EXPLOIT Veritas NetBackup Volume Manager connection attempt 244 Server / Misc / Backup 22365 attempted-dos 2007-0816 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 00 00 00|"; within:4; distance:4; metadata:service sunrpc; classtype:attempted-dos; 10132 RPC portmap BrightStor ARCserve denial of service attempt 22365 attempted-dos 2007-0816 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 00 00 00|"; within:4; distance:4; metadata:service sunrpc; classtype:attempted-dos; 10133 RPC portmap BrightStor ARCserve denial of service attempt 23209 rpc-portmap-decode 2007-1785 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 06 09|~"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 10482 RPC portmap CA BrightStor ARCserve tcp request 23209 rpc-portmap-decode 2007-1785 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 06 09|~"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 10483 RPC portmap CA BrightStor ARCserve udp request 23209 rpc-portmap-decode 2007-1785 tcp $EXTERNAL_NET any -> $HOME_NET any flow:established,to_server; content:"|00 06 09|~"; depth:4; offset:16; content:"|00 00 00 BF|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; metadata:service sunrpc; classtype:rpc-portmap-decode; 10484 RPC portmap CA BrightStor ARCserve tcp procedure 191 attempt 23209 rpc-portmap-decode 2007-1785 udp $EXTERNAL_NET any -> $HOME_NET 1024: flow:to_server; content:"|00 06 09|~"; depth:4; offset:12; content:"|00 00 00 BF|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; metadata:service sunrpc; classtype:rpc-portmap-decode; 10485 RPC portmap CA BrightStor ARCserve udp procedure 191 attempt 23209 rpc-portmap-decode tcp $EXTERNAL_NET any -> $HOME_NET any flow:established,to_server; content:"|00 06 09|~"; depth:4; offset:16; content:"|00 00 00 E8|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; metadata:service sunrpc; classtype:rpc-portmap-decode; 13716 RPC portmap CA BrightStor ARCserve tcp procedure 232 attempt 23209 rpc-portmap-decode udp $EXTERNAL_NET any -> $HOME_NET any content:"|00 06 09|~"; depth:4; offset:12; content:"|00 00 00 E8|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; metadata:service sunrpc; classtype:rpc-portmap-decode; 13717 RPC portmap CA BrightStor ARCserve udp procedure 232 attempt 23209 rpc-portmap-decode 2007-1785 tcp $EXTERNAL_NET any -> $HOME_NET any flow:established,to_server; content:"|00 06 09|~"; depth:4; offset:16; content:"|00 00 00 EA|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; metadata:service sunrpc; classtype:rpc-portmap-decode; 13805 RPC portmap CA BrightStor ARCserve tcp procedure 234 attempt 23209 rpc-portmap-decode 2007-1785 udp $EXTERNAL_NET any -> $HOME_NET 1024: flow:to_server; content:"|00 06 09|~"; depth:4; offset:12; content:"|00 00 00 EA|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; metadata:service sunrpc; classtype:rpc-portmap-decode; 13806 RPC portmap CA BrightStor ARCserve udp procedure 234 attempt 30472 attempted-admin 2008-3175 tcp $EXTERNAL_NET any -> $HOME_NET 1900 flow:to_server,established; byte_test:10,>,18,0,dec,string; byte_jump:10,0,dec,string,post_offset -1; content:"0"; within:1; pcre:"/^[0-9]{10}[0-9A-F]+$/i"; classtype:attempted-admin; 17045 EXPLOIT CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt 30472 attempted-admin 2008-3175 tcp $EXTERNAL_NET any -> $HOME_NET 1900 flow:to_server,established; byte_test:10,>,86,0,dec,string; pcre:"/^[0-9]{10}[0-9A-F]+$/i"; classtype:attempted-admin; 17046 EXPLOIT CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt attempted-admin 2007-2772 tcp $EXTERNAL_NET any -> $HOME_NET 1339 flow:to_server, established; content:"|00 00 00 00 00 00 00 02 00 06 09 82 00 00 00 01 00 00 00 01|"; content:"|FF FF FF FF|"; distance:8; classtype:attempted-admin; 17643 EXPLOIT CA BrightStor ARCServe logger servie null-pointer dereference attempt 15353 attempted-admin 2005-3116 tcp $EXTERNAL_NET any -> $HOME_NET 13701 flow:established,to_server; content:"|64 00 00 0F 41 41 41 41|"; depth:8; classtype:attempted-admin; 17710 EXPLOIT Veritas NetBackup vmd shared library buffer overflow attempt 11974 attempted-admin 2004-1172 tcp $EXTERNAL_NET any -> $HOME_NET 6101 flow:established,to_server; content:"|02 00|"; depth:2; content:"|00|"; within:1; distance:1; isdataat:72; content:!"|00|"; depth:66; offset:6; classtype:attempted-admin; 3084 EXPLOIT Veritas backup overflow attempt 12594 attempted-recon 2005-0491 tcp $EXTERNAL_NET any -> $HOME_NET 617 flow:established,to_server; content:"ARKADMIN_GET_"; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; classtype:attempted-recon; 3453 MISC Arkeia client backup system info probe 12594 attempted-recon 2005-0491 tcp $EXTERNAL_NET any -> $HOME_NET 617 flow:established,to_server; content:"ARKFS|00|root|00|root"; fast_pattern:only; classtype:attempted-recon; 3454 MISC Arkeia client backup generic info probe 12594 attempted-user 2005-0491 tcp $EXTERNAL_NET any -> $HOME_NET 617 flow:established,to_server; content:"|00|M"; depth:2; byte_test:2,>,23,6; classtype:attempted-user; 3457 EXPLOIT Arkeia backup client type 77 overflow attempt 17158 12594 attempted-user 2005-0491 tcp $EXTERNAL_NET any -> $HOME_NET 617 flow:established,to_server; content:"|00|T"; depth:2; byte_test:2,>,255,6; isdataat:263; content:!"|00|"; depth:255; offset:8; classtype:attempted-user; 3458 EXPLOIT Arkeia backup client type 84 overflow attempt 12491 attempted-admin 2005-0260 udp $EXTERNAL_NET any -> $HOME_NET 41524 flow:to_server; dsize:>966; classtype:attempted-admin; 3472 EXPLOIT ARCserve discovery service overflow 12536 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 41523 flow:to_server,established; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; classtype:attempted-admin; 3474 EXPLOIT ARCserve backup TCP slot info msg client name overflow 12536 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 41523 flow:to_server,established; content:"|98|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; classtype:attempted-admin; 3475 EXPLOIT ARCserve backup TCP slot info msg client domain overflow 12536 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 41523 flow:to_server,established; content:"|9B|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; classtype:attempted-admin; 3476 EXPLOIT ARCserve backup TCP product info msg 0x9b client domain overflow 12536 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 41523 flow:to_server,established; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; classtype:attempted-admin; 3477 EXPLOIT ARCserve backup TCP product info msg 0x9b client name overflow 12536 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 41523 flow:to_server,established; content:"|9C|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; classtype:attempted-admin; 3478 EXPLOIT ARCserve backup TCP product info msg 0x9c client domain overflow 12536 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 41523 flow:to_server,established; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; classtype:attempted-admin; 3479 EXPLOIT ARCserve backup TCP product info msg 0x9c client name overflow 12536 attempted-admin udp $EXTERNAL_NET any -> $HOME_NET 41524 flow:to_server; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; classtype:attempted-admin; 3480 EXPLOIT ARCserve backup UDP slot info msg client name overflow 12536 attempted-admin udp $EXTERNAL_NET any -> $HOME_NET 41524 flow:to_server; content:"|98|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; classtype:attempted-admin; 3481 EXPLOIT ARCserve backup UDP slot info msg client domain overflow 12536 attempted-admin udp $EXTERNAL_NET any -> $HOME_NET 41524 flow:to_server; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; classtype:attempted-admin; 3482 EXPLOIT ARCserve backup UDP product info msg 0x9b client name overflow 12536 attempted-admin udp $EXTERNAL_NET any -> $HOME_NET 41524 flow:to_server; content:"|9B|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; classtype:attempted-admin; 3483 EXPLOIT ARCserve backup UDP product info msg 0x9b client domain overflow 12536 attempted-admin udp $EXTERNAL_NET any -> $HOME_NET 41524 flow:to_server; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; classtype:attempted-admin; 3484 EXPLOIT ARCserve backup UDP product info msg 0x9c client name overflow 12536 attempted-admin udp $EXTERNAL_NET any -> $HOME_NET 41524 flow:to_server; content:"|9C|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; classtype:attempted-admin; 3485 EXPLOIT ARCserve backup UDP product info msg 0x9c client domain overflow 12536 attempted-admin udp $EXTERNAL_NET any -> $HOME_NET 41524 flow:to_server; content:"|99|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; classtype:attempted-admin; 3530 EXPLOIT ARCserve backup UDP msg 0x99 client name overflow 12536 attempted-admin udp $EXTERNAL_NET any -> $HOME_NET 41524 flow:to_server; content:"|99|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; classtype:attempted-admin; 3531 EXPLOIT ARCserve backup UDP msg 0x99 client domain overflow 13102 attempted-admin 2005-1018 tcp $EXTERNAL_NET any -> $HOME_NET 6050 flow:to_server,established; content:"|E8 03|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6,little; byte_test:2,<,1705,6,little; classtype:attempted-admin; 3658 EXPLOIT ARCserve universal backup agent option 1000 little endian buffer overflow attempt 18041 13102 attempted-admin 2005-1018 tcp $EXTERNAL_NET any -> $HOME_NET 6050 flow:to_server,established; content:"|03 E8|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6; byte_test:2,<,1705,6; classtype:attempted-admin; 3659 EXPLOIT ARCserve universal backup agent option 1000 buffer overflow attempt 18041 13102 attempted-admin 2005-1018 tcp $EXTERNAL_NET any -> $HOME_NET 6050 flow:to_server,established; content:"|00 00|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6,little; byte_test:2,<,1705,6,little; classtype:attempted-admin; 3660 EXPLOIT ARCserve universal backup agent option 00 little endian buffer overflow attempt 18041 13102 attempted-admin 2005-1018 tcp $EXTERNAL_NET any -> $HOME_NET 6050 flow:to_server,established; content:"|00 00|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6; byte_test:2,<,1705,6; classtype:attempted-admin; 3661 EXPLOIT ARCserve universal backup agent option 00 buffer overflow attempt 18041 13102 attempted-admin 2005-1018 tcp $EXTERNAL_NET any -> $HOME_NET 6050 flow:to_server,established; content:"|03 00|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6,little; byte_test:2,<,1705,6,little; classtype:attempted-admin; 3662 EXPLOIT ARCserve universal backup agent option 03 little endian buffer overflow attempt 18041 13102 attempted-admin 2005-1018 tcp $EXTERNAL_NET any -> $HOME_NET 6050 flow:to_server,established; content:"|00 03|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6; byte_test:2,<,1705,6; classtype:attempted-admin; 3663 EXPLOIT ARCserve universal backup agent option 03 buffer overflow attempt 18041 attempted-admin 2005-0773 tcp $EXTERNAL_NET any -> $HOME_NET 10000 flow:to_server,established; content:"|00 00 09 01|"; depth:4; offset:16; content:"|00 00 00 03|"; depth:4; offset:28; byte_jump:4,32; byte_test:4,>,1023,0,relative; classtype:attempted-admin; 3695 EXPLOIT Veritas Backup Agent password overflow attempt 14201 attempted-dos 2005-0772 tcp $EXTERNAL_NET any -> $HOME_NET 10000 flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:12; byte_test:4,>,0,24; classtype:attempted-dos; 3696 EXPLOIT Veritas Backup Agent DoS attempt 14020 protocol-command-decode 2005-0771 tcp $EXTERNAL_NET any -> $HOME_NET 6106 flow:established,to_server; dce_iface:93841fd0-16ce-11ce-850d-02608c44967b; content:"|05 00|"; metadata:service dcerpc; classtype:protocol-command-decode; 3697 NETBIOS DCERPC NCACN-IP-TCP veritas bind attempt www.idefense.com/application/poi/display?id=269&type=vulnerabilities 14551 suspicious-login 2005-2611 tcp $EXTERNAL_NET any -> $HOME_NET 10000 flow:to_server,established; content:"|00 00 00 00 00 00 09 01|"; depth:8; offset:12; content:"|00 00 00 02|"; depth:4; offset:28; content:"root"; depth:4; offset:36; nocase; content:"|B4 B8 0F|& |5C|B4|03 FC AE EE 8F 91|=o"; distance:0; classtype:suspicious-login; 4126 EXPLOIT Veritas Backup Exec root connection attempt using default password hash 17264 attempted-admin 2006-0991 tcp $EXTERNAL_NET any -> $HOME_NET 13724 flow:to_server,established; flowbits:isset,vnetd.bpspsserver.connection; byte_test:4,>,1024,0; isdataat:1024; flowbits:unset,vnetd.bpspsserver.connection; classtype:attempted-admin; 6011 EXPLOIT VERITAS NetBackup vnetd buffer overflow attempt 17264 attempted-admin 2006-0989 tcp $EXTERNAL_NET any -> $HOME_NET 13701 flow:to_server,established; flowbits:isset,veritas.vmd.connect; pcre:"/(0x[0-9a-f]+|0[0-8]+|[1-9]\d*)\s+\S{157}|(0x[0-9a-f]+|0[0-8]+|[1-9]\d*)\s+\S+\s+\S{125}|(0x[0-9a-f]+|0[0-8]+|[1-9]\d*)\s+\S+\s+\S+\s+\S{1025}|(0x[ 0-9a-f]+|0[0-8]+|[1-9]\d*)\s+\S+\s+\S+\s+\S+\s+\S{117}|(0x[0-9a-f]+|0[0-8]+|[1-9]\d*)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S{37}/i"; classtype:attempted-admin; 6405 EXPLOIT Veritas NetBackup Volume Manager overflow attempt 245 Server / Misc / TFTP 37343 attempted-user 2009-4181 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"|2F|OvCgi|2F|jovgraph.exe"; nocase; http_uri; content:"OVwSelection"; nocase; http_uri; pcre:"/(arg=[^\x26]*?OVwSelection[^\x26]*?\x26.*?sel=[^\s\x26]{1023}|sel=[^\x26]{1023,}\x26.*?arg=[^\s\x26]*?OVwSelection)/sU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16712 WEB-MISC HP OpenView Network Node Manager ovwebsnmpsrv.exe OVwSelection buffer overflow attempt - GET 37343 attempted-user 2009-4181 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"|2F|OvCgi|2F|jovgraph.exe"; nocase; http_uri; content:"OVwSelection"; nocase; http_client_body; pcre:"/(arg=[^\x26]*?OVwSelection[^\x26]*?\x26.*?sel=[^\s\x26]{1023}|sel=[^\x26]{1023,}\x26.*?arg=[^\s\x26]*?OVwSelection)/sP"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16713 WEB-MISC HP OpenView Network Node Manager ovwebsnmpsrv.exe OVwSelection buffer overflow attempt - POST 2417 attempted-admin 2001-0236 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; classtype:attempted-admin; 569 RPC snmpXdmi overflow attempt TCP 10659 www.cert.org/advisories/CA-2001-05.html 246 Server / Misc / SNMP 2417 rpc-portmap-decode 2001-0236 udp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 1279 RPC portmap snmpXdmi request UDP 10659 www.cert.org/advisories/CA-2001-05.html 18081 attempted-dos 2008-1673 udp $EXTERNAL_NET any -> $HOME_NET 161:162 gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|13773; 13773 DOS linux kernel snmp nat netfilter memory corruption attempt kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.5 2417 attempted-admin 2001-0236 udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 87 99|"; depth:4; offset:12; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:attempted-admin; 2045 RPC snmpXdmi overflow attempt UDP 10659 www.cert.org/advisories/CA-2001-05.html 2417 rpc-portmap-decode 2001-0236 tcp $EXTERNAL_NET any -> $HOME_NET 111 flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 593 RPC portmap snmpXdmi request TCP 10659 www.cert.org/advisories/CA-2001-05.html 24655 attempted-admin 2007-2442 tcp $EXTERNAL_NET any -> $HOME_NET 749 flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 04 93 E1 00 00 00 00|"; within:8; distance:16; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; classtype:attempted-admin; 13223 RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt 24655 attempted-admin 2007-2442 tcp $EXTERNAL_NET any -> $HOME_NET 749 flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 04 93 E1 00 00 00 00|"; within:8; distance:16; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; classtype:attempted-admin; 13268 RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt 23285 attempted-user 2007-0957 tcp $EXTERNAL_NET any -> $HOME_NET 749 flow:to_server,established; content:"|90|D|FA A0 B1|^C|07|m'|1C|m|08 02 D0 C7 C0|q|EE|q|E3|R|B3 1C|}K|DE D2 C1 F8 5C|{"; fast_pattern:only; metadata:policy security-ips drop, service ldap; classtype:attempted-user; 16207 WEB-MISC MIT Kerberos V% KAdminD klog_vsyslog server overflow attempt 36263 attempted-dos 2009-3111 udp $EXTERNAL_NET any -> $HOME_NET [1645,1812] flow:to_server; content:"|01|"; depth:1; content:"E|02|"; within:2; distance:19; metadata:policy security-ips drop, service radius; classtype:attempted-dos; 16209 DOS FreeRADIUS RADIUS server rad_decode remote denial of service attempt attempted-admin 2005-1174 tcp $EXTERNAL_NET any -> $HOME_NET 88 flow:established, to_server; content:"|30 09 A0 03 02 01 01 A1 02 30 00 A2 0D 1B 0B 65 78 61 6D|"; metadata:policy security-ips drop, service kerberos; classtype:attempted-admin; 17273 SPECIFIC-THREATS MIT Kerberos V5 KDC krb5_unparse_name overflow attempt secunia.com/advisories/16041/ attempted-admin 2005-1175 udp $EXTERNAL_NET any -> $HOME_NET 88 flow:to_server; content:"|30 09 A0 03 02 01 01 A1 02 30 00 A2 0D 1B 0B 65 78 61 6D|"; metadata:policy security-ips drop, service kerberos; classtype:attempted-admin; 17274 SPECIFIC-THREATS MIT Kerberos V5 KDC krb5_unparse_name overflow attempt secunia.com/advisories/16041/ 34409 attempted-admin 2009-0846 udp $EXTERNAL_NET any -> $HOME_NET 88 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|17741, service kerberos, policy balanced-ips drop, policy security-ips drop; 17741 EXPLOIT MIT Kerberos ASN.1 asn1_decode_generaltime uninitialized pointer reference attempt 247 Server / Misc / Authentication 24657 attempted-admin 2007-2443 tcp $EXTERNAL_NET any -> $HOME_NET 749 flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; byte_test:4,>,0,20,relative; content:"|00 00 00 01|"; within:4; distance:16; byte_test:4,>,2147483647,8,relative; metadata:service sunrpc; classtype:attempted-admin; 12046 RPC MIT Kerberos kadmind RPC Library unix authentication buffer overflow attempt web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt 24655 attempted-admin 2007-2442 tcp $EXTERNAL_NET any -> $HOME_NET 749 flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 04 93 E1 00 00 00 00|"; within:8; distance:16; metadata:service sunrpc; classtype:attempted-admin; 12075 RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt 25534 attempted-admin 2007-3999 tcp $EXTERNAL_NET any -> $HOME_NET 749 flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 00 00 06|"; within:4; distance:16; byte_test:4,>,128,0,relative; metadata:service sunrpc; classtype:attempted-admin; 12424 RPC MIT Kerberos kadmind rpc RPCSEC_GSS buffer overflow attempt web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-006.txt 24657 rpc-portmap-decode 2007-2443 tcp $EXTERNAL_NET any -> $HOME_NET 749 flow:established,to_server; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 00 00 01|"; within:4; distance:16; byte_test:4,>,2147483647,8,relative,big; classtype:rpc-portmap-decode; 12708 RPC MIT Kerberos kadmind auth buffer overflow attempt attempted-dos 2010-0035 tcp $EXTERNAL_NET any -> $HOME_NET 88 gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|16394, service kerberos; 16394 DOS Active Directory Kerberos referral TGT renewal DoS attempt www.microsoft.com/technet/security/bulletin/MS10-014.mspx 14239 attempted-admin 2005-1689 tcp $EXTERNAL_NET any -> $HOME_NET 543 flow:established,to_server; content:"|00|"; depth:1; content:"KRB5_SENDAUTH_"; depth:14; offset:5; fast_pattern; content:!"V1.0"; within:4; classtype:attempted-admin; 17243 EXPLOIT MIT Kerberos V5 krb5_recvauth double free attempt attempted-admin 2003-0072 udp $EXTERNAL_NET any -> $HOME_NET 88 flow:to_server; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; classtype:attempted-admin; 2578 EXPLOIT kerberos principal name overflow UDP 11512 web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt attempted-admin 2003-0072 tcp $EXTERNAL_NET any -> $HOME_NET 88 flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; classtype:attempted-admin; 2579 EXPLOIT kerberos principal name overflow TCP 11512 web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt 12759 attempted-admin 2005-0699 udp $EXTERNAL_NET any -> $HOME_NET 699 flow:to_server; content:"|01|"; depth:1; content:"|01 01 1F|"; depth:3; offset:32; byte_test:1,>,30,1,relative; isdataat:29,relative; pcre:"/^\x01.{23}(\x25|\x26)/smi"; classtype:attempted-admin; 3538 EXPLOIT RADIUS registration MSID overflow attempt 19120 12759 attempted-admin 2005-0699 udp $EXTERNAL_NET any -> $HOME_NET 699 flow:to_server; content:"|01 01 1F|"; depth:3; offset:28; byte_test:1,>,30,1,relative; isdataat:29,relative; pcre:"/^(\x03|[\x14-\x17]).{19}(\x25|\x26)/smi"; classtype:attempted-admin; 3539 EXPLOIT RADIUS MSID overflow attempt 19120 12759 attempted-admin 2005-0699 udp $EXTERNAL_NET any -> $HOME_NET 699 flow:to_server; content:"|01|"; depth:1; content:"|01 01 1A|"; depth:3; offset:32; content:"|00 00 15 9F|"; depth:4; offset:36; byte_test:1,>,30,1,relative; isdataat:29,relative; pcre:"/^\x01.{23}(\x25|\x26).{15}(\x0A|\x34)/smi"; classtype:attempted-admin; 3540 EXPLOIT RADIUS registration vendor ATTR_TYPE_STR overflow attempt 19120 12759 attempted-admin 2005-0699 udp $EXTERNAL_NET any -> $HOME_NET 699 flow:to_server; content:"|01 01 1A|"; depth:3; offset:28; content:"|00 00 15 9F|"; depth:4; offset:32; byte_test:1,>,30,1,relative; isdataat:29,relative; pcre:"/^(\x03|[\x14-\x17]).{19}(\x25|\x26).{15}(\x0A|\x34)/smi"; classtype:attempted-admin; 3541 EXPLOIT RADIUS ATTR_TYPE_STR overflow attempt 19120 attempted-admin 2004-0396 tcp $EXTERNAL_NET any -> $HOME_NET 2401 flow:to_server,established; content:"Event"; nocase; content:"ac1db1tch3z/blackhat4life"; metadata:policy security-ips drop; classtype:attempted-admin; 13616 SPECIFIC-THREATS CVS Argument overflow 248 Server / Misc / CVS attempted-admin 2004-0396 tcp $EXTERNAL_NET any -> $HOME_NET 2401 flow:to_server,established; content:"Argument"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; classtype:attempted-admin; 13614 EXPLOIT CVS Argument overflow attempt attempted-admin 2004-0396 tcp $EXTERNAL_NET any -> $HOME_NET 2401 flow:to_server,established; content:"Event"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; classtype:attempted-admin; 13615 EXPLOIT CVS Argument overflow attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/CVS/Entries"; http_uri; metadata:service http; classtype:web-application-activity; 1551 WEB-MISC /CVS/Entries access 11032 web-application-activity 2000-0670 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cvsweb/version"; http_uri; metadata:service http; classtype:web-application-activity; 1552 WEB-MISC cvsweb version access 10465 10499 attempted-admin 2004-0416 tcp $EXTERNAL_NET any -> $HOME_NET [514,1999,2401] flow:to_server,established; content:"Argumentx"; fast_pattern:only; pcre:!"/^Argument[^x\x0a]+\x0aArgumentx/mi"; classtype:attempted-admin; 15971 EXPLOIT CVS Argumentx command double free attempt misc-attack tcp $HOME_NET 2401 -> $EXTERNAL_NET any flow:from_server,established; content:"E Fatal error, aborting."; fast_pattern:only; content:"|3A| no such user"; classtype:misc-attack; 2008 MISC CVS invalid user authentication response misc-attack tcp $HOME_NET 2401 -> $EXTERNAL_NET any flow:from_server,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; fast_pattern:only; classtype:misc-attack; 2009 MISC CVS invalid repository response 6650 misc-attack 2003-0015 tcp $HOME_NET 2401 -> $EXTERNAL_NET any flow:from_server,established; content:"free|28 29 3A| warning|3A| chunk is already free"; fast_pattern:only; classtype:misc-attack; 2010 MISC CVS double free exploit attempt response 11385 6650 misc-attack 2003-0015 tcp $HOME_NET 2401 -> $EXTERNAL_NET any flow:from_server,established; content:"E protocol error|3A| invalid directory syntax in"; fast_pattern:only; classtype:misc-attack; 2011 MISC CVS invalid directory response 11385 misc-attack tcp $HOME_NET 2401 -> $EXTERNAL_NET any flow:from_server,established; content:"E protocol error|3A| Root request missing"; fast_pattern:only; classtype:misc-attack; 2012 MISC CVS missing cvsroot response misc-attack tcp $HOME_NET 2401 -> $EXTERNAL_NET any flow:from_server,established; content:"cvs server|3A| cannot find module"; fast_pattern:only; content:"error"; distance:1; classtype:misc-attack; 2013 MISC CVS invalid module response 9178 misc-attack 2003-0977 tcp $HOME_NET 2401 -> $EXTERNAL_NET any flow:from_server,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; fast_pattern:only; classtype:misc-attack; 2317 MISC CVS non-relative path error response 11947 9178 misc-attack 2003-0977 tcp $EXTERNAL_NET any -> $HOME_NET 2401 flow:to_server,established; content:"Argument"; pcre:"/^Argument\s+\//smi"; pcre:"/^Directory/smiR"; classtype:misc-attack; 2318 MISC CVS non-relative path access attempt 11947 10499 misc-attack 2004-0417 tcp $EXTERNAL_NET any -> $HOME_NET 2401 flow:to_server,established; content:"Max-dotdot"; fast_pattern:only; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/msi"; classtype:misc-attack; 2583 MISC CVS Max-dotdot integer overflow attempt 13217 attempted-dos 2005-0753 tcp $EXTERNAL_NET any -> $HOME_NET 514 flow:to_server,established; content:"|0A|annotate|0A|"; fast_pattern:only; pcre:"/^Entry \/file\/[0-9.]{71,}\/\/.*\x0aannotate\x0a/smi"; classtype:attempted-dos; 3651 EXPLOIT CVS rsh annotate revision overflow attempt 18097 ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142 13217 attempted-dos 2005-0753 tcp $EXTERNAL_NET any -> $HOME_NET 2401 flow:to_server,established; content:"|0A|annotate|0A|"; fast_pattern:only; pcre:"/^Entry \/file\/[0-9.]{71,}\/\/.*\x0aannotate\x0a/smi"; classtype:attempted-dos; 3652 EXPLOIT CVS pserver annotate revision overflow attempt 18097 ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142 300 Client attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"auth=12345678&login=+++Login+++"; nocase; metadata:policy security-ips alert; classtype:attempted-admin; 10123 SPECIFIC-THREATS PA168 chipset based IP phone default password attempt www.procheckup.com/Vulner_PR0614.php 22585 attempted-user 2007-0325 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"08D75BB0-D2B5-11D1-88FC-0080C859833B"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*08D75BB0-D2B5-11D1-88FC-0080C859833B\s*}?\s*\1/si"; metadata:policy security-ips drop; classtype:attempted-user; 10173 WEB-ACTIVEX Trend Micro OfficeScan Client ActiveX clsid access 22585 attempted-user 2007-0325 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|8|00|D|00|7|00|5|00|B|00|B|00|0|00|-|00|D|00|2|00|B|00|5|00|-|00|1|00|1|00|D|00|1|00|-|00|8|00|8|00|F|00|C|00|-|00|0|00|0|00|8|00|0|00|C|00|8|00|5|00|9|00|8|00|3|00|3|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x008\x00D\x007\x005\x00B\x00B\x000\x00-\x00D\x002\x00B\x005\x00-\x001\x001\x00D\x001\x00-\x008\x008\x00F\x00C\x00-\x000\x000\x008\x000\x00C\x008\x005\x009\x008\x003\x003\x00B\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 10174 WEB-ACTIVEX Trend Micro OfficeScan Client ActiveX clsid unicode access 22585 attempted-user 2007-0325 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"SetupINICtrl"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22SetupINICtrl\x22|\x27SetupINICtrl\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22SetupINICtrl\x22|\x27SetupINICtrl\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10175 WEB-ACTIVEX Trend Micro OfficeScan Client ActiveX function call access trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 32418 flow:to_server,established; content:"PSWD/GET"; depth:8; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 10445 BACKDOOR acidbattery 1.0 runtime detection - get password www3.ca.com/securityadvisor/pest/pest.aspx?id=109 33243 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"18A295DA-088E-42D1-BE31-5028D7F9B965"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*18A295DA-088E-42D1-BE31-5028D7F9B965\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*18A295DA-088E-42D1-BE31-5028D7F9B965\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile))/siO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 11181 WEB-ACTIVEX Excel Viewer ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-02-excelviewerocx-v-31-multiple.html 33243 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|8|00|A|00|2|00|9|00|5|00|D|00|A|00|-|00|0|00|8|00|8|00|E|00|-|00|4|00|2|00|D|00|1|00|-|00|B|00|E|00|3|00|1|00|-|00|5|00|0|00|2|00|8|00|D|00|7|00|F|00|9|00|B|00|9|00|6|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x008\x00A\x002\x009\x005\x00D\x00A\x00-\x000\x008\x008\x00E\x00-\x004\x002\x00D\x001\x00-\x00B\x00E\x003\x001\x00-\x005\x000\x002\x008\x00D\x007\x00F\x009\x00B\x009\x006\x005\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 11182 WEB-ACTIVEX Excel Viewer ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-02-excelviewerocx-v-31-multiple.html 33243 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Excel.OActrl"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22Excel\.OActrl(\.\d)?\x22|\x27Excel\.OActrl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=v)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22Excel\.OActrl(\.\d)?\x22|\x27Excel\.OActrl(\.\d)?\x27)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=n)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|HttpDownloadFile|Save|SaveWebFile|OpenWebFile)\s*)/smiO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 11183 WEB-ACTIVEX Excel Viewer ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-02-excelviewerocx-v-31-multiple.html 33243 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|x|00|c|00|e|00|l|00|.|00|O|00|A|00|c|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)E\x00x\x00c\x00e\x00l\x00.\x00O\x00A\x00c\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)E\x00x\x00c\x00e\x00l\x00.\x00O\x00A\x00c\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 11184 WEB-ACTIVEX Excel Viewer ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-02-excelviewerocx-v-31-multiple.html 22743 denial-of-service 2007-1005 tcp $EXTERNAL_NET any -> $HOME_NET 9191 flow:established,to_server; content:"|01 06 00 00 00|"; depth:5; offset:2; byte_test:4,<,4,128,relative, little; metadata:policy security-ips drop; classtype:denial-of-service; 11186 DOS CA eTrust key handling dos -- password 33243 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"97AF4A45-49BE-4485-9F55-91AB40F22BF2"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q14>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22BF2\s*}?\s*(?P=q14)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q15>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F22BF2\s*}?\s*(?P=q15)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile))\s*\(/siO"; metadata:policy balanced-ips drop, policy security-ips alert, service http; classtype:attempted-user; 11187 WEB-ACTIVEX Word Viewer ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-03-wordviewerocx-32-multiple_03.html 33243 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|7|00|A|00|F|00|4|00|A|00|4|00|5|00|-|00|4|00|9|00|B|00|E|00|-|00|4|00|4|00|8|00|5|00|-|00|9|00|F|00|5|00|5|00|-|00|9|00|1|00|A|00|B|00|4|00|0|00|F|00|2|00|2|00|B|00|F|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q16>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x007\x00A\x00F\x004\x00A\x004\x005\x00-\x004\x009\x00B\x00E\x00-\x004\x004\x008\x005\x00-\x009\x00F\x005\x005\x00-\x009\x001\x00A\x00B\x004\x000\x00F\x002\x002\x00B\x00F\x002\x00(}\x00)?(?P=q16)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 11188 WEB-ACTIVEX Word Viewer ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-03-wordviewerocx-32-multiple_03.html 33243 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"OA.OActrl"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22OA\.OActrl(\.\d)?\x22|\x27OA\.OActrl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=v)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OA\.OActrl(\.\d)?\x22|\x27OA\.OActrl(\.\d)?\x27)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=n)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*)\s*\(/smiO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 11189 WEB-ACTIVEX Word Viewer ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-03-wordviewerocx-32-multiple_03.html 33243 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"O|00|A|00|.|00|O|00|A|00|c|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q17>\x22|\x27|)O\x00A\x00.\x00O\x00A\x00c\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q17)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q18>\x22|\x27|)O\x00A\x00.\x00O\x00A\x00c\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q18)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 11190 WEB-ACTIVEX Word Viewer ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-03-wordviewerocx-32-multiple_03.html attempted-user 2007-0215 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.xls; content:"|95 00|"; isdataat:55,relative; pcre:"/^.{3}(\x00[^\x00]|[^\x00]\x00|[^\x00][^\x00]){25}/Rs"; metadata:policy security-ips drop; classtype:attempted-user; 11258 WEB-CLIENT Excel Malformed Named Graph Information unicode overflow www.microsoft.com/technet/security/bulletin/ms07-023.mspx attempted-user 2007-0215 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,http.xls; content:"|95 00|"; isdataat:133,relative; pcre:"/^(.{92}[^\x00]{41}|.{148}[^\x00]{41}|.{172}[^\x00]{41}|.{212}[^\x00]{41}|.{252}[^\x00]{22}|.{272}[^\x00]{22}|.{292}[^\x00]{22}|.{312}[^\x00]{22}|.{332}[^\x00]{22})/Rs"; metadata:policy security-ips drop; classtype:attempted-user; 11290 WEB-CLIENT Excel malformed named graph information ascii overflow www.microsoft.com/technet/security/bulletin/ms07-023.mspx misc-activity 2007-0934 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Visio |28|TM|29| Drawing|0D 0A 00 00 00 00|"; fast_pattern:only; pcre:"/Visio \x28TM\x29 Drawing\r\n\x00{4}([^\x00]|\x00[^\x00]|\x00\x00[^\x01-\x06\x0b]|\x00\x00[\x01-\x06\x0b][^\x00])/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-activity; 11836 MISC Visio version number anomaly www.microsoft.com/technet/security/bulletin/MS07-030.mspx trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"|FA CB D9 D9 E5 E1 D6|"; depth:7; flowbits:set,Theef210_Connectionwithnopassword; flowbits:noalert; classtype:trojan-activity; 12233 BACKDOOR theef 2.10 runtime detection - connect with no password trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"|FA CB D9 D9 DD C5 D8 CE D6|"; depth:9; flowbits:set,Theef210_Connectionwithpassword; flowbits:noalert; classtype:trojan-activity; 12235 BACKDOOR theef 2.10 runtime detection - connect with password 23826 attempted-user 2007-1747 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,http.xls; content:"`|10|"; byte_test:2,>,32767,6,relative; metadata:policy security-ips drop, service http; classtype:attempted-user; 12256 WEB-CLIENT Excel malformed FBI record www.microsoft.com/technet/security/bulletin/ms07-023.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".xlw"; nocase; http_uri; pcre:"/\x2Exlw([\?\x5c\x2f]|$)/smiU"; flowbits:set,xlw.download; flowbits:noalert; classtype:misc-activity; 12285 WEB-CLIENT Excel Workspace file download sc.openoffice.org/excelfileformat.pdf 31235 attempted-user 2007-5660 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|W|00|U|00|S|00|W|00|e|00|b|00|A|00|g|00|e|00|n|00|t|00|.|00|W|00|e|00|b|00|A|00|g|00|e|00|n|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)D\x00W\x00U\x00S\x00W\x00e\x00b\x00A\x00g\x00e\x00n\x00t\x00.\x00W\x00e\x00b\x00A\x00g\x00e\x00n\x00t\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)D\x00W\x00U\x00S\x00W\x00e\x00b\x00A\x00g\x00e\x00n\x00t\x00.\x00W\x00e\x00b\x00A\x00g\x00e\x00n\x00t\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 12703 WEB-ACTIVEX Macrovision InstallShield Update Service ActiveX function call unicode access support.installshield.com/kb/view.asp?articleid=Q113602 27279 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FCED4482-7CCB-4E6F-86C9-DCB22B52843C"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FCED4482-7CCB-4E6F-86C9-DCB22B52843C\s*}?\s*(?P=q5)(\s|>).*(?P=id1)\s*\.\s*(AddFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FCED4482-7CCB-4E6F-86C9-DCB22B52843C\s*}?\s*(?P=q6)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(AddFile))\s*\(/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13325 WEB-ACTIVEX Macrovision FLEXnet Connect ActiveX clsid access 27279 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|C|00|E|00|D|00|4|00|4|00|8|00|2|00|-|00|7|00|C|00|C|00|B|00|-|00|4|00|E|00|6|00|F|00|-|00|8|00|6|00|C|00|9|00|-|00|D|00|C|00|B|00|2|00|2|00|B|00|5|00|2|00|8|00|4|00|3|00|C|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q7>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q7)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13326 WEB-ACTIVEX Macrovision FLEXnet Connect ActiveX clsid unicode access 27279 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"MVSNClientDownloadManager61Lib.DownloadManager"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22MVSNClientDownloadManager61Lib\.DownloadManager\x22|\x27MVSNClientDownloadManager61Lib\.DownloadManager\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*AddFile\s*|.*(?P=v)\s*\.\s*AddFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22MVSNClientDownloadManager61Lib\.DownloadManager\x22|\x27MVSNClientDownloadManager61Lib\.DownloadManager\x27)\s*\)(\s*\.\s*AddFile\s*|.*(?P=n)\s*\.\s*AddFile\s*)\s*\(/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13327 WEB-ACTIVEX Macrovision FLEXnet Connect ActiveX function call access 27279 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"M|00|V|00|S|00|N|00|C|00|l|00|i|00|e|00|n|00|t|00|D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00|M|00|a|00|n|00|a|00|g|00|e|00|r|00|6|00|1|00|L|00|i|00|b|00|.|00|D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00|M|00|a|00|n|00|a|00|g|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q8>\x22|\x27|)M\x00V\x00S\x00N\x00C\x00l\x00i\x00e\x00n\x00t\x00D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x006\x001\x00L\x00i\x00b\x00.\x00D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00(?P=q8)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q9>\x22|\x27|)M\x00V\x00S\x00N\x00C\x00l\x00i\x00e\x00n\x00t\x00D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x006\x001\x00L\x00i\x00b\x00.\x00D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00M\x00a\x00n\x00a\x00g\x00e\x00r\x00(?P=q9)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 13328 WEB-ACTIVEX Macrovision FLEXnet Connect ActiveX function call unicode access attempted-user 2008-0111 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|13571, service http, policy security-ips drop; 13571 WEB-CLIENT Microsoft Excel dval record arbitrary code excecution attempt www.microsoft.com/technet/security/bulletin/MS08-014.mspx attempted-user 2008-1090 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.dxf; metadata: engine shared, soid 3|13665, service http, policy balanced-ips drop, policy security-ips alert; 13665 WEB-CLIENT Microsoft Visio DXF file invalid memory allocation exploit attempt www.microsoft.com/technet/security/bulletin/MS08-019.mspx attempted-user 2008-1434 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|13790, service http, policy security-ips drop; 13790 WEB-CLIENT Microsoft Word malformed css remote code execution attempt www.microsoft.com/technet/security/bulletin/MS08-026.mspx attempted-user 2008-1091 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.rtf; metadata: engine shared, soid 3|13803, service http, policy security-ips drop; 13803 WEB-CLIENT RTF control word overflow attempt www.microsoft.com/technet/security/bulletin/ms08-026.mspx attempted-user 2008-3005 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|13973, service http, policy balanced-ips drop, policy security-ips drop; 13973 WEB-CLIENT Microsoft Excel format record code execution attempt www.microsoft.com/technet/security/Bulletin/MS08-043.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:".eps"; nocase; http_uri; flowbits:set,http.eps.download; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-activity; 13983 WEB-CLIENT Microsoft Office eps file download 4449 attempted-user 2002-0727 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x000\x000\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14628 WEB-ACTIVEX Office 2000 and 2002 Web Components Chart ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS02-044.mspx 4449 attempted-user 2002-0727 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|2|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x002\x000\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14629 WEB-ACTIVEX Office 2000 and 2002 Web Components PivotTable ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS02-044.mspx 4449 attempted-user 2002-0727 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|3|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x003\x000\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14630 WEB-ACTIVEX Office 2000 and 2002 Web Components Data Source Control ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS02-044.mspx attempted-user 2008-3471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|14641, service http, policy balanced-ips drop, policy security-ips drop; 14641 WEB-CLIENT Microsoft Excel invalid FRTWrapper record buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS08-057.mspx attempted-user 2008-3477 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|14642, service http, policy balanced-ips drop, policy security-ips drop; 14642 WEB-CLIENT Microsoft Excel file with embedded ActiveX control www.microsoft.com/technet/security/bulletin/MS08-057.mspx 31235 attempted-user 2008-2470 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5b7524c8-2446-40e9-9474-94a779dba224"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 14764 WEB-ACTIVEX Macrovision InstallShield Update Service Agent ActiveX clsid access 31235 attempted-user 2008-2470 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DWUSWebAgent.WebAgent"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 14765 WEB-ACTIVEX Macrovision InstallShield Update Service Agent ActiveX function call 31987 attempted-user 2008-4922 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4A46B8CD-F7BD-11D4-B1D8-000102290E7C"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4A46B8CD-F7BD-11D4-B1D8-000102290E7C\s*}?\s*(?P=q6)(\s|>).*(?P=id1)\s*\.\s*(ImageURL)|<object\s*[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*4A46B8CD-F7BD-11D4-B1D8-000102290E7C\s*}?\s*(?P=q7)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(ImageURL))\s*=/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14997 WEB-ACTIVEX DjVu MSOffice Converter ActiveX clsid access 31987 attempted-user 2008-4922 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|A|00|4|00|6|00|B|00|8|00|C|00|D|00|-|00|F|00|7|00|B|00|D|00|-|00|1|00|1|00|D|00|4|00|-|00|B|00|1|00|D|00|8|00|-|00|0|00|0|00|0|00|1|00|0|00|2|00|2|00|9|00|0|00|E|00|7|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q8>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x00A\x004\x006\x00B\x008\x00C\x00D\x00-\x00F\x007\x00B\x00D\x00-\x001\x001\x00D\x004\x00-\x00B\x001\x00D\x008\x00-\x000\x000\x000\x001\x000\x002\x002\x009\x000\x00E\x007\x00C\x00(}\x00)?(?P=q8)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 14998 WEB-ACTIVEX DjVu MSOffice Converter ActiveX clsid unicode access attempted-user 2008-4027 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15083, service http, policy security-ips drop; 15083 EXPLOIT Microsoft Word .rtf file double free attempt www.microsoft.com/technet/security/bulletin/MS08-072.mspx attempted-user 2008-4256 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15088, service http, policy security-ips drop; 15088 WEB-ACTIVEX Microsoft Visual Basic Charts ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4256 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15090, service http, policy security-ips drop; 15090 WEB-ACTIVEX Microsoft Visual Basic Charts ActiveX function call access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4252 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15092, service http, policy security-ips drop; 15092 WEB-ACTIVEX Microsoft Visual Basic DataGrid ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4252 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15094, service http, policy security-ips drop; 15094 WEB-ACTIVEX Microsoft Visual Basic DataGrid ActiveX function call access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4253 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15096, service http, policy balanced-ips drop, policy security-ips drop; 15096 WEB-ACTIVEX Microsoft Visual Basic FlexGrid ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4253 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15098, service http, policy balanced-ips drop, policy security-ips drop; 15098 WEB-ACTIVEX Microsoft Visual Basic FlexGrid ActiveX function call access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4254 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15100, service http, policy balanced-ips drop, policy security-ips drop; 15100 WEB-ACTIVEX Microsoft Visual Basic Hierarchical FlexGrid ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4254 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15102, service http, policy balanced-ips drop, policy security-ips drop; 15102 WEB-ACTIVEX Microsoft Visual Basic Hierarchical FlexGrid ActiveX function call access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4255 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15104, service http, policy balanced-ips drop, policy security-ips drop; 15104 WEB-CLIENT Visual Basic 6.0 malformed AVI buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS08-070.mspx misc-attack 2008-4025 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:misc-attack; metadata: engine shared, soid 3|15106, service http, policy balanced-ips drop, policy security-ips drop; 15106 WEB-CLIENT Microsoft Word .rtf file integer overflow attempt www.microsoft.com/technet/security/bulletin/MS08-072.mspx attempted-user 2008-4031 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.rtf; metadata: engine shared, soid 3|15107, policy balanced-ips drop, policy security-ips drop; 15107 WEB-CLIENT Microsoft Word .rtf file stylesheet buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS08-072.mspx attempted-admin 2008-4032 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|15108, service http, policy balanced-ips drop, policy security-ips drop; 15108 WEB-CLIENT Microsoft Office Sharepoint Server elevation of privilege exploit attempt www.microsoft.com/technet/security/bulletin/MS08-077.mspx attempted-user 2008-4251 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15118, service http, policy security-ips drop; 15118 WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4251 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15120, service http, policy security-ips drop; 15120 WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX function call access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-1089 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|10|@|DE|naaa|87|a|17|@|DE FD F2 F1 09|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15163 SPECIFIC-THREATS Microsoft Visio Object Header Buffer Overflow attempt 33245 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"97AF4A45-49BE-4485-9F55-91AB40F288F2"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m11>\x22|\x27|)(?P<id1>.+?)(?P=m11)(\s|>)[^>]*\s*classid\s*=\s*(?P<q24>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F288F2\s*}?\s*(?P=q24)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile|Open)|<object\s*[^>]*\s*classid\s*=\s*(?P<q25>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*97AF4A45-49BE-4485-9F55-91AB40F288F2\s*}?\s*(?P=q25)(\s|>)[^>]*\s*id\s*=\s*(?P<m12>\x22|\x27|)(?P<id2>.+?)(?P=m12)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile|Open))\s*\(/siO"; metadata:policy balanced-ips drop, policy security-ips alert, service http; classtype:attempted-user; 15230 WEB-ACTIVEX Office Viewer 2 ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html 33245 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"9|00|7|00|A|00|F|00|4|00|A|00|4|00|5|00|-|00|4|00|9|00|B|00|E|00|-|00|4|00|4|00|8|00|5|00|-|00|9|00|F|00|5|00|5|00|-|00|9|00|1|00|A|00|B|00|4|00|0|00|F|00|2|00|8|00|8|00|F|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q26>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*9\x007\x00A\x00F\x004\x00A\x004\x005\x00-\x004\x009\x00B\x00E\x00-\x004\x004\x008\x005\x00-\x009\x00F\x005\x005\x00-\x009\x001\x00A\x00B\x004\x000\x00F\x002\x008\x008\x00F\x002\x00(}\x00)?(?P=q26)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 15231 WEB-ACTIVEX Office Viewer 2 ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html 33453 attempted-user 2009-0301 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2A7D9CCE-211A-4654-9449-718F71ED9644"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m11>\x22|\x27|)(?P<id1>.+?)(?P=m11)(\s|>)[^>]*\s*classid\s*=\s*(?P<q24>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2A7D9CCE-211A-4654-9449-718F71ED9644\s*}?\s*(?P=q24)(\s|>).*(?P=id1)\s*\.\s*(SaveFile|ExportToXML)|<object\s*[^>]*\s*classid\s*=\s*(?P<q25>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2A7D9CCE-211A-4654-9449-718F71ED9644\s*}?\s*(?P=q25)(\s|>)[^>]*\s*id\s*=\s*(?P<m12>\x22|\x27|)(?P<id2>.+?)(?P=m12)(\s|>).*(?P=id2)\.(SaveFile|ExportToXML))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15282 WEB-ACTIVEX FlexCell Grid ActiveX clsid access 33453 attempted-user 2009-0301 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|A|00|7|00|D|00|9|00|C|00|C|00|E|00|-|00|2|00|1|00|1|00|A|00|-|00|4|00|6|00|5|00|4|00|-|00|9|00|4|00|4|00|9|00|-|00|7|00|1|00|8|00|F|00|7|00|1|00|E|00|D|00|9|00|6|00|4|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q26>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x00A\x007\x00D\x009\x00C\x00C\x00E\x00-\x002\x001\x001\x00A\x00-\x004\x006\x005\x004\x00-\x009\x004\x004\x009\x00-\x007\x001\x008\x00F\x007\x001\x00E\x00D\x009\x006\x004\x004\x00(}\x00)?(?P=q26)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15283 WEB-ACTIVEX FlexCell Grid ActiveX clsid unicode access misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"GET"; nocase; http_method; content:".vsd"; nocase; http_uri; flowbits:set, visio.request; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-activity; 15294 WEB-CLIENT Microsoft Visio file download request attempted-user 2009-0097 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,visio.request; metadata: engine shared, soid 3|15298, service http, policy balanced-ips drop, policy security-ips drop; 15298 WEB-CLIENT Microsoft Visio could allow remote code execution www.microsoft.com/technet/security/bulletin/MS09-005.mspx 33660 attempted-user 2009-0096 tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any gid:3; classtype:attempted-user; flowbits:isset,visio.request; metadata: engine shared, soid 3|15299, service http, policy balanced-ips drop, policy security-ips drop; 15299 WEB-CLIENT Microsoft Office Visio invalid ho tag attempt www.microsoft.com/technet/security/bulletin/MS09-005 attempted-user 2009-0095 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,visio.request; metadata: engine shared, soid 3|15303, service http, policy balanced-ips drop, policy security-ips drop; 15303 WEB-CLIENT Malformed Visio IconBitsComponent arbitrary code execution attempt www.microsoft.com/technet/security/bulletin/ms09-005.mspx 33782 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DA8484DE-52DB-4860-A986-61A8682E298A"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q7>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DA8484DE-52DB-4860-A986-61A8682E298A\s*}?\s*(?P=q7)(\s|>).*(?P=id1)\s*\.\s*(SnapShotToFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q8>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*DA8484DE-52DB-4860-A986-61A8682E298A\s*}?\s*(?P=q8)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\.(SnapShotToFile))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15334 WEB-ACTIVEX GeoVision LiveX 7000 ActiveX clsid access 33782 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|A|00|8|00|4|00|8|00|4|00|D|00|E|00|-|00|5|00|2|00|D|00|B|00|-|00|4|00|8|00|6|00|0|00|-|00|A|00|9|00|8|00|6|00|-|00|6|00|1|00|A|00|8|00|6|00|8|00|2|00|E|00|2|00|9|00|8|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q9>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*D\x00A\x008\x004\x008\x004\x00D\x00E\x00-\x005\x002\x00D\x00B\x00-\x004\x008\x006\x000\x00-\x00A\x009\x008\x006\x00-\x006\x001\x00A\x008\x006\x008\x002\x00E\x002\x009\x008\x00A\x00(}\x00)?(?P=q9)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15335 WEB-ACTIVEX GeoVision LiveX 7000 ActiveX clsid unicode access 33782 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"LiveX_v7000"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22LiveX_v7000(\.\d)?\x22|\x27LiveX_v7000(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SnapShotToFile\s*|.*(?P=v)\s*\.\s*SnapShotToFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LiveX_v7000(\.\d)?\x22|\x27LiveX_v7000(\.\d)?\x27)\s*\)(\s*\.\s*SnapShotToFile\s*|.*(?P=n)\s*\.\s*SnapShotToFile\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15336 WEB-ACTIVEX GeoVision LiveX 7000 ActiveX function call access 33782 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"L|00|i|00|v|00|e|00|X|00|_|00|v|00|7|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q10>\x22|\x27|)L\x00i\x00v\x00e\x00X\x00_\x00v\x007\x000\x000\x000\x00(\.\x00\d\x00)?(?P=q10)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q11>\x22|\x27|)L\x00i\x00v\x00e\x00X\x00_\x00v\x007\x000\x000\x000\x00(\.\x00\d\x00)?(?P=q11)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15337 WEB-ACTIVEX GeoVision LiveX 7000 ActiveX function call unicode access 33782 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F4421170-DB22-4551-BBFB-FFCFFB419F6F"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q12>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F4421170-DB22-4551-BBFB-FFCFFB419F6F\s*}?\s*(?P=q12)(\s|>).*(?P=id1)\s*\.\s*(SnapShotToFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q13>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*F4421170-DB22-4551-BBFB-FFCFFB419F6F\s*}?\s*(?P=q13)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\.(SnapShotToFile))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15338 WEB-ACTIVEX GeoVision LiveX 8120 ActiveX clsid access 33782 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|4|00|4|00|2|00|1|00|1|00|7|00|0|00|-|00|D|00|B|00|2|00|2|00|-|00|4|00|5|00|5|00|1|00|-|00|B|00|B|00|F|00|B|00|-|00|F|00|F|00|C|00|F|00|F|00|B|00|4|00|1|00|9|00|F|00|6|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q14>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x004\x004\x002\x001\x001\x007\x000\x00-\x00D\x00B\x002\x002\x00-\x004\x005\x005\x001\x00-\x00B\x00B\x00F\x00B\x00-\x00F\x00F\x00C\x00F\x00F\x00B\x004\x001\x009\x00F\x006\x00F\x00(}\x00)?(?P=q14)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15339 WEB-ACTIVEX GeoVision LiveX 8120 ActiveX clsid unicode access 33782 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"LiveX_v8120"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22LiveX_v8120(\.\d)?\x22|\x27LiveX_v8120(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SnapShotToFile\s*|.*(?P=v)\s*\.\s*SnapShotToFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LiveX_v8120(\.\d)?\x22|\x27LiveX_v8120(\.\d)?\x27)\s*\)(\s*\.\s*SnapShotToFile\s*|.*(?P=n)\s*\.\s*SnapShotToFile\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15340 WEB-ACTIVEX GeoVision LiveX 8120 ActiveX function call access 33782 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"L|00|i|00|v|00|e|00|X|00|_|00|v|00|8|00|1|00|2|00|0|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q15>\x22|\x27|)L\x00i\x00v\x00e\x00X\x00_\x00v\x008\x001\x002\x000\x00(\.\x00\d\x00)?(?P=q15)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q16>\x22|\x27|)L\x00i\x00v\x00e\x00X\x00_\x00v\x008\x001\x002\x000\x00(\.\x00\d\x00)?(?P=q16)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15341 WEB-ACTIVEX GeoVision LiveX 8120 ActiveX function call unicode access 33782 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8D58D690-6B71-4EE8-85AD-006DB0287BF1"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m9>\x22|\x27|)(?P<id1>.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P<q17>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8D58D690-6B71-4EE8-85AD-006DB0287BF1\s*}?\s*(?P=q17)(\s|>).*(?P=id1)\s*\.\s*(SnapShotToFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q18>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8D58D690-6B71-4EE8-85AD-006DB0287BF1\s*}?\s*(?P=q18)(\s|>)[^>]*\s*id\s*=\s*(?P<m10>\x22|\x27|)(?P<id2>.+?)(?P=m10)(\s|>).*(?P=id2)\.(SnapShotToFile))\s*\(/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15342 WEB-ACTIVEX GeoVision LiveX 8200 ActiveX clsid access 33782 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|D|00|5|00|8|00|D|00|6|00|9|00|0|00|-|00|6|00|B|00|7|00|1|00|-|00|4|00|E|00|E|00|8|00|-|00|8|00|5|00|A|00|D|00|-|00|0|00|0|00|6|00|D|00|B|00|0|00|2|00|8|00|7|00|B|00|F|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q19>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*8\x00D\x005\x008\x00D\x006\x009\x000\x00-\x006\x00B\x007\x001\x00-\x004\x00E\x00E\x008\x00-\x008\x005\x00A\x00D\x00-\x000\x000\x006\x00D\x00B\x000\x002\x008\x007\x00B\x00F\x001\x00(}\x00)?(?P=q19)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15343 WEB-ACTIVEX GeoVision LiveX 8200 ActiveX clsid unicode access 33782 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"LiveX_v8200"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22LiveX_v8200(\.\d)?\x22|\x27LiveX_v8200(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*SnapShotToFile\s*|.*(?P=v)\s*\.\s*SnapShotToFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22LiveX_v8200(\.\d)?\x22|\x27LiveX_v8200(\.\d)?\x27)\s*\)(\s*\.\s*SnapShotToFile\s*|.*(?P=n)\s*\.\s*SnapShotToFile\s*)\s*\(/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15344 WEB-ACTIVEX GeoVision LiveX 8200 ActiveX function call access 33782 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"L|00|i|00|v|00|e|00|X|00|_|00|v|00|8|00|2|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q20>\x22|\x27|)L\x00i\x00v\x00e\x00X\x00_\x00v\x008\x002\x000\x000\x00(\.\x00\d\x00)?(?P=q20)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q21>\x22|\x27|)L\x00i\x00v\x00e\x00X\x00_\x00v\x008\x002\x000\x000\x00(\.\x00\d\x00)?(?P=q21)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15345 WEB-ACTIVEX GeoVision LiveX 8200 ActiveX function call unicode access attempted-user 2009-0238 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|15365, service http, policy balanced-ips drop, policy security-ips drop; 15365 WEB-CLIENT Microsoft Excel extrst record arbitrary code excecution attempt www.microsoft.com/technet/security/bulletin/MS09-009.mspx attempted-user 2009-0556 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.ppt; metadata: engine shared, soid 3|15454, service http, policy balanced-ips drop, policy security-ips drop; 15454 WEB-CLIENT Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt www.microsoft.com/technet/security/bulletin/MS09-017.mspx attempted-user 2008-4841 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15455, service http, policy balanced-ips drop, policy security-ips drop; 15455 EXPLOIT WordPad and Office Text Converters XST parsing buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS09-010.mspx protocol-command-decode tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".xls"; nocase; http_uri; flowbits:set,http.xls; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert, service http; classtype:protocol-command-decode; 15463 WEB-CLIENT Microsoft Excel file request attempted-user 2009-0100 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|15465, service http, policy balanced-ips drop, policy security-ips drop; 15465 WEB-CLIENT Microsoft Excel malformed object record remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-009.mspx attempted-user 2009-0088 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15466, service http, policy balanced-ips drop, policy security-ips drop; 15466 EXPLOIT WordPad WordPerfect 6.x converter buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS09-010.mspx attempted-user 2009-0235 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|15467, service http, policy balanced-ips drop, policy security-ips drop; 15467 EXPLOIT WordPad and Office Text Converters PlcPcd aCP buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS09-010.mspx attempted-user 2009-0087 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|15469, service http, policy security-ips drop; 15469 WEB-CLIENT Microsoft WordPad and Office text converters integer underflow attempt www.microsoft.com/technet/security/bulletin/MS09-010.mspx 34461 misc-attack 2009-0981 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"select%20user_name,web_password2%20from"; content:"WWV_FLOW_USERS"; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-attack; 15488 SPECIFIC-THREATS Oracle Database Application Express Component APEX password hash disclosure attempt www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html attempted-user 2009-0549 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|15519, service http, policy security-ips drop; 15519 WEB-CLIENT Microsoft Office Excel BRAI record remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-021.mspx attempted-user 2009-0557 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|15520, service http, policy balanced-ips drop, policy security-ips drop; 15520 WEB-CLIENT Microsoft Office Excel FtCbls remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-021.mspx attempted-user 2009-0558 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|15521, service http, policy balanced-ips drop, policy security-ips drop; 15521 WEB-CLIENT Microsoft Office Excel ExternSheet record remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-021.mspx attempted-user 2009-0563 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|15524, policy balanced-ips drop, policy security-ips drop; 15524 EXPLOIT Microsoft Word remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-027.mspx attempted-user 2009-0565 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|15525, policy balanced-ips drop, policy security-ips drop; 15525 EXPLOIT Microsoft Word remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-027.mspx attempted-user 2009-0559 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|15537, service http, policy balanced-ips drop, policy security-ips drop; 15537 WEB-CLIENT Microsoft Office Excel MsoDrawingGroup record remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-021.mspx 36042 attempted-user 2009-3037 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|15541, service http, policy balanced-ips drop, policy security-ips drop; 15541 WEB-CLIENT Excel SST record remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-021.mspx attempted-user 2009-1134 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|15542, service http, policy balanced-ips drop, policy security-ips drop; 15542 WEB-CLIENT Microsoft Office Excel Qsir and Qsif record remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-021.mspx protocol-command-decode tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:".doc"; nocase; http_uri; flowbits:set,http.doc; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:protocol-command-decode; 15587 WEB-CLIENT Word file download request attempted-user 2009-2496 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15685, service http, policy balanced-ips drop, policy security-ips alert; 15685 WEB-ACTIVEX Microsoft Office Web Components 10 Spreadsheet ActiveX clsid access www.microsoft.com/technet/security/Bulletin/MS09-043.mspx attempted-user 2009-2496 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15687, service http, policy balanced-ips drop, policy security-ips alert; 15687 WEB-ACTIVEX Microsoft Office Web Components 10 Spreadsheet ActiveX function call access www.microsoft.com/technet/security/Bulletin/MS09-043.mspx attempted-user 2009-1136 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15689, service http, policy balanced-ips drop, policy security-ips alert; 15689 WEB-ACTIVEX Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access www.microsoft.com/technet/security/Bulletin/MS09-043.mspx attempted-user 2009-1136 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15691, service http, policy balanced-ips drop, policy security-ips alert; 15691 WEB-ACTIVEX Microsoft Office Web Components 11 Spreadsheet ActiveX function call access www.microsoft.com/technet/security/Bulletin/MS09-043.mspx attempted-user 2009-0562 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0002E543-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E543-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15852 WEB-ACTIVEX Microsoft Office Web Components Datasource ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS09-043.mspx attempted-user 2009-0562 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|4|00|3|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x004\x003\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15853 WEB-ACTIVEX Microsoft Office Web Components Datasource ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS09-043.mspx attempted-user 2009-1920 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15913, service http, policy balanced-ips drop, policy security-ips drop; 15913 WEB-CLIENT javascript arguments keyword override rce attempt www.microsoft.com/technet/security/bulletin/MS09-045.mspx 25690 attempted-user 2007-2834 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15975, service http, policy balanced-ips drop, policy security-ips drop; 15975 WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt 25690 attempted-user 2007-2834 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15976, service http, policy balanced-ips drop, policy security-ips drop; 15976 WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".dxf"; nocase; http_uri; flowbits:set,http.dxf; flowbits:noalert; metadata:policy security-ips alert, service http; classtype:misc-activity; 15987 WEB-MISC Microsoft Visio DXF file download request attempted-user 2009-2528 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|16177, service http, policy balanced-ips drop, policy security-ips drop; 16177 EXPLOIT Microsoft GDI+ Word file Office Art Property Table remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-062.mspx attempted-user 2009-2528 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16178, service http, policy balanced-ips drop, policy security-ips drop; 16178 EXPLOIT Microsoft GDI+ Excel file Office Art Property Table remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-062.mspx attempted-user 2009-3130 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16226, service http, policy balanced-ips drop, policy security-ips drop; 16226 EXPLOIT Microsoft Office Excel integer field in row record improper validation remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-067.mspx attempted-user 2009-3131 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16229, service http, policy security-ips drop; 16229 WEB-CLIENT Microsoft Excel oversized ib memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-067.mspx attempted-user 2009-3131 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16230, service http, policy balanced-ips drop, policy security-ips drop; 16230 WEB-CLIENT Microsoft Excel oversized ib memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-067.mspx attempted-user 2009-3132 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16233, service http, policy balanced-ips drop, policy security-ips drop; 16233 EXPLOIT Microsoft Excel oversized ptgFuncVar cparams value buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS09-067.mspx attempted-user 2009-3135 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|16234, service http, policy balanced-ips drop, policy security-ips drop; 16234 WEB-CLIENT Microsoft Word Document remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-068.mspx attempted-user 2009-3127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16235, service http, policy security-ips drop; 16235 EXPLOIT Microsoft Excel file SXDB record exploit attempt www.microsoft.com/technet/security/bulletin/MS09-067.mspx attempted-user 2009-3128 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16236, service http, policy security-ips drop; 16236 EXPLOIT Microsoft Excel file SxView record exploit attempt www.microsoft.com/technet/security/bulletin/MS09-067.mspx attempted-user 2009-3133 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16240, service http, policy security-ips drop; 16240 EXPLOIT Microsoft Excel file Window/Pane record exploit attempt www.microsoft.com/technet/security/bulletin/MS09-067.mspx attempted-user 2009-3129 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16241, service http, policy balanced-ips drop, policy security-ips drop; 16241 WEB-CLIENT Microsoft Office Excel FeatHdr BIFF record remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-067.mspx attempted-user 2009-2506 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|16314, service http, policy balanced-ips drop, policy security-ips drop; 16314 EXPLOIT Microsoft WordPad and Office text converter integer overflow attempt www.microsoft.com/technet/security/bulletin/MS09-073.mspx 33660 attempted-user 2009-0096 tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any gid:3; classtype:attempted-user; flowbits:isset,visio.request; metadata: engine shared, soid 3|16318, service http, policy balanced-ips drop, policy security-ips drop; 16318 WEB-CLIENT Microsoft Office Visio invalid ho tag attempt www.microsoft.com/technet/security/bulletin/MS09-005 attempted-user 2009-0102 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16328, service http, policy security-ips drop; 16328 EXPLOIT Microsoft Office Project file parsing arbitrary memory access attempt www.microsoft.com/technet/security/bulletin/MS09-074.mspx 36651 attempted-admin 2009-2518 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.bmp; content:"BM"; fast_pattern; content:"|00 00 00 00|"; within:4; distance:4; byte_test:4,>,536870911,36,relative,little; metadata:policy security-ips drop, service http; classtype:attempted-admin; 16361 WEB-CLIENT Microsoft Office BMP header biClrUsed integer overflow attempt misc-activity 2010-0257 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:misc-activity; flowbits:isset,http.xls; metadata: engine shared, soid 3|16461, service http, policy balanced-ips drop, policy security-ips drop; 16461 EXPLOIT Microsoft Excel write access violation attempt www.microsoft.com/technet/security/bulletin/MS10-017.mspx attempted-user 2010-0258 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16462, service http, policy balanced-ips drop, policy security-ips drop; 16462 EXPLOIT Microsoft Excel BIFF8 formulas from records parsing code execution attempt www.microsoft.com/technet/security/bulletin/MS10-017.mspx attempted-user 2010-0258 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16463, service http, policy balanced-ips drop, policy security-ips drop; 16463 EXPLOIT Microsoft Excel BIFF5 formulas from records parsing code execution attempt www.microsoft.com/technet/security/bulletin/MS10-017.mspx attempted-user 2010-0260 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16464, service http, policy balanced-ips drop, policy security-ips drop; 16464 WEB-CLIENT Microsoft Excel ContinueFRT12 heap overflow attempt www.microsoft.com/technet/security/bulletin/MS10-017.mspx attempted-user 2010-0261 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16465, service http, policy balanced-ips drop, policy security-ips drop; 16465 WEB-CLIENT Microsoft Excel ContinueFRT12 and MDXSet heap overflow attempt www.microsoft.com/technet/security/bulletin/MS10-017.mspx attempted-user 2010-0262 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16466, service http, policy balanced-ips drop, policy security-ips drop; 16466 EXPLOIT Microsoft Excel uninitialized stack variable code execution attempt www.microsoft.com/technet/security/bulletin/MS10-017.mspx attempted-user 2010-0263 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16467, service http, policy balanced-ips drop, policy security-ips drop; 16467 EXPLOIT Microsoft Excel 2007 invalid comments.xml uninitialized pointer access attempt 1 www.microsoft.com/technet/security/bulletin/MS10-017.mspx attempted-user 2010-0263 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16468, service http, policy balanced-ips drop, policy security-ips drop; 16468 EXPLOIT Microsoft Excel 2007 invalid comments.xml uninitialized pointer access attempt 2 www.microsoft.com/technet/security/bulletin/MS10-017.mspx attempted-user 2010-0264 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16469, service http, policy balanced-ips drop, policy security-ips drop; 16469 WEB-CLIENT Microsoft Excel DbOrParamQry.fOdbcConn parsing remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-017.mspx attempted-user 2010-0264 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16470, service http, policy balanced-ips drop, policy security-ips drop; 16470 WEB-CLIENT Microsoft Excel DbOrParamQry.fWeb parsing remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-017.mspx attempted-user 2010-0264 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16471, service http, policy balanced-ips drop, policy security-ips drop; 16471 WEB-CLIENT Microsoft Excel DbOrParamQry.fWeb parsing remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-017.mspx attempted-user 2009-3132 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16553, service http, policy balanced-ips drop, policy security-ips drop; 16553 EXPLOIT Microsoft Office Excel ptg index parsing code execution attempt www.microsoft.com/technet/security/bulletin/MS09-067.mspx 30861 attempted-user 2008-3878 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"00989888-BB72-4E31-A7C6-5F819C24D2F7"; fast_pattern:only; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 16565 WEB-ACTIVEX Ultra Shareware Office ActiveX clsid access attempted-user 2009-3135 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|16586, service http, policy balanced-ips drop, policy security-ips drop; 16586 WEB-CLIENT Microsoft Word Document remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-068.mspx attempted-user 2010-0822 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16638, service http, policy balanced-ips drop, policy security-ips drop; 16638 WEB-CLIENT Microsoft Excel OBJ record stack buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS10-038.mspx attempted-user 2010-0822 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16639, service http, policy balanced-ips drop, policy security-ips drop; 16639 WEB-CLIENT Microsoft Excel OBJ record stack buffer overflow attempt - with macro www.microsoft.com/technet/security/bulletin/MS10-038.mspx attempted-user 2010-0822 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16640, service http, policy balanced-ips drop, policy security-ips drop; 16640 WEB-CLIENT Microsoft Excel OBJ record stack buffer overflow attempt - with linkFmla www.microsoft.com/technet/security/bulletin/MS10-038.mspx attempted-user 2010-0822 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16641, service http, policy balanced-ips drop, policy security-ips drop; 16641 WEB-CLIENT Microsoft Excel OBJ record stack buffer overflow attempt - with macro and linkFmla www.microsoft.com/technet/security/bulletin/MS10-038.mspx attempted-user 2010-0823 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16643, service http, policy balanced-ips drop, policy security-ips drop; 16643 WEB-CLIENT Microsoft Excel Chart Sheet Substream memory corruption attempt www.microsoft.com/technet/security/bulletin/MS10-038.mspx attempted-user 2010-0824 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16644, service http, policy balanced-ips drop, policy security-ips drop; 16644 EXPLOIT Microsoft Excel WOpt record memory corruption attempt www.microsoft.com/technet/security/bulletin/MS10-038.mspx attempted-user 2010-1245 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16645, service http, policy balanced-ips drop, policy security-ips drop; 16645 EXPLOIT Microsoft Excel SxView record memory pointer corruption attempt www.microsoft.com/technet/security/bulletin/MS10-038.mspx attempted-user 2010-1246 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16646, service http, policy balanced-ips drop, policy security-ips drop; 16646 EXPLOIT Microsoft Excel RealTimeData record stack buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS10-038.mspx attempted-user 2010-1247 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16647, service http, policy balanced-ips drop, policy security-ips drop; 16647 WEB-CLIENT Microsoft Excel RealTimeData record heap memory corruption attempt - 2 www.microsoft.com/technet/security/bulletin/MS10-038.mspx attempted-user 2010-1247 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16648, service http, policy balanced-ips drop, policy security-ips drop; 16648 EXPLOIT Microsoft Excel RealTimeData record heap memory corruption attempt - 1 www.microsoft.com/technet/security/bulletin/MS10-038.mspx attempted-user 2010-1248 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16649, service http, policy security-ips drop; 16649 WEB-CLIENT Microsoft Excel HFPicture record stack buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS10-038.mspx attempted-user 2010-0821 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16662, service http, policy security-ips drop; 16662 WEB-CLIENT Microsoft Excel SxView heap overflow attempt www.microsoft.com/technet/security/bulletin/MS10-038.mspx 35992 attempted-user 2009-1534 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"classid|3D 22|clsid|3A|0002E511-0000-0000-C000-000000000046|22|"; fast_pattern:only; nocase; content:"<body onload"; content:"</html>"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16786 SPECIFIC-THREATS Microsoft Office Web Components Spreadsheet ActiveX buffer overflow attempt attempted-user 2008-3471 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16800, service http, policy balanced-ips drop, policy security-ips drop; 16800 EXPLOIT Microsoft Excel FRTWrapper record buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS08-057.mspx attempted-user 2010-1900 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|17119, service http, policy balanced-ips drop, policy security-ips drop; 17119 EXPLOIT Microsoft Word sprmCMajority SPRM overflow attempt www.microsoft.com/technet/security/bulletin/MS10-056.mspx attempted-user 2010-1903 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17124, service http, policy balanced-ips drop, policy security-ips drop; 17124 WEB-CLIENT Microsoft Word malformed table record memory corruption attempt www.microsoft.com/technet/security/bulletin/ms10-056.mspx 24691 attempted-user 2007-3490 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.xls; content:"Sheet1"; content:"|8C 00 04 00 56 00 56 00 C1 01 08 00 C1 01 00 00 80 38 01 00|"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17227 WEB-CLIENT Microsoft Excel sheet name memory corruption attempt attempted-user 2010-2563 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17250, service http, policy balanced-ips drop, policy security-ips drop; 17250 EXPLOIT Microsoft WordPad sprmTSetBrc80 SPRM overflow attempt www.microsoft.com/technet/security/bulletin/MS10-067.mspx 17000 attempted-user 2006-0009 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.xls; content:"Routing|3A 20|"; content:"|B9 00 9B 05 56 04 3F 05 00 00 41 41 41 41|"; distance:0; metadata:policy security-ips drop, service http; classtype:attempted-user; 17284 WEB-CLIENT Microsoft Office malformed routing slip code execution attempt 19414 attempted-user 2006-3649 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Attribut|00|e VB_Nam|00|e = "; fast_pattern; nocase; content:"|22|ThiAsDocumen|22|t"; within:15; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17286 SPECIFIC-THREATS Microsoft Visual Basic for Applications document properties overflow attempt 24935 attempted-admin 2007-3455 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/officescan/console"; fast_pattern; http_uri; content:"session="; http_cookie; pcre:"/session=[^\s\x3b&]{520}/iC"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 17295 WEB-MISC Trend Micro OfficeScan Console authentication buffer overflow attempt 23380 attempted-user 2007-1910 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.doc; content:"|09 04 16 00 22 0C 00 00 80 57 00 00 80 57 00 00 02|"; content:"|00 00 00 00 00 00 00 00 FF FF 0F 00|"; within:12; distance:23; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17301 WEB-CLIENT Microsoft Word TextBox sub-document memory corruption attempt 30124 attempted-user 2008-2244 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.doc; content:"|13 1F 14 FF 95 80 FF FF 01 00 00 00 00 00 28 2C|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17308 WEB-CLIENT Microsoft Word SmartTag record code execution attempt 28819 attempted-user 2008-0320 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,http.ole; content:"W|00|o|00|r|00|d|00|D|00|o|00|c|00|u|00|m|00|e|00|n|00|t|00|"; nocase; content:"|22 10 00 80|"; within:4; distance:96; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17315 WEB-CLIENT OpenOffice OLE File Stream Buffer Overflow shellcode-detect ip $EXTERNAL_NET any -> $HOME_NET any content:"|D9 EE D9 74 24 F4|"; content:"|81|"; distance:1; content:"|13|"; distance:1; content:"|83|"; distance:1; content:"|FC E2 F4|"; distance:1; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; 17322 SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder shellcode-detect ip $EXTERNAL_NET any -> $HOME_NET any content:"|E8 FF FF FF FF C0 5E 81 76 0E|"; content:"|83 EE FC E2 F4|"; distance:4; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; 17344 SHELLCODE x86 OS agnostic xor dword decoder shellcode-detect ip $EXTERNAL_NET any -> $HOME_NET any content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; 17345 SHELLCODE x86 OS agnostic dword additive feedback decoder 21856 attempted-user 2007-0027 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.xls; content:"|7F 00 54 01 09 00 01 00 00 00 00 00 0C 00 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17362 WEB-CLIENT Microsoft Excel IMDATA buffer overflow attempt 25567 attempted-user 2007-0870 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.doc; content:"|A8 00 00 00 00 00 00 00 41 41 41 41 10 00 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17368 WEB-CLIENT Microsoft Word document stream handling code execution attempt 23780 attempted-user 2007-1214 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|43 6F 6C 75 6D 6E 20 42 3F 9B 00 00 00 9D 00 02 00 02 00 9E 00 1D 00 33 00 04 2A 06 02 8C 23 01 01 04 01 00|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-user; 17377 SPECIFIC-THREATS Microsoft excel Malformed Filter Records Handling Code Execution attempt 24450 attempted-user 2007-0245 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client, established; content:"rtf"; nocase; content:"|5C|prtdata"; distance:0; nocase; isdataat:200,relative; content:!"|0A|"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17403 WEB-CLIENT OpenOffice RTF File parsing heap buffer overflow attempt attempted-user 2008-4841 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.doc; content:"|11 84 98 FE 5E 84 68 01 60 84 98 FE 4F 4A 06 00 51 4A 06 00 6F 28 00 87 68 00 00 00 00 88 48 00 00 42 43 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17404 EXPLOIT Microsoft Word Converter XST structure buffer overflow attempt www.microsoft.com/technet/security/bulletin/ms09-010.mspx attempted-user 2008-4841 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|00 00 0D 10 00 00 0F 84 D0 02 11 84 98 FE 5E 84 D0 02 60 84 98 FE 6F 28 00 87 68 00 00 00 00 88 48 00 00 1F 05|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17405 EXPLOIT Microsoft Word Converter XST structure buffer overflow attempt www.microsoft.com/technet/security/bulletin/ms09-010.mspx attempted-user 2008-4841 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.doc; content:"|5F B3 AC 33 42 1E DA DE 51 CA FA 0D 4F 71 3C 4B BE EC 72 87 2B 4D 06 22 A7 4C 49 75 6A E0 37 20 BB 29 CB A9 2E|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17406 EXPLOIT Microsoft Word Converter XST structure buffer overflow attempt www.microsoft.com/technet/security/bulletin/ms09-010.mspx 15780 attempted-user 2005-4131 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.xls; content:"|00 18 00 1F|"; byte_test:2,&,1,6,relative,little; metadata:policy security-ips drop, service http; classtype:attempted-user; 17488 SPECIFIC-THREATS Excel Malformed Range Code Execution attempt 18905 attempted-user 2006-3493 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,http.ole; content:"|41 41 41 41 41 41 41 41 09 09 09 09 09 09 0D 41 41 41 41 41 41 41 41 41 41 41 41 41 41 09 0D 41|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-user; 17491 SPECIFIC-THREATS Microsoft Word mso.dll LsCreateLine Memory Corruption 18853 attempted-user 2006-1301 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"|1D 00 0F 00 03 00 00 00 00 00 00 FF FF FF FF FF FF 00 00 EF|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-user; 17492 SPECIFIC-THREATS Microsoft Excel Malformed SELECTION Record Code Execution attempt 21589 attempted-user 2006-6561 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.doc; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:"|EC A5|"; within:2; distance:504; byte_test:4,>,65535,114,relative,little; metadata:policy security-ips drop, service http; classtype:attempted-user; 17505 WEB-CLIENT Microsoft Word formatted disk pages table memory corruption attempt 21589 attempted-user 2006-6561 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.doc; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:"|EC A5|"; within:2; distance:504; byte_test:4,>,65535,126,relative,little; metadata:policy security-ips drop, service http; classtype:attempted-user; 17506 WEB-CLIENT Microsoft Word formatted disk pages table memory corruption attempt 21589 attempted-user 2006-6561 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.doc; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:"|EC A5|"; within:2; distance:504; byte_test:4,>,65535,138,relative,little; metadata:policy security-ips drop, service http; classtype:attempted-user; 17507 WEB-CLIENT Microsoft Word formatted disk pages table memory corruption attempt 16181 attempted-user 2006-0030 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.xls; content:"|00 0D 10 38 00 00 00 18 01 61 00 61 00 61 00|"; pcre:"/(\x51\x10..\x01(\x02|\x00)|\x01(\x02|\x00)..\x51\x10)/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17511 WEB-CLIENT Excel malformed Graphic Code Execution 17101 attempted-user 2006-0031 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.xls; content:"|9C 00|"; byte_test:2,>,14,2,relative,little; byte_test:2,>,20,4,little; metadata:policy security-ips drop, service http; classtype:attempted-user; 17517 WEB-CLIENT excel Malformed Record Code Execution attempt 15926 attempted-user 2006-0031 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.xls; content:"|00 00 00 00 0C 00 77 30 30 74 77 30 30 74 77 30 30 74 8C 00 04 00 21 00|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-user; 17537 SPECIFIC-THREATS Microsoft Excel Unspecified Null Page Name Memory Corruption Attempt 15926 attempted-user 2006-0031 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.xls; content:"|53 68 65 65 74 31 00 00 00 00 00 00 53 68 65 65 74 32 00 00|"; depth:20; offset:688; metadata:policy security-ips drop, service http; classtype:attempted-user; 17538 SPECIFIC-THREATS Microsoft Excel Unspecified Page Name Memory Corruption Attempt 15926 attempted-user 2006-0030 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.xls; content:"|00 00 00 00 00 0D 10 7E 00 00 00 3B 01 77 00 30 00 30 00 74 00 2C 00 20 00 4D 00 61 00 72 00 63 00 20 00 42 00 65 00 68 00 61 00 72 00 20 00 67 00 69 00 76 00 65 00 73 00 20 00 30 00 2E 00 30 00 31 00 24 00 20 00 62 00 6C 00 6F 00 77 00 6A 00 6F 00 62 00 20 00 61 00 74 00 20 00 65 00 62 00 61 00 79 00 2C 00 20 00 67 00 6F 00 67 00 6F 00 67 00 6F|"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17539 SPECIFIC-THREATS Microsoft Excel Unspecified Grafic Pointer Memory Corruption Attempt 21922 attempted-user 2007-0031 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.xls; content:"|00 00 80 00 FF 93 02 04 00 14 80 05 FF 92 00 E2 00 80 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17542 SPECIFIC-THREATS Excel MalformedPalete Record Memory Corruption attempt 21925 attempted-user 2007-0030 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.xls; content:"|08 00 00 00 00 00|"; byte_test:2,>,255,8,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17543 WEB-CLIENT Excel Column Record Handling Memory Corruption attempt 14216 attempted-user 2005-0564 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.doc; content:"|04 05 02 03 04 87 7A 00 20 00 00 00 80 08 00 00 00 00 00 00 00 FF 01 00 00 00 00 00 00 44 44|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-user; 17550 SPECIFIC-THREATS Microsoft Word Font Parsing Buffer Overflow attempt 31235 attempted-user 2007-5660 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E9880553-B8A7-4960-A668-95C68BED571E"; fast_pattern:only; nocase; content:"unescape|28 27 25 75 34|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17555 SPECIFIC-THREATS Macrovision InstallShield Update Service ActiveX exploit attempt support.installshield.com/kb/view.asp?articleid=Q113602 32583 attempted-user 2008-4026 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,http.doc; content:"|22 B0 08 07 23 90 A0 05 24 90 A0 05 33 50 00 19 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17560 SPECIFIC-THREATS Microsoft Word Global Array Index Heap Overflow attempt 34880 attempted-user 2009-0225 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"|08 00 00 00 00 00 00 00 AA FF FF 3F 00 00 00 00 FD 03 00 00 01 00 00 00 34 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17565 SPECIFIC-THREATS Microsoft Office PowerPoint PP7 File Handling Memory Corruption attempt 12480 attempted-admin 2004-0848 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"|00|"; http_uri; pcre:"/\w{3}\x25\x30\x30[^\r\n]{2000}/Ii"; metadata:policy security-ips drop, service http; classtype:attempted-admin; 17568 WEB-MISC Microsoft Office XP URL Handling Buffer Overflow attempt 14362 attempted-user 2005-2768 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,visio.request; content:"Visio|20 28|TM|29 20|Drawing"; nocase; content:"|77 77 00 80|"; within:4; distance:30; metadata:policy security-ips drop, service http; classtype:attempted-user; 17574 SPECIFIC-THREATS Sophos Anti-Virus Visio File Parsing Buffer Overflow attempt 22225 attempted-user 2007-0515 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,http.doc; content:"|24 00 61 24 03 00 00 00 00 00 00 00 D1 50 00 00 04 00 00 AC 00 00 00 00 FF FF FF FF 00 00 00 00 CE|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-user; 17578 SPECIFIC-THREATS Microsoft Word Section Table Array Buffer Overflow attempt 22383 attempted-user 2007-0671 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|00 06 00 53 68 65 65 74 33 8C 00 04 00 01 00 01|"; content:"|00 A0 03 41 41 41 41 81 01 09 00 00 08 C0 01 40|"; within:16; distance:64; metadata:policy security-ips drop, service http; classtype:attempted-user; 17579 SPECIFIC-THREATS Microsoft Office Drawing Record msofbtOPT Code Execution attempt 32584 attempted-user 2008-4837 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.doc; content:"|01 49 66 01 00 00 00 08 D6 FD FF 05 D6 18 04 01 00 00 04 01|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17591 WEB-CLIENT Microsoft Word Crafted Sprm memory corruption attempt 23804 attempted-user 2007-0035 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.doc; content:"|01 00 00 02 01 00 00 9E 01 00 00 02 01 00 00 96 01 00 00 FF|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17649 WEB-CLIENT Microsoft Word array data handling buffer overflow attempt 28167 attempted-user 2008-0115 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|17655, service http, policy balanced-ips drop, policy security-ips drop; 17655 WEB-CLIENT Microsoft Excel malformed formula parsing code execution attempt www.microsoft.com/technet/security/bulletin/MS08-014.mspx 36200 attempted-user 2009-0201 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|17665, service http, policy security-ips drop, policy balanced-ips drop; 17665 WEB-CLIENT OpenOffice Word document table parsing multiple heap based buffer overflow attempt 39721 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"25745F2B-2AC9-4551-948B-574C50D4EE59"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*25745F2B-2AC9-4551-948B-574C50D4EE59\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(RegisterCom)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*25745F2B-2AC9-4551-948B-574C50D4EE59\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(RegisterCom))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17670 WEB-ACTIVEX BigAnt Office Manager ActiveX clsid access 39721 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|5|00|7|00|4|00|5|00|F|00|2|00|B|00|-|00|2|00|A|00|C|00|9|00|-|00|4|00|5|00|5|00|1|00|-|00|9|00|4|00|8|00|B|00|-|00|5|00|7|00|4|00|C|00|5|00|0|00|D|00|4|00|E|00|E|00|5|00|9|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x005\x007\x004\x005\x00F\x002\x00B\x00-\x002\x00A\x00C\x009\x00-\x004\x005\x005\x001\x00-\x009\x004\x008\x00B\x00-\x005\x007\x004\x00C\x005\x000\x00D\x004\x00E\x00E\x005\x009\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17671 WEB-ACTIVEX BigAnt Office Manager ActiveX clsid unicode access 39721 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AntCore.AntConsole"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22AntCore\.AntConsole(\.\d)?\x22|\x27AntCore\.AntConsole(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*RegisterCom\s*|.*(?P=v)\s*\.\s*RegisterCom\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AntCore\.AntConsole(\.\d)?\x22|\x27AntCore\.AntConsole(\.\d)?\x27)\s*\)(\s*\.\s*RegisterCom\s*|.*(?P=n)\s*\.\s*RegisterCom\s*)/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17672 WEB-ACTIVEX BigAnt Office Manager ActiveX function call access 39721 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|n|00|t|00|C|00|o|00|r|00|e|00|.|00|A|00|n|00|t|00|C|00|o|00|n|00|s|00|o|00|l|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)A\x00n\x00t\x00C\x00o\x00r\x00e\x00.\x00A\x00n\x00t\x00C\x00o\x00n\x00s\x00o\x00l\x00e\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)A\x00n\x00t\x00C\x00o\x00r\x00e\x00.\x00A\x00n\x00t\x00C\x00o\x00n\x00s\x00o\x00l\x00e\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17673 WEB-ACTIVEX BigAnt Office Manager ActiveX function call unicode access attempted-user 2009-0565 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|17690, service http, policy balanced-ips drop, policy security-ips drop; 17690 EXPLOIT Microsoft Word remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-027.mspx attempted-user 2009-0565 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|17691, service http, policy balanced-ips drop, policy security-ips drop; 17691 EXPLOIT Microsoft Word remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-027.mspx 33245 attempted-user 2007-2588 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"18A295DA-088E-42D1-BE31-5028D7F9B9B5"; nocase; content:"targetObject.OpenWebFile|28|"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips alert, service http; classtype:attempted-user; 17701 SPECIFIC-THREATS Office Viewer ActiveX arbitrary command execution attempt moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html 31706 attempted-user 2008-4019 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,xml.download; content:"|3D|rept|28|"; nocase; pcre:"/\x3ccell\s+[^\x3e]*\x3aFormula\s*\x3d\s*\x22\s*\x3drept\x28/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17734 WEB-MISC Excel REPT integer underflow attempt attempted-user 2009-0563 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|17742, service http, policy balanced-ips drop, policy security-ips drop; 17742 EXPLOIT Microsoft Word remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-027.mspx 29104 attempted-user 2008-1091 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17743, service http, policy balanced-ips drop, policy security-ips drop; 17743 EXPLOIT Microsoft Word RTF parsing memory corruption www.microsoft.com/technet/security/bulletin/MS08-026.mspx attempted-user 2010-3216 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|17754, service http, policy balanced-ips drop, policy security-ips drop; 17754 EXPLOIT Microsoft Word bookmark bound check remote code execution attempt www.microsoft.com/technet/security/Bulletin/MS10-079.mspx attempted-user 2010-3219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|17755, service http, policy balanced-ips drop, policy security-ips drop; 17755 EXPLOIT Microsoft Word unchecked index value remote code execution attempt www.microsoft.com/technet/security/Bulletin/MS10-079.mspx attempted-user 2010-3220 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|17756, service http, policy balanced-ips drop, policy security-ips drop; 17756 WEB-CLIENT Microsoft Word XP PLFLSInTableStream heap overflow attempt www.microsoft.com/technet/security/bulletin/MS10-079.mspx attempted-user 2010-3230 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|17757, service http, policy balanced-ips drop, policy security-ips drop; 17757 WEB-CLIENT Microsoft Excel CrErr record integer overflow attempt www.microsoft.com/technet/security/bulletin/MS10-080.mspx attempted-user 2010-3231 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|17758, service http, policy balanced-ips drop, policy security-ips drop; 17758 EXPLOIT Microsoft Excel PtgExtraArray data parsing vulnerability exploit attempt www.microsoft.com/technet/security/bulletin/MS10-080.mspx attempted-user 2010-3239 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|17759, service http, policy balanced-ips drop, policy security-ips drop; 17759 EXPLOIT Microsoft Excel invalid SerAr object exploit attempt www.microsoft.com/technet/security/bulletin/MS10-080.mspx attempted-user 2010-3240 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|17760, service http, policy balanced-ips drop, policy security-ips drop; 17760 EXPLOIT Microsoft Excel RealTimeData record exploit attempt www.microsoft.com/technet/security/bulletin/MS10-080.mspx attempted-user 2010-3237 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|17761, service http, policy balanced-ips drop, policy security-ips drop; 17761 WEB-CLIENT Microsoft Excel malformed MergeCells record exploit attempt www.microsoft.com/technet/security/bulletin/MS10-080.mspx attempted-user 2010-3232 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|17762, service http, policy balanced-ips drop, policy security-ips drop; 17762 WEB-CLIENT Microsoft Excel corrupted TABLE record clean up exploit attempt www.microsoft.com/technet/security/bulletin/MS10-080.mspx attempted-user 2010-3242 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|17763, service http, policy balanced-ips drop, policy security-ips drop; 17763 EXPLOIT Microsoft Excel GhostRw record exploit attempt www.microsoft.com/technet/security/bulletin/MS10-080.mspx attempted-user 2010-3235 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|17764, service http, policy balanced-ips drop, policy security-ips drop; 17764 EXPLOIT Microsoft Excel PtgName invalid index exploit attempt www.microsoft.com/technet/security/bulletin/MS10-080.mspx attempted-user 2010-3334 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|18063, service http, policy balanced-ips drop, policy security-ips alert; 18063 WEB-CLIENT Microsoft Office embedded Office Art drawings execution attempt www.microsoft.com/technet/security/bulletin/MS10-087.mspx attempted-user 2010-3333 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|18067, service http, policy balanced-ips drop, policy security-ips drop; 18067 WEB-CLIENT Microsoft Office RTF parsing remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-087 attempted-user 2010-3335 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|18068, service http, policy balanced-ips drop, policy security-ips drop; 18068 EXPLOIT Microsoft Excel malformed MsoDrawingObject record attempt www.microsoft.com/technet/security/bulletin/MS10-087.mspx attempted-user 2010-3336 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|18069, service http, policy security-ips drop; 18069 WEB-CLIENT Microsoft Office Art drawing invalid shape identifier attempt www.microsoft.com/technet/security/bulletin/MS10-087.mspx attempted-user 2010-3945 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18200, service http, policy balanced-ips drop, policy security-ips drop; 18200 EXPLOIT Microsoft Office .CGM file cell array heap overflow attempt www.microsoft.com/technet/security/bulletin/MS10-105.mspx attempted-user 2010-3947 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.tiff; metadata: engine shared, soid 3|18201, service http, policy balanced-ips drop, policy security-ips drop; 18201 EXPLOIT Microsoft Office TIFF filter remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-105.mspx attempted-user 2010-3946 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.pct; metadata: engine shared, soid 3|18235, service http, policy security-ips drop; 18235 WEB-CLIENT Microsoft Office PICT graphics converter memory corruption attempt www.microsoft.com/technet/security/bulletin/MS10-105.mspx attempted-user 2010-3949 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.tiff; metadata: engine shared, soid 3|18236, service http, policy balanced-ips drop, policy security-ips drop; 18236 SPECIFIC-THREATS Microsoft Office TIFFIM32.FLT filter memory corruption attempt www.microsoft.com/technet/security/bulletin/MS10-105.mspx 4449 attempted-user 2007-1201 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0002E530-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E530-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 4170 WEB-ACTIVEX Office 2000 and 2002 Web Components Data Source Control ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS02-044.mspx 4449 attempted-user 2002-0727 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"0002E520-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E520-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; classtype:attempted-user; 4175 WEB-ACTIVEX Office 2000/2002 Web Components PivotTable ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS02-044.mspx 4449 attempted-user 2002-0727 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"0002E500-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E500-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; classtype:attempted-user; 4176 WEB-ACTIVEX Office 2000 and 2002 Web Components Chart ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS02-044.mspx 4453 attempted-user 2006-4695 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0002E510-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E510-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 4177 WEB-ACTIVEX Office 2000 and 2002 Web Components Spreadsheet ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS08-017.mspx 4449 attempted-user 2002-0727 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"0002E531-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E531-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; classtype:attempted-user; 4178 WEB-ACTIVEX Office 2000 and 2002 Web Components Record Navigation Control ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS02-044.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"F28D867A-DDB1-11D3-B8E8-00A0C981AEEB"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F28D867A-DDB1-11D3-B8E8-00A0C981AEEB/si"; metadata:policy security-ips drop; classtype:attempted-user; 4217 WEB-ACTIVEX Microsoft Office Services on the Web Free/Busy ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"6B7F1602-D44C-11D0-A7D9-AE3D17000000"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6B7F1602-D44C-11D0-A7D9-AE3D17000000/si"; metadata:policy security-ips drop; classtype:attempted-user; 4218 WEB-ACTIVEX Microsoft Visual Basic WebClass ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A| HWPE Word Filtered Echelon LOG"; fast_pattern:only; metadata:policy security-ips drop; classtype:successful-recon-limited; 5780 SPYWARE-PUT Keylogger runtime detection - hwpe word filtered echelon log www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A| HWAE Word Filtered Echelon LOG"; fast_pattern:only; metadata:policy security-ips drop; classtype:successful-recon-limited; 5782 SPYWARE-PUT Keylogger runtime detection - hwae word filtered echelon log www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/toolbar/getlinks.php"; nocase; http_uri; content:"User-Agent|3A| Iterenet Explorer"; nocase; http_header; content:"Host|3A| www.wordiq.com"; nocase; http_header; metadata:policy security-ips drop; classtype:successful-recon-limited; 5892 SPYWARE-PUT Trackware wordiq toolbar runtime detection - get link info www.softpedia.com/progReportSpyware/12-3-196 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/toolbar/search_log.php?"; nocase; http_uri; content:"toolbar_id="; nocase; http_uri; content:"se_id="; nocase; http_uri; content:"keywords="; nocase; http_uri; content:"User-Agent|3A| Iterenet Explorer"; fast_pattern:only; metadata:policy security-ips drop; classtype:successful-recon-limited; 5893 SPYWARE-PUT Trackware wordiq toolbar runtime detection - search keyword www.softpedia.com/progReportSpyware/12-3-196 misc-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; flowbits:isset,GhostVoice_InitConnection_withpassword; content:"request|3A|"; depth:8; metadata:policy security-ips drop; classtype:misc-activity; 5958 SPYWARE-PUT Hacker-Tool ghostvoice 1.02 runtime detection - init connection with password requirement www3.ca.com/securityadvisor/pest/pest.aspx?id=453073224 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/gettotal.m?"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; content:"a="; nocase; http_uri; content:"r=rxh"; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5959 SPYWARE-PUT Hijacker raxsearch detection - send search keywords to raxsearch www.spywareguide.com/product_show.php?id=2485 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/keyword.php?"; nocase; http_uri; content:"installID="; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"partnerID="; nocase; http_uri; content:"partnerReferID="; nocase; http_uri; content:"Host|3A| searchfst.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 5962 SPYWARE-PUT Hijacker searchfast detection - catch search keyword www.spywareguide.com/product_show.php?id=1694 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/delayed.cgi?"; nocase; http_uri; content:"g="; nocase; http_uri; content:"edata="; nocase; http_uri; content:"q="; nocase; http_uri; content:"User-Agent|3A| Mirar_KeywordContent"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5992 SPYWARE-PUT Hijacker getmirar runtime detection - get keyword-related content www3.ca.com/securityadvisor/pest/pest.aspx?id=453077933 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/showme.aspx?keyword="; nocase; http_uri; content:"Host|3A| tv.180solutions.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 6185 SPYWARE-PUT Adware 180Search assistant runtime detection - reporting keyword www3.ca.com/securityadvisor/pest/pest.aspx?id=453090677 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/showme.aspx?keyword="; fast_pattern; nocase; http_uri; content:"Host|3A| tv.seekmo.com"; nocase; metadata:policy security-ips alert; classtype:misc-activity; 6192 SPYWARE-PUT Adware seekmo runtime detection - reporting keyword www.spywareguide.com/product_show.php?id=2368 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| NavExcel Search Toolbar"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 6278 SPYWARE-PUT Trickler navexcel search toolbar runtime detection - activate/update www3.ca.com/securityadvisor/pest/pest.aspx?id=453074928 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"PWD|0A|"; depth:4; nocase; flowbits:set,NetDemon_Init1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6309 BACKDOOR net demon runtime detection - initial connection - password request www3.ca.com/securityadvisor/pest/pest.aspx?id=4029 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; flowbits:isset,NetDemon_Init1; content:"PWD "; nocase; pcre:"/^PWD\s+[^\r\n]*\n/smi"; flowbits:set,NetDemon_Init2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6310 BACKDOOR net demon runtime detection - initial connection - password send www3.ca.com/securityadvisor/pest/pest.aspx?id=4029 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,NetDemon_Init2; content:"OKPWD|0A|"; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6311 BACKDOOR net demon runtime detection - initial connection - password accepted www3.ca.com/securityadvisor/pest/pest.aspx?id=4029 18500 attempted-user 2006-3086 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|E0 C9 EA|y|F9 BA CE 11 8C 82 00 AA 00|K|A9 0B|"; byte_test:4,>,3628,0,relative,little; metadata:policy security-ips drop; classtype:attempted-user; 7002 WEB-CLIENT excel url unicode overflow attempt www.microsoft.com/technet/security/bulletin/ms06-037.mspx 18583 attempted-user 2006-3014 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"n|DB 7C D2|m|AE CF 11 96 B8|DEST|00 00|"; content:"FWS"; within:3; distance:8; content:"javascript|3A|"; distance:0; nocase; metadata:policy security-ips drop; classtype:attempted-user; 7025 WEB-CLIENT excel url unicode overflow attempt www.microsoft.com/technet/security/bulletin/ms06-069.mspx attempted-user 2006-1306 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.xls; content:"]"; content:"|05|"; within:8; flowbits:set,excel.object; flowbits:noalert; classtype:attempted-user; 7047 WEB-CLIENT excel object record overflow attempt www.microsoft.com/technet/security/bulletin/ms06-037.mspx attempted-user 2006-1306 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,excel.object; content:"]|00|"; byte_test:2,>,8224,1,relative; flowbits:unset,excel.object; metadata:policy security-ips drop; classtype:attempted-user; 7048 WEB-CLIENT excel object record overflow attempt www.microsoft.com/technet/security/bulletin/ms06-037.mspx trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|B8 9B 93 9D 9A A2 91 86 9D 92 8D 88|"; depth:12; flowbits:set,sinique_initial_crt_client-to-server; flowbits:noalert; classtype:trojan-activity; 7087 BACKDOOR sinique 1.0 runtime detection - initial connection with correct password client-to-server www3.ca.com/securityadvisor/pest/pest.aspx?id=453077730 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|B8 9B 93 9D 9A A2 91 86 9D 92 8D 88|"; depth:12; flowbits:set,sinique_initial_wrg_client-to-server; flowbits:noalert; classtype:trojan-activity; 7089 BACKDOOR sinique 1.0 runtime detection - initial connection with wrong password -client-to-server www3.ca.com/securityadvisor/pest/pest.aspx?id=453077730 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1480 flow:to_server,established; content:"catasenha|7C|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 7098 BACKDOOR remote hack 1.5 runtime detection - get password www.spywareguide.com/product_show.php?id=1523 17252 attempted-user 2006-1540 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|00 00 00 00 00 00 1D 00 0F 00 03 00 00 00|"; isdataat:2,relative; content:!"|00|"; within:1; distance:2; metadata:policy security-ips drop; classtype:attempted-user; 7197 WEB-CLIENT excel MSO.DLL malformed string parsing single byte buffer over attempt www.microsoft.com/technet/security/bulletin/ms06-038.mspx 17252 attempted-user 2006-1540 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|00 00 00 00 00 00 1D 00 0F 00 03 00 00 00|"; content:"|00|"; within:1; distance:2; isdataat:6,relative; content:!"|00 00 00 00 00|"; within:5; distance:1; metadata:policy security-ips drop; classtype:attempted-user; 7198 WEB-CLIENT excel MSO.DLL malformed string parsing multi byte buffer over attempt www.microsoft.com/technet/security/bulletin/ms06-038.mspx 28166 attempted-user 2008-0114 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.xls; content:"|02 04|"; byte_test:2,>,35071,2,relative; metadata:policy security-ips drop, service http; classtype:attempted-user; 7199 WEB-CLIENT excel label record overflow attempt www.microsoft.com/technet/security/bulletin/ms06-037.mspx attempted-user 2006-1540 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|02 D5 CD D5 9C|.|1B 10 93 97 08 00|+,|F9 AE|"; content:"|1E 00 00 00 00 00 00 00|"; distance:0; metadata:policy security-ips drop; classtype:attempted-user; 7200 WEB-CLIENT microsoft word document summary information null string overflow attempt www.microsoft.com/technet/security/bulletin/ms06-038.mspx attempted-user 2006-1540 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|E0 85 9F F2 F9|Oh|10 AB 91 08 00|+'|B3 D9|"; content:"|1E 00 00 00 00 00 00 00|"; distance:0; metadata:policy security-ips drop; classtype:attempted-user; 7201 WEB-CLIENT microsoft word summary information null string overflow attempt www.microsoft.com/technet/security/bulletin/ms06-038.mspx attempted-user 2006-1540 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|02 D5 CD D5 9C|.|1B 10 93 97 08 00|+,|F9 AE|"; content:"|1E 00 00 00|"; distance:0; byte_test:4,>,2147483646,0,relative; metadata:policy security-ips drop; classtype:attempted-user; 7202 WEB-CLIENT microsoft word document summary information string overflow attempt www.microsoft.com/technet/security/bulletin/ms06-038.mspx attempted-user 2006-1540 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|E0 85 9F F2 F9|Oh|10 AB 91 08 00|+'|B3 D9|"; content:"|1E 00 00 00|"; distance:0; byte_test:4,>,2147483646,0,relative; metadata:policy security-ips drop; classtype:attempted-user; 7203 WEB-CLIENT microsoft word information string overflow attempt www.microsoft.com/technet/security/bulletin/ms06-038.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"cn.dll?pid="; nocase; http_uri; content:"met="; nocase; http_uri; content:"charset="; nocase; http_uri; content:"name="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"name.cnnic.cn"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*name\x2ecnnic\x2ecn/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7517 SPYWARE-PUT Hijacker chinese keywords runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453074952 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"|FA CB D9 D9 E5 E1 D6|"; depth:7; metadata:policy security-ips drop; classtype:trojan-activity; 7616 BACKDOOR theef 2.0 runtime detection - connection without password www3.ca.com/securityadvisor/pest/pest.aspx?id=453083786 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"|FA CB D9 D9 DD C5 D8 CE D6|"; depth:9; flowbits:set,theef20.1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7617 BACKDOOR theef 2.0 runtime detection - connection request with password - flowbit 1 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; flowbits:isset,theef20.1; content:"|FA CB D9 D9 EB DE DE D6 9B 98 99|"; depth:11; flowbits:set,theef20.2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7618 BACKDOOR theef 2.0 runtime detection - connection request with password - flowbit 2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,theef20.2; content:"|FA CB D9 D9|"; depth:4; metadata:policy security-ips drop; classtype:trojan-activity; 7619 BACKDOOR theef 2.0 runtime detection - connection request with password www3.ca.com/securityadvisor/pest/pest.aspx?id=453083786 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; dsize:5; content:"PWDok"; depth:5; metadata:policy security-ips drop; classtype:trojan-activity; 7785 BACKDOOR forced control uploader runtime detection - connection with password misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Navhelper"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Navhelper/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7832 SPYWARE-PUT Hijacker navexcel helper runtime detection - active/update www3.ca.com/securityadvisor/pest/pest.aspx?id=453074928 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"ts="; nocase; http_uri; content:"Host|3A| www.trustedsearch.com"; fast_pattern; nocase; http_header; metadata:policy security-ips drop; classtype:misc-activity; 7833 SPYWARE-PUT Hijacker navexcel helper runtime detection - search www3.ca.com/securityadvisor/pest/pest.aspx?id=453074928 28136 attempted-user 2007-1201 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0002E533-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E533-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 7870 WEB-ACTIVEX Microsoft Office Data Source Control 9.0 ActiveX clsid access www.microsoft.com/technet/security/Bulletin/MS08-017.mspx 28136 attempted-user 2007-1201 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|3|00|3|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 7871 WEB-ACTIVEX Microsoft Office Data Source Control 9.0 ActiveX clsid unicode access www.microsoft.com/technet/security/Bulletin/MS08-017.mspx attempted-user 2002-0861 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0002E552-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E552-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; classtype:attempted-user; 7874 WEB-ACTIVEX Microsoft Office PivotTable 10.0 ActiveX CLSID access www.microsoft.com/technet/security/Bulletin/MS02-044.mspx attempted-user 2002-0861 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|5|00|2|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x005\x002\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7875 WEB-ACTIVEX Microsoft Office PivotTable 10.0 ActiveX CLSID unicode access www.microsoft.com/technet/security/Bulletin/MS02-044.mspx 35990 attempted-user 2009-0562 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0002E553-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E553-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 7876 WEB-ACTIVEX Microsoft Office Data Source Control 10.0 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS09-043.mspx 35990 attempted-user 2009-0562 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|5|00|3|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x005\x003\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 7877 WEB-ACTIVEX Microsoft Office Data Source Control 10.0 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS09-043.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/go3.php"; nocase; http_uri; content:"key="; nocase; http_uri; content:"NO="; nocase; http_uri; content:"PID="; nocase; http_uri; content:"UN="; nocase; http_uri; content:"Host|3A|"; nocase; content:"www.yok.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*www\x2Eyok\x2Ecom/smi"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:misc-activity; 8358 SPYWARE-PUT Hijacker yok supersearch runtime detection - addressbar keyword search hijack research.sunbelt-software.com/threatdisplay.aspx?name=Yok.SuperSearch&threatid=44407 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"65BCBEE4-7728-41A0-97BE-14E1CAE36AAE"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*65BCBEE4-7728-41A0-97BE-14E1CAE36AAE/si"; metadata:policy security-ips drop; classtype:attempted-user; 8397 WEB-ACTIVEX Microsoft Office List 11.0 ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|5|00|B|00|C|00|B|00|E|00|E|00|4|00|-|00|7|00|7|00|2|00|8|00|-|00|4|00|1|00|A|00|0|00|-|00|9|00|7|00|B|00|E|00|-|00|1|00|4|00|E|00|1|00|C|00|A|00|E|00|3|00|6|00|A|00|A|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*6\x005\x00B\x00C\x00B\x00E\x00E\x004\x00-\x007\x007\x002\x008\x00-\x004\x001\x00A\x000\x00-\x009\x007\x00B\x00E\x00-\x001\x004\x00E\x001\x00C\x00A\x00E\x003\x006\x00A\x00A\x00E\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8398 WEB-ACTIVEX Microsoft Office List 11.0 ActiveX CLSID unicode access attempted-user 2006-3875 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.xls; content:"}|00 0C 00 00 00|"; content:!"|00|"; within:1; distance:1; metadata:policy security-ips drop; classtype:attempted-user; 8448 WEB-CLIENT Excel colinfo XF record overflow attempt www.microsoft.com/technet/security/bulletin/ms06-059.mspx 24462 attempted-user 2006-3729 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0002E55B-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E55B-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DeleteRecordSourceIfUnused)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E55B-0000-0000-C000-000000000046\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DeleteRecordSourceIfUnused))\s*\(/si"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 8723 WEB-ACTIVEX Microsoft Office Data Source Control 11.0 ActiveX clsid access osvdb.org/27111 24462 attempted-user 2006-3729 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|5|00|B|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 8724 WEB-ACTIVEX Microsoft Office Data Source Control 11.0 ActiveX clsid unicode access osvdb.org/27111 31235 attempted-user 2007-5660 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E9880553-B8A7-4960-A668-95C68BED571E"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E9880553-B8A7-4960-A668-95C68BED571E\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DownloadAndExecute|AddFileEx|ExecuteRemote)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E9880553-B8A7-4960-A668-95C68BED571E\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DownloadAndExecute|AddFileEx|ExecuteRemote))\s*\(/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 8738 WEB-ACTIVEX Macrovision InstallShield Update Service ActiveX clsid access support.installshield.com/kb/view.asp?articleid=Q113602 31235 attempted-user 2007-5660 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|9|00|8|00|8|00|0|00|5|00|5|00|3|00|-|00|B|00|8|00|A|00|7|00|-|00|4|00|9|00|6|00|0|00|-|00|A|00|6|00|6|00|8|00|-|00|9|00|5|00|C|00|6|00|8|00|B|00|E|00|D|00|5|00|7|00|1|00|E|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*E\x009\x008\x008\x000\x005\x005\x003\x00-\x00B\x008\x00A\x007\x00-\x004\x009\x006\x000\x00-\x00A\x006\x006\x008\x00-\x009\x005\x00C\x006\x008\x00B\x00E\x00D\x005\x007\x001\x00E\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 8739 WEB-ACTIVEX Macrovision InstallShield Update Service ActiveX clsid unicode access support.installshield.com/kb/view.asp?articleid=Q113602 31235 attempted-user 2007-5660 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DWUSWebAgent.WebAgent"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22DWUSWebAgent\.WebAgent\x22|\x27DWUSWebAgent\.WebAgent\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DownloadAndExecute|AddFileEx|ExecuteRemote)\s*|.*(?P=v)\s*\.\s*(DownloadAndExecute|AddFileEx|ExecuteRemote)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22DWUSWebAgent\.WebAgent\x22|\x27DWUSWebAgent\.WebAgent\x27)\s*\)(\s*\.\s*(DownloadAndExecute|AddFileEx|ExecuteRemote)\s*|.*(?P=n)\s*\.\s*(DownloadAndExecute|AddFileEx|ExecuteRemote)\s*)\s*\(/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 8740 WEB-ACTIVEX Macrovision InstallShield Update Service ActiveX function call access support.installshield.com/kb/view.asp?articleid=Q113602 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"/express/sq.jsp"; fast_pattern; nocase; http_uri; content:"query="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.sogou.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Esogou\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 9645 SPYWARE-PUT Hijacker sogou runtime detection - keyword hijack www3.ca.com/securityadvisor/pest/pest.aspx?id=453098380 310 Client / Office 2305 web-application-attack 2006-1652 tcp $EXTERNAL_NET 5900 -> $HOME_NET any flow:to_client,established; content:"|00 00 00 00 00 00 04 06|"; depth:8; isdataat:1029,relative; classtype:web-application-attack; 10087 EXPLOIT VNC password request buffer overflow attempt 23068 attempted-admin 2006-6026 tcp $EXTERNAL_NET any -> $HOME_NET 554 flow:established,to_server; content:"LoadTestPassword|3A|"; nocase; isdataat:1024,relative; pcre:"/^LoadTestPassword\x3A[^\r\n]{1024,}/smi"; classtype:attempted-admin; 10407 EXPLOIT Helix Server LoadTestPassword buffer overflow attempt lists.helixcommunity.org/pipermail/server-cvs/2007-January/003783.html 1734 web-application-attack 2000-0925 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"_private/shopping_cart.mdb"; http_uri; metadata:service http; classtype:web-application-attack; 1098 WEB-MISC SmartWin CyberOffice Shopping Cart access 33283 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"18A295DA-088E-42D1-BE31-5028D7F9B9B5"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q9>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*18A295DA-088E-42D1-BE31-5028D7F9B9B5\s*}?\s*(?P=q9)(\s|>).*(?P=id1)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q10>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*18A295DA-088E-42D1-BE31-5028D7F9B9B5\s*}?\s*(?P=q10)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\.(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile))\s*\(/siO"; metadata:service http; classtype:attempted-user; 11199 WEB-ACTIVEX Office Viewer ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html 33283 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"1|00|8|00|A|00|2|00|9|00|5|00|D|00|A|00|-|00|0|00|8|00|8|00|E|00|-|00|4|00|2|00|D|00|1|00|-|00|B|00|E|00|3|00|1|00|-|00|5|00|0|00|2|00|8|00|D|00|7|00|F|00|9|00|B|00|9|00|B|00|5|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q11>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*1\x008\x00A\x002\x009\x005\x00D\x00A\x00-\x000\x008\x008\x00E\x00-\x004\x002\x00D\x001\x00-\x00B\x00E\x003\x001\x00-\x005\x000\x002\x008\x00D\x007\x00F\x009\x00B\x009\x00B\x005\x00(}\x00)?(?P=q11)(?=\s\x00|>\x00)/siO"; metadata:service http; classtype:attempted-user; 11200 WEB-ACTIVEX Office Viewer ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html 33283 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"OA.OActrl"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22OA\.OActrl(\.\d)?\x22|\x27OA\.OActrl(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=v)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OA\.OActrl(\.\d)?\x22|\x27OA\.OActrl(\.\d)?\x27)\s*\)(\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*|.*(?P=n)\s*\.\s*(DoOleCommand|FTPDownloadFile|FTPUploadFile|HttpUploadFile|Save|SaveWebFile|OpenWebFile)\s*)\s*\(/smiO"; metadata:service http; classtype:attempted-user; 11201 WEB-ACTIVEX Office Viewer ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html 33283 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"O|00|A|00|.|00|O|00|A|00|c|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q12>\x22|\x27|)O\x00A\x00.\x00O\x00A\x00c\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q12)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q13>\x22|\x27|)O\x00A\x00.\x00O\x00A\x00c\x00t\x00r\x00l\x00(\.\x00\d\x00)?(?P=q13)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:service http; classtype:attempted-user; 11202 WEB-ACTIVEX Office Viewer ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-04-office-viewer-oaocx-v-32.html 24118 attempted-user 2007-2903 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8936033C-4A50-11D1-98A4-00A0C90F27C6"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8936033C-4A50-11D1-98A4-00A0C90F27C6\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(HelpPopup)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8936033C-4A50-11D1-98A4-00A0C90F27C6\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(HelpPopup))\s*\(/si"; classtype:attempted-user; 11622 WEB-ACTIVEX Microsoft Office 2000 OUACTR ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-23-microsoft-office-2000.html 24118 attempted-user 2007-2903 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|9|00|3|00|6|00|0|00|3|00|3|00|C|00|-|00|4|00|A|00|5|00|0|00|-|00|1|00|1|00|D|00|1|00|-|00|9|00|8|00|A|00|4|00|-|00|0|00|0|00|A|00|0|00|C|00|9|00|0|00|F|00|2|00|7|00|C|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 11623 WEB-ACTIVEX Microsoft Office 2000 OUACTR ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-23-microsoft-office-2000.html 24230 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"053AFEBA-D968-435F-B557-19FF76372B1B"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*053AFEBA-D968-435F-B557-19FF76372B1B\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(DeleteLocalFile|HttpDownloadFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*053AFEBA-D968-435F-B557-19FF76372B1B\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(DeleteLocalFile|HttpDownloadFile))\s*\(/si"; classtype:attempted-user; 11660 WEB-ACTIVEX EDraw Office Viewer ActiveX clsid access moaxb.blogspot.com/2007/05/moaxb-29-edraw-office-viewer-component.html 24230 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|5|00|3|00|A|00|F|00|E|00|B|00|A|00|-|00|D|00|9|00|6|00|8|00|-|00|4|00|3|00|5|00|F|00|-|00|B|00|5|00|5|00|7|00|-|00|1|00|9|00|F|00|F|00|7|00|6|00|3|00|7|00|2|00|B|00|1|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 11661 WEB-ACTIVEX EDraw Office Viewer ActiveX clsid unicode access moaxb.blogspot.com/2007/05/moaxb-29-edraw-office-viewer-component.html 24230 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"EDrawOfficeViewer.EDrawOfficeViewerCtrl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22EDrawOfficeViewer\.EDrawOfficeViewerCtrl\x22|\x27EDrawOfficeViewer\.EDrawOfficeViewerCtrl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(DeleteLocalFile|HttpDownloadFile)\s*|.*(?P=v)\s*\.\s*(DeleteLocalFile|HttpDownloadFile)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EDrawOfficeViewer\.EDrawOfficeViewerCtrl\x22|\x27EDrawOfficeViewer\.EDrawOfficeViewerCtrl\x27)\s*\)(\s*\.\s*(DeleteLocalFile|HttpDownloadFile)\s*|.*(?P=n)\s*\.\s*(DeleteLocalFile|HttpDownloadFile)\s*)\s*\(/smi"; classtype:attempted-user; 11662 WEB-ACTIVEX EDraw Office Viewer ActiveX function call access moaxb.blogspot.com/2007/05/moaxb-29-edraw-office-viewer-component.html 24230 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|D|00|r|00|a|00|w|00|O|00|f|00|f|00|i|00|c|00|e|00|V|00|i|00|e|00|w|00|e|00|r|00|.|00|E|00|D|00|r|00|a|00|w|00|O|00|f|00|f|00|i|00|c|00|e|00|V|00|i|00|e|00|w|00|e|00|r|00|C|00|t|00|r|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)E\x00D\x00r\x00a\x00w\x00O\x00f\x00f\x00i\x00c\x00e\x00V\x00i\x00e\x00w\x00e\x00r\x00.\x00E\x00D\x00r\x00a\x00w\x00O\x00f\x00f\x00i\x00c\x00e\x00V\x00i\x00e\x00w\x00e\x00r\x00C\x00t\x00r\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)E\x00D\x00r\x00a\x00w\x00O\x00f\x00f\x00i\x00c\x00e\x00V\x00i\x00e\x00w\x00e\x00r\x00.\x00E\x00D\x00r\x00a\x00w\x00O\x00f\x00f\x00i\x00c\x00e\x00V\x00i\x00e\x00w\x00e\x00r\x00C\x00t\x00r\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 11663 WEB-ACTIVEX EDraw Office Viewer ActiveX function call unicode access moaxb.blogspot.com/2007/05/moaxb-29-edraw-office-viewer-component.html 1057 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/officescan/cgi/jdkRqNotify.exe"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1192 WEB-MISC Trend Micro OfficeScan access 24462 attempted-user 2006-3729 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"O|00|W|00|C|00|1|00|1|00|.|00|D|00|a|00|t|00|a|00|S|00|o|00|u|00|r|00|c|00|e|00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)O\x00W\x00C\x001\x001\x00.\x00D\x00a\x00t\x00a\x00S\x00o\x00u\x00r\x00c\x00e\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)O\x00W\x00C\x001\x001\x00.\x00D\x00a\x00t\x00a\x00S\x00o\x00u\x00r\x00c\x00e\x00C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 11967 WEB-ACTIVEX Microsoft Office Data Source Control 11.0 ActiveX function call unicode access osvdb.org/27111 24801 attempted-user 2007-1756 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.xls; content:"|09 08 10 00|"; fast_pattern:only; pcre:"/\x09\x08\x10\x00\x00[\x00\x01\x07-\xff]/sm"; classtype:attempted-user; 12070 EXPLOIT Microsoft Excel malformed version field www.microsoft.com/technet/security/Bulletin/MS07-036.mspx 22555 attempted-user 2007-3029 tcp $EXTERNAL_NET 80 -> $HOME_NET any flow:from_server,established; flowbits:isset,http.xls; content:"|FF FF FF FF FF FF FF FF 09 08|"; content:"|00 00|"; within:2; distance:1; content:"|05 00|"; within:2; distance:1; pcre:"/\x3d\x00\x12\x00..........(.[\x80-\xff]|...[\x80-\xff])/smiR"; classtype:attempted-user; 12099 MISC Microsoft Excel rtWindow1 record handling arbitrary code execution attempt www.microsoft.com/technet/security/bulletin/MS07-036.mspx 24803 attempted-user 2007-3030 tcp $EXTERNAL_NET 80 -> $HOME_NET any flow:from_server,established; flowbits:isset,http.xls; content:"|FF FF FF FF FF FF FF FF 09 08|"; fast_pattern:only; pcre:"/\xff{8}\x09\x08[\x08\x10]\x00\x00[\x05\x06]\x00\x01/sm"; classtype:attempted-user; 12184 MISC Microsoft Excel workbook workspace designation handling arbitrary code execution attempt www.microsoft.com/technet/security/Bulletin/MS07-036.mspx trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; flowbits:isset,Theef210_Connectionwithnopassword; content:"|FC CF D8 D6 98 84 9B 9A|"; depth:8; classtype:trojan-activity; 12234 BACKDOOR theef 2.10 runtime detection - connect with no password www.symantec.com/security_response/writeup.jsp?docid=2002-071209-4425-99 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; flowbits:isset,Theef210_Connectionwithpassword; content:"|FA CB D9 D9 EB DE DE D6|"; depth:8; classtype:trojan-activity; 12236 BACKDOOR theef 2.10 runtime detection - connect with password www.symantec.com/security_response/writeup.jsp?docid=2002-071209-4425-99 attempted-user 2007-3041 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0DDF3B5C-E692-11D1-AB06-00AA00BDD685"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0DDF3B5C-E692-11D1-AB06-00AA00BDD685\s*}?\s*(?P=q1)(\s|>)/Osi"; classtype:attempted-user; 12261 WEB-ACTIVEX Microsoft Visual Basic 6 PDWizard.File ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms07-045.mspx attempted-user 2007-3041 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|D|00|D|00|F|00|3|00|B|00|5|00|C|00|-|00|E|00|6|00|9|00|2|00|-|00|1|00|1|00|D|00|1|00|-|00|A|00|B|00|0|00|6|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|D|00|D|00|6|00|8|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/Osi"; classtype:attempted-user; 12262 WEB-ACTIVEX Microsoft Visual Basic 6 PDWizard.File ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms07-045.mspx attempted-user 2007-3041 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"PDWizard.File"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22PDWizard\.File\x22|\x27PDWizard\.File\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22PDWizard\.File\x22|\x27PDWizard\.File\x27)\s*\)/Osmi"; classtype:attempted-user; 12263 WEB-ACTIVEX Microsoft Visual Basic 6 PDWizard.File ActiveX function call access www.microsoft.com/technet/security/bulletin/ms07-045.mspx attempted-user 2007-3041 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"P|00|D|00|W|00|i|00|z|00|a|00|r|00|d|00|.|00|F|00|i|00|l|00|e|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)P\x00D\x00W\x00i\x00z\x00a\x00r\x00d\x00.\x00F\x00i\x00l\x00e\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)P\x00D\x00W\x00i\x00z\x00a\x00r\x00d\x00.\x00F\x00i\x00l\x00e\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/Osmi"; classtype:attempted-user; 12264 WEB-ACTIVEX Microsoft Visual Basic 6 PDWizard.File ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/ms07-045.mspx attempted-user 2007-2216 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8B217752-717D-11CE-AB5B-D41203C10000"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q5>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8B217752-717D-11CE-AB5B-D41203C10000\s*}?\s*(?P=q5)(\s|>)/Osi"; classtype:attempted-user; 12265 WEB-ACTIVEX Microsoft Visual Basic 6 SearchHelper ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms07-045.mspx attempted-user 2007-2216 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|B|00|2|00|1|00|7|00|7|00|5|00|2|00|-|00|7|00|1|00|7|00|D|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|5|00|B|00|-|00|D|00|4|00|1|00|2|00|0|00|3|00|C|00|1|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q6>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q6)(?=\s\x00|>\x00)/Osi"; classtype:attempted-user; 12266 WEB-ACTIVEX Microsoft Visual Basic 6 SearchHelper ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms07-045.mspx attempted-user 2007-2216 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"TLI.SearchHelper"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22TLI\.SearchHelper\x22|\x27TLI\.SearchHelper\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TLI\.SearchHelper\x22|\x27TLI\.SearchHelper\x27)\s*\)/Osmi"; classtype:attempted-user; 12267 WEB-ACTIVEX Microsoft Visual Basic 6 SearchHelper ActiveX function call access www.microsoft.com/technet/security/bulletin/ms07-045.mspx attempted-user 2007-2216 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"T|00|L|00|I|00|.|00|S|00|e|00|a|00|r|00|c|00|h|00|H|00|e|00|l|00|p|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q7>\x22|\x27|)T\x00L\x00I\x00.\x00S\x00e\x00a\x00r\x00c\x00h\x00H\x00e\x00l\x00p\x00e\x00r\x00(?P=q7)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q8>\x22|\x27|)T\x00L\x00I\x00.\x00S\x00e\x00a\x00r\x00c\x00h\x00H\x00e\x00l\x00p\x00e\x00r\x00(?P=q8)(\s|>)(\s\x00)*\)\x00/Osmi"; classtype:attempted-user; 12268 WEB-ACTIVEX Microsoft Visual Basic 6 SearchHelper ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/ms07-045.mspx attempted-user 2007-2216 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8B21775E-717D-11CE-AB5B-D41203C10000"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8B21775E-717D-11CE-AB5B-D41203C10000\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(TypeLibInfoFromFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8B21775E-717D-11CE-AB5B-D41203C10000\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(TypeLibInfoFromFile))\s*\(/Osi"; classtype:attempted-user; 12269 WEB-ACTIVEX Microsoft Visual Basic 6 TLIApplication ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms07-045.mspx attempted-user 2007-2216 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|B|00|2|00|1|00|7|00|7|00|5|00|E|00|-|00|7|00|1|00|7|00|D|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|5|00|B|00|-|00|D|00|4|00|1|00|2|00|0|00|3|00|C|00|1|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; classtype:attempted-user; 12270 WEB-ACTIVEX Microsoft Visual Basic 6 TLIApplication ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms07-045.mspx attempted-user 2007-2216 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"TLI.TLIApplication"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22TLI\.TLIApplication\x22|\x27TLI\.TLIApplication\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*TypeLibInfoFromFile\s*|.*(?P=v)\s*\.\s*TypeLibInfoFromFile\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TLI\.TLIApplication\x22|\x27TLI\.TLIApplication\x27)\s*\)(\s*\.\s*TypeLibInfoFromFile\s*|.*(?P=n)\s*\.\s*TypeLibInfoFromFile\s*)\s*\(/Osmi"; classtype:attempted-user; 12271 WEB-ACTIVEX Microsoft Visual Basic 6 TLIApplication ActiveX function call access www.microsoft.com/technet/security/bulletin/ms07-045.mspx attempted-user 2007-2216 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"T|00|L|00|I|00|.|00|T|00|L|00|I|00|A|00|p|00|p|00|l|00|i|00|c|00|a|00|t|00|i|00|o|00|n|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)T\x00L\x00I\x00.\x00T\x00L\x00I\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)T\x00L\x00I\x00.\x00T\x00L\x00I\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; classtype:attempted-user; 12272 WEB-ACTIVEX Microsoft Visual Basic 6 TLIApplication ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/ms07-045.mspx attempted-user 2007-2216 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8B217746-717D-11CE-AB5B-D41203C10000"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q13>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*8B217746-717D-11CE-AB5B-D41203C10000\s*}?\s*(?P=q13)(\s|>)/Osi"; classtype:attempted-user; 12273 WEB-ACTIVEX Microsoft Visual Basic 6 TypeLibInfo ActiveX clsid access www.microsoft.com/technet/security/bulletin/ms07-045.mspx attempted-user 2007-2216 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8|00|B|00|2|00|1|00|7|00|7|00|4|00|6|00|-|00|7|00|1|00|7|00|D|00|-|00|1|00|1|00|C|00|E|00|-|00|A|00|B|00|5|00|B|00|-|00|D|00|4|00|1|00|2|00|0|00|3|00|C|00|1|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q14>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q14)(?=\s\x00|>\x00)/Osi"; classtype:attempted-user; 12274 WEB-ACTIVEX Microsoft Visual Basic 6 TypeLibInfo ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/ms07-045.mspx attempted-user 2007-2216 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"TLI.TypeLibInfo"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22TLI\.TypeLibInfo\x22|\x27TLI\.TypeLibInfo\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22TLI\.TypeLibInfo\x22|\x27TLI\.TypeLibInfo\x27)\s*\)/Osmi"; classtype:attempted-user; 12275 WEB-ACTIVEX Microsoft Visual Basic 6 TypeLibInfo ActiveX function call access www.microsoft.com/technet/security/bulletin/ms07-045.mspx attempted-user 2007-2216 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"T|00|L|00|I|00|.|00|T|00|y|00|p|00|e|00|L|00|i|00|b|00|I|00|n|00|f|00|o|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q15>\x22|\x27|)T\x00L\x00I\x00.\x00T\x00y\x00p\x00e\x00L\x00i\x00b\x00I\x00n\x00f\x00o\x00(?P=q15)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q16>\x22|\x27|)T\x00L\x00I\x00.\x00T\x00y\x00p\x00e\x00L\x00i\x00b\x00I\x00n\x00f\x00o\x00(?P=q16)(\s|>)(\s\x00)*\)\x00/Osmi"; classtype:attempted-user; 12276 WEB-ACTIVEX Microsoft Visual Basic 6 TypeLibInfo ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/ms07-045.mspx attempted-user 2007-3890 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"8|00 04 00|"; byte_test:2,>,32767,0,relative,little; flowbits:isset,xlw.download; classtype:attempted-user; 12284 WEB-CLIENT Excel rtWnDesk record memory corruption exploit attempt www.microsoft.com/technet/security/Bulletin/ms07-044.mspx 25892 attempted-user 2007-4821 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6BA21C22-53A5-463F-BBE8-5CF7FFA0132B"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6BA21C22-53A5-463F-BBE8-5CF7FFA0132B\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(HttpDownloadFile|HttpDownloadFileToTempDir|FtpDownloadFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6BA21C22-53A5-463F-BBE8-5CF7FFA0132B\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(HttpDownloadFile|HttpDownloadFileToTempDir|FtpDownloadFile))\s*\(/si"; classtype:attempted-user; 12430 WEB-ACTIVEX EDraw Office Viewer Component ActiveX clsid access 25892 attempted-user 2007-4821 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|B|00|A|00|2|00|1|00|C|00|2|00|2|00|-|00|5|00|3|00|A|00|5|00|-|00|4|00|6|00|3|00|F|00|-|00|B|00|B|00|E|00|8|00|-|00|5|00|C|00|F|00|7|00|F|00|F|00|A|00|0|00|1|00|3|00|2|00|B|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 12431 WEB-ACTIVEX EDraw Office Viewer Component ActiveX clsid unicode access 25892 attempted-user 2007-4821 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"EDraw.OfficeViewer"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22EDraw\.OfficeViewer\x22|\x27EDraw\.OfficeViewer\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(HttpDownloadFile|HttpDownloadFileToTempDir|FtpDownloadFile)\s*|.*(?P=v)\s*\.\s*(HttpDownloadFile|HttpDownloadFileToTempDir|FtpDownloadFile)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22EDraw\.OfficeViewer\x22|\x27EDraw\.OfficeViewer\x27)\s*\)(\s*\.\s*(HttpDownloadFile|HttpDownloadFileToTempDir|FtpDownloadFile)\s*|.*(?P=n)\s*\.\s*(HttpDownloadFile|HttpDownloadFileToTempDir|FtpDownloadFile)\s*)\s*\(/smi"; classtype:attempted-user; 12432 WEB-ACTIVEX EDraw Office Viewer Component ActiveX function call access 25892 attempted-user 2007-4821 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"E|00|D|00|r|00|a|00|w|00|.|00|O|00|f|00|f|00|i|00|c|00|e|00|V|00|i|00|e|00|w|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)E\x00D\x00r\x00a\x00w\x00.\x00O\x00f\x00f\x00i\x00c\x00e\x00V\x00i\x00e\x00w\x00e\x00r\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)E\x00D\x00r\x00a\x00w\x00.\x00O\x00f\x00f\x00i\x00c\x00e\x00V\x00i\x00e\x00w\x00e\x00r\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; classtype:attempted-user; 12433 WEB-ACTIVEX EDraw Office Viewer Component ActiveX function call unicode access 25629 attempted-user 2007-4776 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,from_server; content:"Reference"; nocase; pcre:"/^Reference\s*=\s*\*\x5CG\{[A-Z\d-]{36}\}\x23\d+\.\d+\x23\d+\x23[^\r\n]{474}/smi"; classtype:attempted-user; 12618 WEB-CLIENT Microsoft Visual Basic VBP file reference overflow attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/q/qry.phtml?"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"cx="; nocase; http_uri; content:"cxv="; nocase; http_uri; content:"qs="; nocase; http_uri; content:"get="; nocase; http_uri; classtype:misc-activity; 13277 SPYWARE-PUT Adware netword agent runtime detection www.symantec.com/fr/fr/security_response/writeup.jsp?docid=2006-042614-1031-99 4453 attempted-user 2006-4695 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|1|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 13467 WEB-ACTIVEX Office 2000 and 2002 Web Components Spreadsheet ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS02-044.mspx 4449 attempted-user 2007-1201 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|3|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; classtype:attempted-user; 13468 WEB-ACTIVEX Office 2000 and 2002 Web Components Data Source Control ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS02-044.mspx attempted-user 2008-0109 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.doc; metadata: engine shared, soid 3|13469; 13469 WEB-CLIENT Microsoft Word ole stream memory corruption attempt www.microsoft.com/technet/security/bulletin/ms08-009.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/kwordenter.asp?"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"ver=KW"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"vb"; nocase; http_header; content:"wininet"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*vb\s+wininet/smiH"; classtype:misc-activity; 13556 SPYWARE-PUT Hijacker kword interkey runtime detection - search traffic 1 www.noadware.net/research/index2.php?item_id=2656&item_name=Kword.InterKey misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.asp?"; nocase; http_uri; content:"fcode="; nocase; http_uri; content:"keywords="; nocase; http_uri; content:"part="; nocase; http_uri; content:"Host|3A| search.kword.co.kr"; fast_pattern:only; classtype:misc-activity; 13557 SPYWARE-PUT Hijacker kword interkey runtime detection - search traffic 2 www.noadware.net/research/index2.php?item_id=2656&item_name=Kword.InterKey misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/dwi_log/catch?"; fast_pattern; nocase; http_uri; content:"C="; nocase; http_uri; content:"V="; nocase; http_uri; content:"E="; nocase; http_uri; content:"R="; nocase; http_uri; content:"www.kword.co.kr"; nocase; http_uri; classtype:misc-activity; 13558 SPYWARE-PUT Hijacker kword interkey runtime detection - log user info www.noadware.net/research/index2.php?item_id=2656&item_name=Kword.InterKey attempted-user 2008-0081 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13569; 13569 WEB-CLIENT Microsoft Excel macro validation arbitrary code execution attempt www.microsoft.com/technet/security/bulletin/MS08-014.mspx attempted-user 2006-4695 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13580; 13580 WEB-ACTIVEX Microsoft Office Web Components remote code execution attempt ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS08-017.mspx attempted-user 2006-4695 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13581; 13581 WEB-ACTIVEX Microsoft Office Web Components remote code execution attempt ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS08-017.mspx 1057 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/officescan/cgi/jdkRqNotify.exe?"; nocase; http_uri; content:"domain="; nocase; http_uri; content:"event="; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1381 WEB-MISC Trend Micro OfficeScan attempt attempted-user 2008-3460 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13958; 13958 WEB-CLIENT WordPerfect Graphics file invalid RLE buffer overflow attempt www.microsoft.com/technet/security/bulletin/ms08-044.mspx attempted-user 2008-4256 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15089; 15089 WEB-ACTIVEX Microsoft Visual Basic Charts ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4256 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15091; 15091 WEB-ACTIVEX Microsoft Visual Basic Charts ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4252 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15093; 15093 WEB-ACTIVEX Microsoft Visual Basic DataGrid ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4252 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15095; 15095 WEB-ACTIVEX Microsoft Visual Basic DataGrid ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4253 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15097; 15097 WEB-ACTIVEX Microsoft Visual Basic FlexGrid ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4253 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15099; 15099 WEB-ACTIVEX Microsoft Visual Basic FlexGrid ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4254 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15101; 15101 WEB-ACTIVEX Microsoft Visual Basic Hierarchical FlexGrid ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4254 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15103; 15103 WEB-ACTIVEX Microsoft Visual Basic Hierarchical FlexGrid ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4251 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15119; 15119 WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2008-4251 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15121; 15121 WEB-ACTIVEX Microsoft Visual Basic Winsock ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/MS08-070.mspx attempted-user 2009-0560 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|15539, service http; 15539 WEB-CLIENT Microsoft Office Excel Formula record remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-021.mspx misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|0A FF|WPC"; content:"|01 0A 02 01|"; within:4; distance:4; metadata:service http; classtype:misc-activity; 15575 WEB-CLIENT WordPerfect file download www.corelconnected.com/html/files/WPFF_%21DocumentStructure.htm attempted-user 2009-2496 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15686; 15686 WEB-ACTIVEX Microsoft Office Web Components 10 Spreadsheet ActiveX clsid unicode access www.microsoft.com/technet/security/Bulletin/MS09-043.mspx attempted-user 2009-2496 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15688; 15688 WEB-ACTIVEX Microsoft Office Web Components 10 Spreadsheet ActiveX function call unicode access www.microsoft.com/technet/security/Bulletin/MS09-043.mspx attempted-user 2009-1136 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15690; 15690 WEB-ACTIVEX Microsoft Office Web Components 11 Spreadsheet ActiveX clsid unicode access www.microsoft.com/technet/security/Bulletin/MS09-043.mspx attempted-user 2009-1136 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15692; 15692 WEB-ACTIVEX Microsoft Office Web Components 11 Spreadsheet ActiveX function call unicode access www.microsoft.com/technet/security/Bulletin/MS09-043.mspx attempted-user 2009-1136 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"OWC10.Spreadsheet"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22OWC10\.Spreadsheet(\.\d)?\x22|\x27OWC10\.Spreadsheet(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OWC10\.Spreadsheet(\.\d)?\x22|\x27OWC10\.Spreadsheet(\.\d)?\x27)\s*\)/smiO"; metadata:service http; classtype:attempted-user; 15855 WEB-ACTIVEX Microsoft Office Spreadsheet 10.0 ActiveX function call access www.microsoft.com/technet/security/Bulletin/MS09-043.mspx attempted-user 2009-1136 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"O|00|W|00|C|00|1|00|0|00|.|00|S|00|p|00|r|00|e|00|a|00|d|00|s|00|h|00|e|00|e|00|t|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)O\x00W\x00C\x001\x000\x00.\x00S\x00p\x00r\x00e\x00a\x00d\x00s\x00h\x00e\x00e\x00t\x00(\.\x00\d\x00)?(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q4>\x22|\x27|)O\x00W\x00C\x001\x000\x00.\x00S\x00p\x00r\x00e\x00a\x00d\x00s\x00h\x00e\x00e\x00t\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:service http; classtype:attempted-user; 15856 WEB-ACTIVEX Microsoft Office Spreadsheet 10.0 ActiveX function call unicode access www.microsoft.com/technet/security/Bulletin/MS09-043.mspx attempted-user 2009-1534 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0002E512-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E512-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(htmlurl)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E512-0000-0000-C000-000000000046\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(htmlurl))\s*=/siO"; metadata:service http; classtype:attempted-user; 15858 WEB-ACTIVEX Microsoft Office Web Components Spreadsheet ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS09-043.mspx attempted-user 2009-1534 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|1|00|2|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x001\x002\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:service http; classtype:attempted-user; 15859 WEB-ACTIVEX Microsoft Office Web Components Spreadsheet ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS09-043.mspx attempted-user 2006-0028 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.xls; content:"|02 00 09 00 00 00 02 00|@|00 00 03 00 05 00 09 00 FF FF FF FF|A|15 00 01 00 05 00 09 00 01 00|"; classtype:attempted-user; 16059 EXPLOIT Microsoft Excel malformed file format parsing code execution attempt www.microsoft.com/technet/security/Bulletin/MS06-012.mspx attempted-admin 2009-3134 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-admin; flowbits:isset,http.xls; metadata: engine shared, soid 3|16228; 16228 WEB-CLIENT Microsoft Excel malformed StartObject record arbitrary code execution attempt www.microsoft.com/technet/security/bulletin/ms09-067.mspx attempted-user 2010-1249 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16650; 16650 WEB-CLIENT Microsoft Excel ExternName record stack buffer overflow attempt - 1 www.microsoft.com/technet/security/bulletin/MS10-038.mspx attempted-user 2010-1249 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16651; 16651 WEB-CLIENT Microsoft Excel ExternName record stack buffer overflow attempt - 2 www.microsoft.com/technet/security/bulletin/MS10-038.mspx attempted-user 2010-1249 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16652; 16652 WEB-CLIENT Microsoft Excel ExternName record stack buffer overflow attempt - 3 www.microsoft.com/technet/security/bulletin/MS10-038.mspx attempted-user 2010-1249 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16653; 16653 WEB-CLIENT Microsoft Excel ExternName record stack buffer overflow attempt - 4 www.microsoft.com/technet/security/bulletin/MS10-038.mspx attempted-user 2010-1250 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16654; 16654 WEB-CLIENT Microsoft Excel undocumented Publisher record heap buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS10-038.mspx attempted-user 2010-1251 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16655; 16655 WEB-CLIENT Microsoft Excel Lbl record stack overflow attempt www.microsoft.com/technet/security/bulletin/MS10-038.mspx attempted-user 2010-1252 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16656; 16656 WEB-CLIENT Microsoft Excel BIFF5 ExternSheet record stack overflow attempt www.microsoft.com/technet/security/bulletin/MS10-038.mspx attempted-user 2010-1253 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16657; 16657 WEB-CLIENT Microsoft Excel DBQueryExt record memory corruption attempt www.microsoft.com/technet/security/bulletin/MS10-038.mspx attempted-user 2010-2562 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17134; 17134 WEB-CLIENT Microsoft Excel out-of-bounds structure read memory corruption attempt www.microsoft.com/technet/security/bulletin/ms10-057.mspx attempted-user 2008-2238 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.emf; content:"|00 00 00 54|"; byte_test:4,>,2147483647,43,relative,little; classtype:attempted-user; 17388 WEB-CLIENT OpenOffice EMF file EMR record parsing integer overflow attempt www.openoffice.org/security/cves/CVE-2008-2238.html 32618 attempted-user 2008-4265 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.xls; content:"]|00|"; content:"|15|"; distance:0; byte_test:2,>,30,2,relative; content:"|04 01 BF 00 08 00 08 00 81 01 09 00 00 08 83 01|"; content:"|4D 00 00 08 BF 01 10 00 10 00 C0 01 17 00 00 08|"; within:16; classtype:attempted-user; 17532 SPECIFIC-THREATS Microsoft Excel TXO and OBJ Records Parsing Stack Memory Corruption 17378 web-application-attack 2006-1652 tcp $EXTERNAL_NET any -> $HOME_NET 5800 flow:to_server,established; content:"GET "; depth:4; isdataat:1029,relative; content:!"|0A|"; within:1024; classtype:web-application-attack; 17708 EXPLOIT VNC password request URL buffer overflow attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"word.onlinephilbert42f.ru"; nocase; classtype:policy-violation; 18049 PHISHING-SPAM word.onlinephilbert42f.ru known spam email attempt default-login-attempt tcp $EXTERNAL_NET any -> $HOME_NET 9090 flow:to_server,established; content:"/servlet/admin"; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; metadata:service http; classtype:default-login-attempt; 1859 WEB-MISC Sun JavaServer default password login attempt 10995 default-login-attempt tcp $EXTERNAL_NET any -> $HOME_NET 8080 flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+OmFkbWlu/smiH"; metadata:service http; classtype:default-login-attempt; 1860 WEB-MISC Linksys router default password login attempt 10999 default-login-attempt tcp $EXTERNAL_NET any -> $HOME_NET 8080 flow:to_server,established; content:"YWRtaW46YWRtaW4"; pcre:"/^Authorization\x3a\s*Basic\s+(?-i)YWRtaW46YWRtaW4[=\s]/smi"; metadata:service http; classtype:default-login-attempt; 1861 WEB-MISC Linksys router default username and password login attempt 10999 2763 rpc-portmap-decode 2001-0779 udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 2027 RPC yppasswd old password overflow attempt UDP 2763 rpc-portmap-decode 2001-0779 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 2028 RPC yppasswd old password overflow attempt TCP 2763 rpc-portmap-decode 2001-0779 udp $EXTERNAL_NET any -> $HOME_NET any flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; classtype:rpc-portmap-decode; 2029 RPC yppasswd new password overflow attempt UDP 2763 rpc-portmap-decode 2001-0779 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; classtype:rpc-portmap-decode; 2030 RPC yppasswd new password overflow attempt TCP attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 512 flow:to_server,established; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; classtype:attempted-admin; 2114 RSERVICES rexec password overflow attempt default-login-attempt tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"YWRtaW46cGFzc3dvcmQ"; nocase; http_header; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+YWRtaW46cGFzc3dvcmQ/smiH"; metadata:service http; classtype:default-login-attempt; 2230 WEB-MISC NetGear router default password login attempt admin/password 11737 attempted-dos 2000-0138 tcp $EXTERNAL_NET any -> $HOME_NET 27665 flow:established,to_server; content:"betaalmostdone"; classtype:attempted-dos; 233 DDOS Trin00 Attacker to Master default startup password attempted-dos 2000-0138 tcp $EXTERNAL_NET any -> $HOME_NET 27665 flow:established,to_server; content:"gOrave"; classtype:attempted-dos; 234 DDOS Trin00 Attacker to Master default password bad-unknown 2000-0138 tcp $EXTERNAL_NET any -> $HOME_NET 27665 flow:established,to_server; content:"killme"; classtype:bad-unknown; 235 DDOS Trin00 Attacker to Master default mdie password attempted-dos 2000-0138 udp $EXTERNAL_NET any -> $HOME_NET 27444 flow:to_server; content:"l44adsl"; classtype:attempted-dos; 237 DDOS Trin00 Master to Daemon default password attempt 9766 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/search.pl"; http_uri; content:"st="; nocase; metadata:service http; classtype:web-application-activity; 2408 WEB-MISC Invision Power Board search.pl access bad-unknown tcp $EXTERNAL_NET any -> $HOME_NET 1417 flow:to_server,established; content:"|05 00|>"; depth:16; classtype:bad-unknown; 505 MISC Insecure TIMBUKTU Password 17978 attempted-admin 2006-2369 tcp $EXTERNAL_NET any -> $HOME_NET [5800,5900:5999] flow:to_server,established; flowbits:isset,vnc.server.auth.types; flowbits:unset,vnc.server.auth.types; dsize:1; byte_test:1,=,1,0; classtype:attempted-admin; 6471 EXPLOIT RealVNC password authentication bypass attempt 18872 attempted-user 2006-3431 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.xls; content:"|93 02|"; byte_test:2,>,733,4,relative,little; classtype:attempted-user; 7024 WEB-CLIENT excel style handling overflow attempt www.microsoft.com/technet/security/bulletin/ms06-059.mspx trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,sinique_initial_crt_client-to-server; content:"|B8 9B 93 9D 9A A2 91 86 9D 92 9D 91 90|"; depth:13; classtype:trojan-activity; 7088 BACKDOOR sinique 1.0 runtime detection - initial connection with correct password server-to-client www3.ca.com/securityadvisor/pest/pest.aspx?id=453077730 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,sinique_initial_wrg_client-to-server; content:"|B8 9B 93 9D 9A B2 95 9D 98 91 90|"; depth:11; classtype:trojan-activity; 7090 BACKDOOR sinique 1.0 runtime detection - initial connection with wrong password server-to-client www3.ca.com/securityadvisor/pest/pest.aspx?id=453077730 18886 attempted-user 2006-1306 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.xls; content:"]|00|"; content:"|15|"; distance:0; byte_test:2,>,30,2,relative; classtype:attempted-user; 7204 WEB-CLIENT excel object ftCmo overflow attempt 18890 attempted-user 2006-1308 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.xls; content:"|9C 00|"; byte_test:2,>,14,2,relative; classtype:attempted-user; 7205 WEB-CLIENT excel FngGroupCount record overflow attempt attempted-user 2009-1136 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0002E551-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0002E551-0000-0000-C000-000000000046\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:service http; classtype:attempted-user; 7872 WEB-ACTIVEX Microsoft Office Spreadsheet 10.0 ActiveX clsid access www.microsoft.com/technet/security/Bulletin/MS09-043.mspx attempted-user 2009-1136 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|2|00|E|00|5|00|5|00|1|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x002\x00E\x005\x005\x001\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; metadata:service http; classtype:attempted-user; 7873 WEB-ACTIVEX Microsoft Office Spreadsheet 10.0 ActiveX clsid unicode access www.microsoft.com/technet/security/Bulletin/MS09-043.mspx 22085 attempted-user 2007-0243 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.gif; content:"GIF"; byte_test:1,!&,128,7,relative; content:","; within:1; distance:10; content:"|00 00|"; within:2; distance:4; metadata:policy security-ips drop; classtype:attempted-user; 10062 WEB-CLIENT Java Virtual Machine malformed GIF buffer overflow attempt 14242 attempted-user 2005-2265 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"InstallVersion"; nocase; content:"compareTo"; distance:0; nocase; pcre:"/InstallVersion\s*\x29?\s*\.\s*compareTo/smi"; metadata:policy security-ips drop; classtype:attempted-user; 10131 WEB-CLIENT mozilla compareTo arbitrary code execution attempt www.mozilla.org/security/announce/2005/mfsa2005-50.html 23771 attempted-user 2007-0944 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<colgroup"; nocase; content:"delete"; distance:0; nocase; pcre:"/<colgroup\s+[^>]*id\s*=\s*(?P<q1>\x22|\x27|)(?P<q2>\w+)(?P=q1)[^>]*>.*\s+(?P=q2)\.delete/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11257 WEB-CLIENT Microsoft Internet Explorer colgroup tag uninitialized memory corruption vulnerability www.microsoft.com/technet/security/bulletin/ms07-027.mspx 24165 attempted-admin 2007-2881 tcp $EXTERNAL_NET any -> $HOME_NET 1080 flow:to_server,established; content:"|05 01|"; depth:2; content:"|03|"; within:1; distance:1; byte_test:1,>,136,0,relative; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 11680 MISC Sun Java web proxy sockd buffer overflow attempt sunsolve.sun.com/search/document.do?assetkey=1-26-102927-1 22966 misc-attack 2007-1752 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ieframe.dll/navcancl.htm|23|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-attack; 11834 WEB-MISC Internet Explorer navcancl.htm url spoofing attempt www.microsoft.com/technet/security/bulletin/MS07-033.mspx 25734 attempted-user 2007-5019 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5852F5ED-8BF4-11D4-A245-0080C6F74284"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5852F5ED-8BF4-11D4-A245-0080C6F74284\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(dnsResolve)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*5852F5ED-8BF4-11D4-A245-0080C6F74284\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(dnsResolve))\s*\(/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12472 WEB-ACTIVEX Sun Java Web Start ActiveX clsid access 25734 attempted-user 2007-5019 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"5|00|8|00|5|00|2|00|F|00|5|00|E|00|D|00|-|00|8|00|B|00|F|00|4|00|-|00|1|00|1|00|D|00|4|00|-|00|A|00|2|00|4|00|5|00|-|00|0|00|0|00|8|00|0|00|C|00|6|00|F|00|7|00|4|00|2|00|8|00|4|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12473 WEB-ACTIVEX Sun Java Web Start ActiveX clsid unicode access 25734 attempted-user 2007-5019 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"JavaWebStart.isInstalled"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22JavaWebStart\.isInstalled\x22|\x27JavaWebStart\.isInstalled\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*dnsResolve\s*|.*(?P=v)\s*\.\s*dnsResolve\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22JavaWebStart\.isInstalled\x22|\x27JavaWebStart\.isInstalled\x27)\s*\)(\s*\.\s*dnsResolve\s*|.*(?P=n)\s*\.\s*dnsResolve\s*)\s*\(/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12474 WEB-ACTIVEX Sun Java Web Start ActiveX function call access 25734 attempted-user 2007-5019 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"J|00|a|00|v|00|a|00|W|00|e|00|b|00|S|00|t|00|a|00|r|00|t|00|.|00|i|00|s|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|e|00|d|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)J\x00a\x00v\x00a\x00W\x00e\x00b\x00S\x00t\x00a\x00r\x00t\x00.\x00i\x00s\x00I\x00n\x00s\x00t\x00a\x00l\x00l\x00e\x00d\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)J\x00a\x00v\x00a\x00W\x00e\x00b\x00S\x00t\x00a\x00r\x00t\x00.\x00i\x00s\x00I\x00n\x00s\x00t\x00a\x00l\x00l\x00e\x00d\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 12475 WEB-ACTIVEX Sun Java Web Start ActiveX function call unicode access misc-activity 2008-1544 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:misc-activity; metadata: engine shared, soid 3|13834, service http, policy security-ips drop; 13834 WEB-CLIENT Microsoft Internet Explorer request header overwrite www.microsoft.com/technet/security/bulletin/MS08-031.mspx 28448 attempted-user 2008-1236 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"iframe"; nocase; content:"iframe.contentDocument.designMode"; nocase; content:"addEventListener"; nocase; pcre:"/addEventListener\s*\(\s*(?P<q>\x22|\x27|)(mouse(move|down)|keydown)(?P=q)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 13838 WEB-CLIENT Mozilla Firefox IFRAME style change handling code execution www.mozilla.org/security/announce/2008/mfsa2008-15.html attempted-user 2008-2255 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13960, service http, policy security-ips drop; 13960 WEB-CLIENT Microsoft Internet Explorer static text range overflow attempt www.microsoft.com/technet/security/bulletin/MS08-045.mspx misc-attack 2008-2258 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:misc-attack; metadata: engine shared, soid 3|13961, policy balanced-ips drop, policy security-ips drop; 13961 WEB-CLIENT Internet Explorer table layout access violation vulnerability www.microsoft.com/technet/security/bulletin/ms08-045.mspx attempted-user 2008-2259 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13963, policy balanced-ips drop, policy security-ips drop; 13963 WEB-CLIENT Internet Explorer argument validation in print preview handling vulnerability www.microsoft.com/technet/security/bulletin/ms08-045.mspx attempted-user 2007-1681 tcp $EXTERNAL_NET any -> $HOME_NET 898 flow:to_server,established; content:"com.sun.management.viperimpl.services.authentication.AuthenticationPrincipal"; fast_pattern:only; content:"UserDesc"; nocase; content:"t|00|"; distance:0; isdataat:100,relative; content:"%"; within:50; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 14615 EXPLOIT Sun Java web console format string attempt 28083 attempted-admin 2008-1188 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"<?xml"; nocase; content:"encoding"; distance:0; nocase; pcre:"/^<\x3Fxml[^>]+?encoding\s*=\s*(\x22[^\x22]{28}|\x27[^\x27]{28})/smi"; metadata:policy security-ips drop, service http; classtype:attempted-admin; 15081 WEB-CLIENT Sun Java Web Start xml encoding buffer overflow attempt sunsolve.sun.com/search/document.do?assetkey=1-66-233323-1 attempted-user 2008-4261 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15114, policy security-ips drop; 15114 WEB-CLIENT Microsoft Internet Explorer embed src buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS08-073.mspx 32721 attempted-user 2008-4844 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; file_data; content:"datasrc"; distance:0; nocase; content:"datafld"; nocase; pcre:"/<(?P<t1>button|div|input[^>]+?type\s*=\s*(\x22|\x27)button(\x22|\x27)|label|legend|marquee|param|span)\s+[^>]*(datasrc\s*=\s*(?P<q1>\x22|\x27|)(?P<d1>\S+)(?P=q1)\s+[^>]*datafld\s*=\s*(?P<q2>\x22|\x27|)(?P<d2>\S+)(?P=q2)|datafld\s*=\s*(?P<q3>\x22|\x27|)(?P<d3>\S+)(?P=q3)\s+[^>]*datasrc\s*=\s*(?P<q4>\x22|\x27|)(?P<d4>\S+)(?P=q4))[^>]*>(?!.*?<\/\s*(?P=t1)\s*>.*?<(?P=t1)).*?<(?P=t1)\s+[^>]*(datasrc\s*=\s*(?P<q5>\x22|\x27|)((?P=d1)|(?P=d3))(?P=q5)\s+datafld\s*=\s*(?P<q6>\x22|\x27|)((?P=d2)|(?P=d4))(?P=q6)|(datafld\s*=\s*(?P<q7>\x22|\x27|)(?P=d1)(?P=q7)\s+datasrc\s*=\s*(?P<q8>\x22|\x27|)(?P=d2)(?P=q8)))/Osi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15126 WEB-CLIENT Internet Explorer nested tag memory corruption attempt www.microsoft.com/technet/security/bulletin/ms08-078.mspx 24242 attempted-user 2007-2867 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"document.getElementById|28 22|path|22 29|.pathSegList.getItem|28|-1|29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15164 SPECIFIC-THREATS Mozilla Products SVG Layout Engine Index Parameter memory corruption attempt attempted-user 2008-4064 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR|00 00 80 00 00 00 80 00 08 06 00 00 01 B3|{|93|"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15191 SPECIFIC-THREATS Mozilla Firefox animated PNG processing integer overflow misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".class"; nocase; http_uri; flowbits:set,java_class_file.request; flowbits:noalert; metadata:service http; classtype:misc-activity; 15237 WEB-MISC Java .class file download attempt 23608 attempted-user 2007-2175 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,java_class_file.request; content:"toQTPointer"; content:"quicktime/util/QTPointerRef"; distance:0; metadata:policy security-ips drop, service http; classtype:attempted-user; 15238 SPECIFIC-THREATS Apple QuickTime for Java toQTPointer function memory corruption attempt attempted-user 2009-0081 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,emf.request; metadata: engine shared, soid 3|15300, service http, policy balanced-ips drop, policy security-ips drop; 15300 WEB-CLIENT Microsoft Internet Explorer EMF polyline overflow attempt www.microsoft.com/technet/security/bulletin/ms09-006.mspx attempted-user 2009-0075 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15304, service http, policy balanced-ips alert, policy security-ips alert; 15304 WEB-CLIENT Internet Explorer object clone deletion memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-002.mspx attempted-user 2009-0076 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15305, service http, policy security-ips alert; 15305 WEB-CLIENT Microsoft Internet Explorer dynamic style update memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-002.mspx misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"String.fromCharCode|28|"; nocase; content:"String.fromCharCode|28|"; within:100; nocase; content:"String.fromCharCode|28|"; within:100; nocase; content:"String.fromCharCode|28|"; within:100; nocase; content:"String.fromCharCode|28|"; within:100; nocase; metadata:policy security-ips drop, service http; classtype:misc-activity; 15362 WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"eval|28|"; nocase; content:"unescape|28|"; within:15; nocase; content:!"|29|"; within:250; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-activity; 15363 WEB-CLIENT Potential obfuscated javascript eval unescape attack attempt www.cs.ucsb.edu/~marco/blog/2008/10/dom-based-obfuscation-in-malicious-javascript.html 26132 attempted-user 2007-5339 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"XUL_NS"; content:"child.parentNode.removeChild"; distance:0; content:"onselect=|22|deleteChild|28|event.originalTarget|29|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15383 SPECIFIC-THREATS Mozilla Firefox XBL Event Handler Tags Removal memory corruption attempt 33990 attempted-user 2009-0771 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,svg_file.request; content:"getElementsByTagName"; content:"pathSegList"; content:"createSVGPathSegMoveto"; fast_pattern; nocase; content:"appendItem"; distance:1; content:"replaceItem"; distance:1; pcre:"/(?P<N1>[a-zA-Z\x5f][a-zA-Z\x5f0-9]*\x2e)appendItem(?!.+?(?P=N1)appendItem).+?(?P=N1)replaceItem/s"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15428 WEB-CLIENT Mozilla Firefox SVG data processing memory corruption attempt www.mozilla.org/security/announce/2009/mfsa2009-07.html attempted-user 2009-0551 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15458, service http, policy balanced-ips drop, policy security-ips drop; 15458 EXPLOIT Internet Explorer navigating between pages race condition attempt www.microsoft.com/technet/security/bulletin/MS09-014.mspx attempted-user 2009-0552 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15459, service http, policy balanced-ips drop, policy security-ips drop; 15459 EXPLOIT Internet Explorer deleted/unitialized object memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-014.mspx attempted-user 2009-0553 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15460, service http, policy balanced-ips drop, policy security-ips drop; 15460 EXPLOIT Internet Explorer ActiveX load/unload race condition attempt www.microsoft.com/technet/security/bulletin/MS09-014.mspx attempted-user 2009-0554 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15461, service http, policy balanced-ips alert, policy security-ips drop; 15461 WEB-CLIENT Microsoft Internet Explorer marquee tag onstart memory corruption www.microsoft.com/technet/security/bulletin/MS09-014.mspx attempted-admin 2007-2881 tcp $EXTERNAL_NET any -> $HOME_NET 1080 flow:to_server,established; content:"|01|"; depth:1; byte_jump:1, 0, relative; content:"|FF|"; within:1; isdataat:300,relative; metadata:policy security-ips drop; classtype:attempted-admin; 15482 EXPLOIT Sun Java System sockd authentication buffer overflow attempt misc-attack 2007-3091 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:misc-attack; metadata: engine shared, soid 3|15529, service http, policy balanced-ips drop, policy security-ips drop; 15529 WEB-CLIENT Microsoft Internet Explorer cross-domain navigation cookie stealing attempt www.microsoft.com/technet/security/bulletin/MS09-019.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:".classid='clsid|3A|0955AC62-BF2E-4CBA-A2B9-A63F772D46CF'|3B|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15678 SPECIFIC-THREATS Microsoft DirectShow ActiveX exploit via JavaScript www.microsoft.com/technet/security/bulletin/ms09-032.mspx attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:".|00 00 00|c|00 00 00|l|00 00 00|a|00 00 00|s|00 00 00|s|00 00 00|i|00 00 00|d|00 00 00|=|00 00 00|'|00 00 00|c|00 00 00|l|00 00 00|s|00 00 00|i|00 00 00|d|00 00 00 3A 00 00 00|0|00 00 00|9|00 00 00|5|00 00 00|5|00 00 00|A|00 00 00|C|00 00 00|6|00 00 00|2|00 00 00|-|00 00 00|B|00 00 00|F|00 00 00|2|00 00 00|E|00 00 00|-|00 00 00|4|00 00 00|C|00 00 00|B|00 00 00|A|00 00 00|-|00 00 00|A|00 00 00|2|00 00 00|B|00 00 00|9|00 00 00|-|00 00 00|A|00 00 00|6|00 00 00|3|00 00 00|F|00 00 00|7|00 00 00|7|00 00 00|2|00 00 00|D|00 00 00|4|00 00 00|6|00 00 00|C|00 00 00|F|00 00 00|'|00 00 00 3B|"; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 15679 SPECIFIC-THREATS Microsoft DirectShow ActiveX exploit via JavaScript - unicode encoding www.microsoft.com/technet/security/bulletin/ms09-032.mspx 35660 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"unescape"; nocase; pcre:"/var[^=]+=\s*unescape\s*\x3b/i"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15697 WEB-CLIENT Generic javascript obfuscation attempt 35660 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"%u0c0c%u0c0c"; fast_pattern:only; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 15698 WEB-CLIENT Possible generic javascript heap spray attempt 35707 attempted-user 2009-2479 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"Math.ceil|28|Math.log|28|"; nocase; content:"Math.LN2|29|"; distance:0; nocase; pcre:"/\x29\s*\x2f\s*Math.LN2\x29/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15699 SPECIFIC-THREATS Mozilla Firefox 3.5 unicode stack overflow attempt attempted-user 2009-1917 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15731, service http, policy security-ips drop; 15731 EXPLOIT javascript deleted reference arbitrary code execution attempt www.microsoft.com/technet/security/bulletin/MS09-034.mspx attempted-user 2009-1919 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15732, service http, policy balanced-ips drop, policy security-ips drop; 15732 EXPLOIT Microsoft Internet Explorer CSS handling memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-034.mspx attempted-user 2009-1918 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15733, service http, policy balanced-ips drop, policy security-ips drop; 15733 EXPLOIT Microsoft Internet Explorer empty table tag memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-034.mspx attempted-user 2003-0838 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"window.createPopup|28 29|"; content:"oPopup.document.body.innerHTML"; distance:0; content:"<object data=ouch.php>"; distance:0; metadata:policy security-ips drop, service http; classtype:attempted-user; 15880 SPECIFIC-THREATS Microsoft Internet Explorer popup window object tag code execution attempt 30614 attempted-user 2008-2254 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client, established; content:"getElementById"; nocase; content:"innerHTML"; distance:0; nocase; pcre:"/id=\s*([^>]+)>.*?<script>.*?getElementByID\s*\x28[^\x29]*?\1\s*(\x22|\x27)\x29\x2EinnerHTML/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15910 EXPLOIT Microsoft Internet Explorer getElementById object corruption www.microsoft.com/technet/security/Bulletin/MS08-045.mspx 35660 attempted-user 2009-2477 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"function"; nocase; content:"|28|data|29|"; within:20; nocase; pcre:"/if\x28\s*(?P<var>[^\s]*)\s*\x3D\x3D\s*\x27(\x26|\x3f|\x3d|\x25|\s)\x27.*?(?P=var)\s*\x3d\s*escape\x28\s*(?P=var)\s*\x29\x3b/smiR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15997 SPECIFIC-THREATS Mozilla Firefox JIT escape function memory corruption attempt www.kb.cert.org/vuls/id/443060 21668 attempted-user 2006-6504 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"bb.appendChild|28|fr.childNodes[4]|29 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15999 SPECIFIC-THREATS Mozilla products frame comment objects manipulation memory corruption attempt 22085 attempted-user 2007-0243 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|F9 04 01 00 00 10 00|,|00 00 00 00 00 00 90 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 16000 WEB-CLIENT Sun Microsystems Java gif handling memory corruption attempt 22694 attempted-user 2007-0777 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"arguments=function |28 29|{}|3B|"; content:"arguments|28 29 3B|"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16005 SPECIFIC-THREATS Mozilla browsers JavaScript argument passing code execution attempt 23771 attempted-user 2007-0944 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<COLGROUP id=|22|colgroupid|22| span=2>"; content:"colgroupid.test = 'something'|3B|"; distance:0; metadata:policy security-ips drop, service http; classtype:attempted-user; 16007 SPECIFIC-THREATS Microsoft Internet Explorer colgroup tag uninitialized memory exploit attempt www.microsoft.com/technet/security/bulletin/ms07-027.mspx misc-activity 2007-0947 tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any flow:to_client, established, only_stream; content:"HTTP/1.1 304 Not Modified"; content:"HTTP/1.1 304 Not Modified"; distance:0; detection_filter:track by_src, count 20, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-activity; 16008 WEB-MISC Microsoft Internet Explorer 7 html object memory corruption attempt 24376 attempted-user 2007-2876 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"charset=utf-8,%3Chtml%3E"; content:"overflow%28%29%22%3ECrashIt"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 16009 SPECIFIC-THREATS Mozilla products overflow event handling memory corruption attempt 17671 attempted-user 2006-1993 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"id=|22|x_OtherInfo|22| name=|22|x_OtherInfo|22|>"; content:"iframe.contentWindow.focus|28 29|"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16024 SPECIFIC-THREATS Mozilla Firefox Javascript Function focus overflow attempt 17658 attempted-user 2006-1992 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<STYLE></STYLE>|0A|<OBJECT"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-user; 16031 WEB-CLIENT Microsoft Internet Explorer nested object tag memory corruption attempt 18309 attempted-user 2006-2382 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"charset=UTF-8"; nocase; file_data; content:"|F8|AAA|F8|AA|C8|"; within:8; metadata:policy security-ips drop, service http; classtype:attempted-user; 16032 WEB-CLIENT Microsoft Internet Explorer HTML Decoding memory corruption attempt 19987 attempted-user 2006-3873 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"Location|3A| /ABCDEFGHIJ"; http_header; metadata:policy security-ips drop, service http; classtype:attempted-user; 16033 SPECIFIC-THREATS Microsoft Internet Explorer compressed content attempt 17196 attempted-user 2006-1359 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:".createTextRange|28 29 3B|"; fast_pattern:only; nocase; content:"<input type|3D 22|image|22|"; nocase; pcre:"/\x3Cinput\s+type\x3D\x22image\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16035 WEB-CLIENT Microsoft Internet Explorer createTextRange code execution attempt 16476 attempted-user 2006-0295 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"Components.interfaces."; content:"|2E|QueryInterface"; distance:0; pcre:"/(?P<var>\S+)\s*\x3D\s*eval\x28\s*(\x22|\x27|)Components\x2Einterfaces\x2E.*?\x2EQueryInterface\x28\s*(?P=var)\s*\x29.*?(location|navigator)/s"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16036 WEB-CLIENT Mozilla Products QueryInterface method memory corruption attempt 16476 attempted-user 2006-0297 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<?xml"; content:"<svg"; distance:0; content:"<filter"; distance:0; pcre:"/^[^\x3E]*(width|height)\s*\x3D\s*(\x22|\x27)([3-9]\d{4}|\d{6})/R"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16037 WEB-CLIENT Mozilla products graphics and XML features integer overflows attempt 16770 attempted-user 2006-0884 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; content:"<iframe"; nocase; pcre:"/^\s*[^\x3e]*src\s*\x3d\s*[\x22\x27][^\x22\x27]*javascript\x3a/iR"; metadata:policy security-ips drop, service smtp; classtype:attempted-user; 16038 MISC Mozilla Thunderbird WYSIWIG engine filtering IFRAME JavaScript execution attempt 16427 attempted-user 2006-0496 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<P style=|22|-moz-binding|3A| url|28|http|3A|//gsx2/~rzhan/poc.xml|23|exploit|29 3B 22|></P>"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16042 SPECIFIC-THREATS Mozilla browsers CSS moz-binding cross domain scripting attempt 17468 attempted-dos 2006-1188 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|09 09|pre {|0A 09 09 09|white-space|3A|normal|3B 0A|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-dos; 16043 WEB-CLIENT Microsoft Internet Explorer html tag memory corruption attempt 17516 attempted-user 2006-1730 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"style=|22|letter-spacing|3A| -2147483648"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-user; 16044 WEB-CLIENT Mozilla Firefox CSS Letter-Spacing overflow attempt 18682 attempted-user 2006-3280 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"document.getElementById|28|'testdiv'|29|.innerHTML='<object data=|22|/~"; content:"/poc.php|22| type=text/html id=|22|"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16045 SPECIFIC-THREATS Microsoft Internet Explorer cross domain information disclosure attempt attempted-user 2007-5959 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"div|3A 3A|first-letter"; nocase; content:"position|3A| fixed"; nocase; content:"<q>"; nocase; content:"display|3A| -moz-box"; nocase; content:"binding.xml"; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 16047 SPECIFIC-THREATS Mozilla Firefox layout frame constructor memory corruption attempt 17516 attempted-user 2006-0749 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"BGCOLOR=|22|http|3A 22|-|9D 22 22| DP=-|B3| UNITS=|22 E2 E2 E2 E2|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-user; 16050 WEB-CLIENT Mozilla Firefox tag order memory corruption attempt 27668 attempted-user 2008-0076 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"<style>"; nocase; content:"<isindex>"; distance:0; fast_pattern; nocase; content:"<style>"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16063 WEB-CLIENT Internet Explorer isindex buffer overflow attempt www.microsoft.com/technet/security/bulletin/ms08-010.mspx 24911 misc-activity 2007-3826 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"opener.document.body.onbeforeunload=|22 22|"; nocase; content:"<body onBeforeUnload='spoofed=1'"; distance:0; nocase; metadata:policy security-ips drop, service http; classtype:misc-activity; 16064 SPECIFIC-THREATS internet explorer onBeforeUnload address bar spoofing attempt www.microsoft.com/technet/security/bulletin/ms07-057.mspx 26427 attempted-user 2007-5347 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"execScript|28|'function f|28 29|{location.replace|28 22|about|3A|blank|22 29 3B|}|3B|setTimeout|28 22|f|28 29 22|,5|29 3B|"; nocase; metadata:policy security-ips drop; classtype:attempted-user; 16065 SPECIFIC-THREATS internet explorer location.replace memory corruption attempt www.microsoft.com/technet/security/bulletin/ms07-069.mspx attempted-user 2007-5344 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"removeNode"; nocase; pcre:"/(\w+)\x2EremoveNode\s*\x28true\x29.*\1\x2EremoveNode\s*\x28\x29.*\1\x2E[^r]+/smi"; metadata:policy security-ips drop; classtype:attempted-user; 16067 SPECIFIC-THREATS Microsoft Internet Explorer DOM object cache management memory corruption attempt 36343 attempted-user 2009-3076 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"window.pkcs11.addmodule|28|"; pcre:"/(caption,\x22\x5c\x5c\x5c|\x22\x5cn\x5cn\x5cn\x22\x20\x2b\x20str)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16142 SPECIFIC-THREATS Mozilla Firefox PKCS11 module installation code execution attempt 36023 attempted-user 2009-2195 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"var pi=3+0.14159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852"; content:"document.write|28 22|Area = pi*|28|r^2|29 22|+pi*|28|radius*radius|29 29 3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16145 SPECIFIC-THREATS Apple Safari Webkit floating point buffer overflow attempt attempted-user 2009-1547 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16149, service http, policy balanced-ips drop, policy security-ips drop; 16149 EXPLOIT Microsoft Internet Explorer data stream header remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-054.mspx misc-activity 2009-2529 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:misc-activity; metadata: engine shared, soid 3|16150, service http, policy balanced-ips drop, policy security-ips drop; 16150 EXPLOIT Internet Explorer variant argument validation remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-054.mspx misc-activity 2009-2530 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:misc-activity; metadata: engine shared, soid 3|16151, service http, policy security-ips drop; 16151 WEB-CLIENT Internet Explorer unitialized or deleted object access attempt www.microsoft.com/technet/security/bulletin/MS09-054.mspx misc-activity 2009-2531 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:misc-activity; metadata: engine shared, soid 3|16152, service http, policy balanced-ips drop, policy security-ips drop; 16152 EXPLOIT Internet Explorer table layout unitialized or deleted object access attempt www.microsoft.com/technet/security/bulletin/MS09-054.mspx attempted-user 2009-0076 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16169, service http, policy security-ips alert; 16169 WEB-CLIENT Microsoft Internet Explorer dynamic style update memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-002.mspx 34743 attempted-user 2009-1313 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"white-space|3A| pre"; content:"<script>|0A|function doe|28 29|"; content:"getElementById|28|'a'|29|.childNodes[0].splitText|28|1|29|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16284 SPECIFIC-THREATS Mozilla Firefox ClearTextRun exploit attempt 36881 attempted-user 2009-3869 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|00 0B 28|II[B[B[B|29|V|01 00 0A|setDiffICM|01 00|S|28|II"; content:"|0A|,|10 0A 11 01 90 BB 00 17|Y|10 10 08 08 BC|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16288 SPECIFIC-THREATS Sun Java Runtime AWT setDiffICM stack buffer overflow attempt 35891 attempted-user 2009-2404 tcp $EXTERNAL_NET 443 -> $HOME_NET any flow:to_client,established; content:"|16|"; content:"|0B|"; within:1; distance:4; byte_test:3,>,0,3,relative,big; content:"|06 03|U|04 03|"; distance:0; pcre:"/^[\x0c\x13]([\x00-\x7f]|\x81.|\x82.{2})\x28(?=[^\x29]*\x7e)[^\x29]*\x7c/sR"; metadata:policy security-ips drop, service ssl; classtype:attempted-user; 16291 WEB-CLIENT Mozilla Network Security Services regexp heap overflow attempt attempted-user 2009-3673 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16317, service http, policy security-ips drop; 16317 EXPLOIT Internet Explorer mouse move during refresh memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-072.mspx attempted-user 2008-2540 tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any gid:3; classtype:attempted-user; flowbits:isset,safari.dll; metadata: engine shared, soid 3|16319, service http, policy balanced-ips drop, policy security-ips drop; 16319 WEB-CLIENT Safari-IE SearchPath blended threat attempt www.microsoft.com/technet/security/bulletin/MS09-015.mspx attempted-user 2010-0246 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16326, service http, policy balanced-ips drop, policy security-ips drop; 16326 EXPLOIT Microsoft Internet Explorer 8 DOM memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-072.mspx attempted-user 2009-0075 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16339, service http, policy balanced-ips alert, policy security-ips alert; 16339 WEB-CLIENT Internet Explorer object clone deletion memory corruption attempt - obfuscated www.microsoft.com/technet/security/bulletin/MS09-002.mspx 36343 attempted-user 2009-3073 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:".push"; content:"new"; within:10; pcre:"/^\s*function\s*(\S+)\s*\x28\s*\S+\s*\x29.+for\s*\x28[^\x29]+\x29\s*\x7B?\s*\S+\x2Epush\s*\x28\s*new\s+\1/sm"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16344 SPECIFIC-THREATS Mozilla Firefox top-level script object offset calculation memory corruption attempt 36866 attempted-user 2009-3382 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|3A|first-letter {float|3A| "; fast_pattern; content:".setAttribute|28|'style', 'display|3A| -moz-box|3B| '|29 3B|"; content:".style.display= 'none'|3B|"; within:60; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16347 SPECIFIC-THREATS Mozilla Firefox browser engine memory corruption attempt attempted-user 2010-0249 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16367, service http, policy balanced-ips drop, policy security-ips drop; 16367 WEB-CLIENT Microsoft Internet Explorer invalid object access memory corruption attempt www.microsoft.com/technet/security/bulletin/MS10-002.mspx attempted-user 2010-0249 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16369, service http, policy balanced-ips drop, policy security-ips drop; 16369 EXPLOIT Microsoft Internet Explorer deleted object access memory corruption attempt - public exploit www.microsoft.com/technet/security/bulletin/MS10-002.mspx misc-activity 2010-0244 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:misc-activity; metadata: engine shared, soid 3|16376, service http, policy balanced-ips drop, policy security-ips drop; 16376 EXPLOIT Internet Explorer onPropertyChange deleteTable memory corruption attempt misc-activity 2010-0247 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:misc-activity; metadata: engine shared, soid 3|16377, service http, policy balanced-ips drop, policy security-ips drop; 16377 EXPLOIT Internet Explorer DOM mergeAttributes memory corruption attempt 37896 attempted-user 2010-0387 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:!"GET"; nocase; http_method; content:!"POST"; nocase; http_method; content:"Authorization"; nocase; content:"Digest"; distance:0; fast_pattern; nocase; pcre:"/^Authorization\s*\x3A\s*Digest\s+([^\n\x2C]*\x2C){15}/im"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16392 WEB-MISC Sun Java System Web Server 7.0u7 authorization digest heap overflow 37910 attempted-user 2010-0388 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"PROPFIND"; nocase; http_method; content:"encoding"; pcre:"/\<\?xml[^\>]+encoding\s*\=\s*(\'|\")[^\'\"\>\%]*\%/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16426 WEB-MISC Sun Java System Web Server 7.0 WebDAV format string exploit attempt - PROPFIND method 37910 attempted-user 2010-0388 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"LOCK"; fast_pattern; nocase; http_method; content:"encoding"; pcre:"/\<\?xml[^\>]+encoding\s*\=\s*(\'|\")[^\'\"\>\%]*\%/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16427 WEB-MISC Sun Java System Web Server 7.0 WebDAV format string exploit attempt - LOCK method trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"User-Agent|3A| Mozilla|0D 0A|"; http_header; metadata:impact_flag red, policy security-ips drop, service http; classtype:trojan-activity; 16442 BOTNET-CNC Possible Zeus User-Agent - Mozilla en.wikipedia.org/wiki/Zeus_(trojan_horse) attempted-user 2010-0806 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16482, service http, policy balanced-ips drop, policy security-ips drop; 16482 WEB-CLIENT Internet Explorer userdata behavior memory corruption attempt support.microsoft.com/kb/980182 attempted-user 2010-0049 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:".innerHTML"; nocase; content:"rtl"; nocase; content:"<NOBR"; fast_pattern; nocase; pcre:"/<(body|html)[^>]+dir\s*=\s*(?P<q1>\x22|\x27|)rtl(?P=q1)/smi"; pcre:"/(?P<obj>[A-Z\d_]+)\s*=\s*document\.getElementsByTagName\((?P<q2>\x22|\x27|)NOBR(?P=q2)\).*?(?P=obj)\.innerHTML\s*=\s*(\x22\x22|\x27\x27)/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16492 WEB-CLIENT Safari inline text box use after free attempt 38298 attempted-user 2010-1028 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"wOFF|00 01 00 00|"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/isR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16501 WEB-CLIENT Mozilla Firefox WOFF font processing integer overflow attempt - TrueType www.kb.cert.org/vuls/id/964549 38298 attempted-user 2010-1028 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"wOFFOTTO"; content:"|00 00|"; within:2; distance:6; pcre:"/^.{28}([0-9A-Z\x20\x2F]{4}.{8}[^\xFF].{7})*([0-9A-Z\x20\x2F]{4}.{8}\xFF{3})/isR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16502 WEB-CLIENT Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based www.kb.cert.org/vuls/id/964549 attempted-user 2010-0267 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16503, service http, policy security-ips drop; 16503 EXPLOIT Microsoft Internet Explorer event handling remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-018.mspx misc-attack 2010-0488 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:misc-attack; metadata: engine shared, soid 3|16504, service http, policy security-ips drop; 16504 EXPLOIT Microsoft Internet Explorer 7 encoded content handling exploit attempt www.microsoft.com/technet/security/bulletin/MS10-018.mspx misc-attack 2010-0494 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:misc-attack; metadata: engine shared, soid 3|16509, service http, policy security-ips drop; 16509 EXPLOIT Microsoft Internet Explorer designMode-enabled information disclosure attempt www.microsoft.com/technet/security/bulletin/MS10-018.mspx 39346 attempted-user 2010-1423 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; fast_pattern:only; nocase; content:"Launch"; nocase; pcre:"/<object[^>]+classid\s*=\s*(?P<q1>\x22|\x27|)clsid\s*\x3A\s*{?\s*CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA\s*}?(?P=q1)/smi"; pcre:"/([A-Z\d_]+)\.Launch\(/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16547 WEB-ACTIVEX Java Web Start ActiveX launch command by CLSID 39346 attempted-user 2010-1423 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; fast_pattern:only; nocase; content:"createElement"; nocase; content:"Launch"; nocase; pcre:"/(?P<obj>[A-Z\d_]+)\s*=\s*document\.createElement\((?P<q1>\x22|\x27|)OBJECT(?P=q1)\).*?(?P=obj)\.classid\s*=\s*(?P<q2>\x22|\x27|)clsid\x3ACAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA(?P=q2).*?(?P=obj)\.launch\(/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16548 WEB-ACTIVEX Java Web Start ActiveX launch command by JavaScript CLSID 39346 attempted-user 2010-1423 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"application/npruntime-scriptable-plugin|3B|deploymenttoolkit"; nocase; content:"-J-jar"; pcre:"/http\x3A\s+-J-jar\s+-J[^\s]+\x2Ejar/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16549 WEB-CLIENT Oracle JRE Java Platform SE and Java Deployment Toolkit plugins code execution attempt - npruntime-scriptable-plugin 39346 attempted-user 2010-1423 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"application/java-deployment-toolkit"; nocase; content:"-J-jar"; pcre:"/http\x3A\s+-J-jar\s+-J[^\s]+\x2Ejar/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16550 WEB-CLIENT Oracle JRE Java Platform SE and Java Deployment Toolkit plugins code execution attempt - java-deployment-toolkit 34169 attempted-user 2009-0927 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.pdf; content:"app.doc.Collab.getIcon"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16554 WEB-CLIENT Adobe Acrobat JavaScript getIcon method buffer overflow attempt 39346 attempted-user 2010-1423 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; fast_pattern:only; nocase; content:"-XXaltjvm"; content:"launchjnlp"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16584 WEB-CLIENT Java Web Start arbitrary command execution attempt - Internet Explorer 39346 attempted-user 2010-1423 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"application/x-java-applet"; nocase; content:"-XXaltjvm"; fast_pattern:only; content:"launchjnlp"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16585 WEB-CLIENT Java Web Start arbitrary command execution attempt attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"function loop|28 29|"; content:"setInterval|28|doit,0|29|"; distance:0; content:"function doit|28 29|"; distance:0; content:"document.write"; distance:0; content:"setInterval|28|loop,0|29|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16592 SPECIFIC-THREATS Opera asynchronous document modifications attempted memory corruption www.opera.com/support/kb/view/953/ attempted-user 2008-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:".classid='clsid|3A|0369B4E5-45B6-11D3-B650-00C04F79498E'|3B|"; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 16602 SPECIFIC-THREATS Microsoft DirectShow 3 ActiveX exploit via JavaScript www.microsoft.com/technet/security/bulletin/ms09-032.mspx 32721 attempted-user 2008-4844 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"%3c%53%50%41%4e%20%44%41%54%41%53%52%43%3d%23%49%20%44%41%54%41%46%4c%44%3d%43%20%44%41%54%41%46%4f%52%4d%41%54%41%53%3d%48%54%4d%4c%3e"; fast_pattern:only; nocase; content:"%3c%53%50%41%4e%20%44%41%54%41%53%52%43%3d%23%49%20%44%41%54%41%46%4c%44%3d%43%20%44%41%54%41%46%4f%52%4d%41%54%41%53%3d%54%45%58%54%3e"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16605 SPECIFIC-THREATS Internet Explorer nested SPAN tag memory corruption attempt attempted-user 2010-0811 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"8fe85d00-4647-40b9-87e4-5eb8a52f4759"; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 16635 WEB-ACTIVEX Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access www.microsoft.com/technet/security/Bulletin/MS10-034.mspx attempted-user 2010-0255 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16637, service http, policy balanced-ips drop, policy security-ips drop; 16637 EXPLOIT Microsoft Internet Explorer security zone restriction bypass attempt www.microsoft.com/technet/security/bulletin/MS10-035.mspx attempted-user 2010-1257 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16658, service http, policy balanced-ips drop, policy security-ips drop; 16658 WEB-CLIENT Microsoft Internet Explorer 8 cross-site scripting attempt www.microsoft.com/technet/security/bulletin/ms10-035.mspx attempted-user 2010-1262 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16659, service http, policy security-ips drop; 16659 EXPLOIT Microsoft Internet Explorer style sheet array memory corruption attempt www.microsoft.com/technet/security/bulletin/MS10-035.mspx 39990 attempted-user 2010-1939 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"for|28|var i = 0|3B| i |3C| 2|3B| i|2B 2B 29|"; content:"parent.alert|28 22|"; within:50; content:"self.close|28 29 3B|"; within:50; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 16666 SPECIFIC-THREATS Apple Safari window.parent.close unspecified remote code execution vulnerability secunia.com/advisories/39670 39813 attempted-user 2010-1663 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"src=|22|https|3A 2F 2F|www.google.com|2F|accounts|2F|ManageAccount?hl=fr|22|"; content:"javascr|5C|u0009ipt|3A|alert|28|document.cookie"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16667 SPECIFIC-THREATS Google Chrome GURL cross origin bypass attempt - 1 39813 attempted-user 2010-1663 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"src=|22|http|3A 2F 2F|www.google.ca|2F|language_tools?hl=en|22|"; content:"window.open|28 27|j|5C|navascript|3A|alert|28|document.cookie|29 27|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16668 SPECIFIC-THREATS Google Chrome GURL cross origin bypass attempt - 2 17196 attempted-user 2006-1359 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"innerHTML"; content:"Math.round|28|"; within:100; content:".createTextRange|28 29|"; distance:0; fast_pattern; metadata:policy security-ips drop, service http; classtype:attempted-user; 16690 SPECIFIC-THREATS Microsoft Internet Explorer createTextRange code execution attempt 34240 attempted-user 2009-1097 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; fast_pattern:only; pcre:"/^\x89PNG\x0d\x0a\x1a\x0a\x00{3}\x0dIHDR([^\x00]|\x00[^\x00]|.{4}[^\x00]|.{4}\x00[^\x00]|.{8}[\x11-\xff])/ms"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16716 WEB-CLIENT Sun Java Web Start Splashscreen PNG processing buffer overflow attempt trojan-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client, established; content:"document|2E|createElement"; pcre:"/\x2Ereplace\x28\x2F(\x23\x7C?|\x5C\x24\x7C?|\x5C\x28\x7C?|\x26\x7C?|\x5C\x5E\x7C?|\x40\x7C?|\x5C\x21\x7C?|\x5C\x29\x7C?){8}\x2F\x69\x67\x2C\x20\x27\x27\x29/"; metadata:policy security-ips drop, service http; classtype:trojan-activity; 17058 SPECIFIC-THREATS Trojan-Downloader.JS.Agent.ewh Javascript download attempt www.virustotal.com/analisis/68b650e4f6c6e13c335a270ba5c3db3dc84012ec18c71841fcbbcb421000dec5-1262969947 23539 attempted-admin 2007-1681 tcp $EXTERNAL_NET any -> $HOME_NET [898,1024:] flow:to_server,established; content:"Lcom.sun.management.viperimpl.services.authentication.AuthenticationPrincipal"; content:"roleDescq|00|"; distance:0; content:"userDescq|00|"; distance:0; content:"3|25|065478x|25|6|24|n|25|065539x|25|6|24|hn|25|30|24|08189x|25|n|25|30|24|059148x|25|hn"; distance:0; metadata:policy security-ips drop; classtype:attempted-admin; 17109 SPECIFIC-THREATS Sun Java Web Console logging functionality format string exploit attempt attempted-user 2010-2560 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17132, service http, policy security-ips drop; 17132 EXPLOIT Microsoft Internet Explorer invalid object access attempt www.microsoft.com/technet/security/bulletin/MS10-053.mspx attempted-user 2010-2558 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17136, service http, policy balanced-ips drop, policy security-ips drop; 17136 EXPLOIT Microsoft Internet Explorer 6 race condition exploit attempt www.microsoft.com/technet/security/bulletin/MS10-053.mspx 42154 attempted-user 2010-2709 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/OVCgi/webappmon.exe"; nocase; http_uri; content:"OvJavaLocale"; nocase; http_header; pcre:"/^Cookie\s*\x3A\s*OvJavaLocale\s*\x3D\s*.{1024}/imH"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17140 WEB-MISC OpenView Network Node Manager OvJavaLocale buffer overflow attempt 39855 attempted-user 2010-1728 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"document.write"; content:"setInterval"; fast_pattern:only; nocase; pcre:"/function\s+(?P<func>[a-z\x5F]+).+?\x7B[^\x7D]+?document\x2Ewrite[^\x7D]+?setInterval\x28(?P=func)/is"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17165 WEB-CLIENT Opera browser document writing uninitialized memory access attempt 36343 attempted-user 2009-3075 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:".replace|28|"; pcre:"/(?P<var>\w+)\x2Ereplace\x28\s*(?P=var)\s*\x2C\s*(?P=var)\s*\x29/"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17166 WEB-CLIENT Mozilla multiple products JavaScript string replace buffer overflow attempt attempted-user 2005-1532 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established, from_server; content:"arguments|2E|callee|2E|"; nocase; content:"|5F 5F|parent|5F 5F 2E|eval"; distance:0; fast_pattern; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17212 WEB-CLIENT Mozilla Firefox JavaScript eval arbitrary code execution attempt secunia.com/advisories/15528/ attempted-user 2005-2706 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established, to_client; content:"window|2E|open"; nocase; content:"about|3A|mozilla"; within:50; nocase; content:"document|2E|write"; distance:0; nocase; content:"about|3A|config"; within:50; fast_pattern; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17213 WEB-CLIENT Mozilla Firefox Chrome Page Loading Restriction Bypass attempt secunia.com/advisories/16911/ attempted-user 2009-3070 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established, to_client; content:"-moz-column-"; fast_pattern:only; content:"documentElement.style.height"; pcre:"/<html[^>]*?height[^>]*?>/smi"; pcre:"/<body[^>]*?position[^>]*?inherit[^>]*?-moz-column-(count|width)[^>]*?documentElement\.style\.height[^>]*?/smiR"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17236 WEB-CLIENT Mozilla Firefox nsPropertyTable PropertyList memory corruption attempt secunia.com/advisories/36671/ attempted-user 2005-0230 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|3C|img|20|"; content:"|2E|bat"; distance:0; fast_pattern; nocase; pcre:"/\x3cimg\s[^\x3e]*\x2ebat/i"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17245 WEB-CLIENT Mozilla Firefox image dragging exploit attempt 34181 attempted-user 2009-1044 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"selection|2E|timedSelect|28|1|2C|8000|29 3B|"; content:"tree|2E|view|2E|selection|3D|null|3B|"; distance:0; content:"delete|20|tree"; distance:0; content:"delete|20|selection"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17258 WEB-CLIENT Mozilla Firefox XUL tree element code execution attempt 17671 attempted-user 2006-1993 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"contentWindow.document.designMode = |22|on|22|"; content:"contentWindow.document.write"; within:100; content:"contentWindow.document.close"; within:100; content:"<iframe"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17260 SPECIFIC-THREATS Mozilla Firefox Javascript contentWindow in an iframe exploit attempt 17196 attempted-user 2006-1359 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:".createTextRange|28 29 3B|"; fast_pattern:only; nocase; content:"<input type|3D 22|checkbox|22|"; nocase; pcre:"/\x3Cinput\s+type\x3D\x22checkbox\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17261 WEB-CLIENT Microsoft Internet Explorer createTextRange code execution attempt 17196 attempted-user 2006-1359 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:".createTextRange|28 29 3B|"; fast_pattern:only; nocase; content:"<input type|3D 22|radio|22|"; nocase; pcre:"/\x3Cinput\s+type\x3D\x22radio\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17262 WEB-CLIENT Microsoft Internet Explorer createTextRange code execution attempt 17196 attempted-user 2006-1359 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:".createTextRange|28 29 09 0A 0D 09 20 0A 20 0A 20 0D|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17263 SPECIFIC-THREATS Microsoft Internet Explorer createTextRange code execution attempt 12655 attempted-user 2005-0527 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"file|2E|initWithPath|28 22|c|3A 5C 5C 5C 5C|booom|2E|bat"; content:"xpcom|20 2B 3D 20 27|file|2E|createUnique"; content:"outputStream|2E|init|28|file|2C|0x04|7C|0x08|7C|0x20|2C|420"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17265 WEB-CLIENT Mozilla Firefox plugin access control bypass attempt 12884 attempted-user 2005-0402 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"onclick|3D 22|window|2E|sidebar|2E|addPanel|28 27|FSC|20|sidebar"; content:"http|3A 2F 2F|gsx3|2F 7E|swarelis|2F|CAN|2D|2005|2D|0402|2F|poc|2E|html"; distance:4; metadata:policy security-ips drop, service http; classtype:attempted-user; 17268 SPECIFIC-THREATS Mozilla Firefox sidebar panel arbitrary code execution attempt 14282 attempted-user 2005-2308 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; file_data; content:"|FF D8 FF|"; content:"|FF DA|"; distance:0; content:"|03|"; within:1; distance:2; content:"|01 00 02 11 01|"; within:5; metadata:policy security-ips drop, service http; classtype:attempted-user; 17355 WEB-CLIENT Microsoft Internet Explorer JPEG Decoder Vulnerabilities attempt 14916 attempted-user 2005-2701 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.xbm; content:"static|20|char|20|gopher|5F|binary|5F|bits|5B 5D|"; content:"0x71|2C 20|0x26|2C 20|0x01|20 20 20 20 20 20|"; distance:0; metadata:policy security-ips drop, service http; classtype:attempted-user; 17360 WEB-CLIENT Mozilla Firefox XBM image processing buffer overflow attempt attempted-user 2008-4064 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.png; content:"IHDR"; byte_test:4,>,32767,4,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17378 WEB-CLIENT Mozilla Firefox Animated PNG Processing integer overflow attempted-user 2008-4064 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.png; content:"IHDR"; byte_test:8,>,32767,4,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17379 WEB-CLIENT Mozilla Firefox Animated PNG Processing integer overflow 18228 attempted-user 2006-2779 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"document|2E|addEventListener|28 22|DOMNodeRemoved|22|"; nocase; content:"document|2E|body|2E|appendChild|28|document|2E|getElementById|28|"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17389 SPECIFIC-THREATS mozilla firefox DOMNodeRemoved attack attempt shellcode-detect tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:" shellcode"; fast_pattern:only; nocase; pcre:"/var\s+shellcode\s*=/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:shellcode-detect; 17392 SHELLCODE JavaScript var shellcode shellcode-detect tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:" heapspray"; fast_pattern:only; nocase; pcre:"/var\s+heapspray[A-Z\d_\s]*=/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:shellcode-detect; 17393 SHELLCODE JavaScript var heapspray attempted-user 2008-2086 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.gif; content:"|46 38 39 61 FF FF FF FF B3 FF 00 FF FF FF CD CD CD A6 A6 A3 0E 0D 0D 05 05 83 ED EC EC AB AB B4|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17395 SPECIFIC-THREATS Sun Java Web Start Splashscreen GIF decoding buffer overflow attempt 33990 attempted-user 2009-0773 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"a|5B|10|5D 20 3D 20 22|AAAAAAAAAA|22 3B|"; content:"a|2E|splice|28|10|2C 20|1|29 3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17398 WEB-CLIENT Mozilla Firefox Javascript array.splice memory corruption attempt 33990 attempted-user 2009-0773 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"a|5B|6|5D 20 3D 20 22|toto|22 3B|"; content:"a|2E|splice|28|6|2C 20|1|29 3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17399 WEB-CLIENT Mozilla Firefox Javascript array.splice memory corruption attempt attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"var "; nocase; content:"unescape"; within:100; distance:5; nocase; pcre:"/var\s+[A-Z][A-Z\d\x5F]{5,}\s*=\s*unescape[\s\x3b]/smi"; flowbits:set,js.rename.unescape; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17400 WEB-CLIENT rename of JavaScript unescape function - likely malware obfuscation 32721 attempted-user 2008-4844 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,js.rename.unescape; content:"|25|53|25|52|25|43|25|3d|25|5c|25|5c|25|26|25|23"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17401 SPECIFIC-THREATS Internet Explorer nested tag memory corruption attempt - unescaped www.microsoft.com/technet/security/bulletin/ms08-078.mspx 32721 attempted-user 2008-4844 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"adong7"; nocase; content:"adong7"; distance:0; nocase; content:"datasrc"; distance:0; nocase; content:"datafld"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17402 SPECIFIC-THREATS Internet Explorer nested tag memory corruption attempt www.microsoft.com/technet/security/bulletin/ms08-078.mspx 12427 attempted-user 2005-0056 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|3C|channel|20 0D 0A 20 20|href|3D 22|file|3A 2F 2F|"; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17411 SPECIFIC-THREATS Microsoft Internet Explorer CDF cross-domain scripting attempt www.microsoft.com/technet/security/bulletin/ms05-014.mspx 12998 attempted-user 2005-0989 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"x|20 3D 20|x|2E|replace|28 2F|end|2F|i|2C 20|function|28 24|1|29 7B 20|var|20|y|20 3D 20 22|any|22 3B 20|y|2E|match|28 2F|any|2F|i|29|"; fast_pattern:only; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17414 SPECIFIC-THREATS Mozilla Firefox Javascript Engine Information Disclosure attempt 12998 attempted-user 2005-0989 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"var|20|mem|20 3D 20|genGluck|28 20 22|XXX"; fast_pattern:only; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17415 SPECIFIC-THREATS Mozilla Firefox Javascript Engine Information Disclosure attempt 13544 attempted-user 2005-1477 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"IconURL|3A 20 22|javascript|3A|"; fast_pattern:only; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17424 SPECIFIC-THREATS Mozilla Firefox IconURL Arbitrary Javascript Execution attempt 14918 attempted-user 2005-2702 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"Content|2D|Type|3A 20|text|2F|html"; http_header; content:"|3B 26 23|8204|3B 26 23|8204"; fast_pattern; metadata:policy security-ips drop, service http; classtype:attempted-user; 17434 WEB-CLIENT Mozilla Firefox Unicode sequence handling stack corruption attempt attempted-user 2009-0554 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17462, service http, policy balanced-ips drop, policy security-ips drop; 17462 WEB-CLIENT Microsoft Internet Explorer marquee object handling memory corruption attempt www.microsoft.com/technet/security/bulletin/ms09-014.mspx 15823 attempted-user 2005-2829 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; file_data; content:"spoffset()|20|{|0A 20 20 20 20 20 20|"; nocase; content:"var|20|mv|20|=|20|window|2E|navi"; within:20; nocase; content:"var|20|sp2"; within:7; distance:29; nocase; metadata:policy security-ips drop; classtype:attempted-user; 17463 SPECIFIC-THREATS Internet Explorer File Download Dialog Box Manipulation www.microsoft.com/technet/security/Bulletin/MS05-054.mspx 34169 attempted-user 2009-0927 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.pdf; content:"|55 1E 42 91 74 A1 4A FA 21 C7 DB 53 14 DE DE 9E A4 6A CD ED 29 C7 4E DE 9E BC ED 49 B3 35 11 D6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17471 SPECIFIC-THREATS Adobe Acrobat JavaScript getIcon method buffer overflow attempt 34169 attempted-user 2009-0927 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.pdf; content:"|B3 2E 86 F7 BA C8 F4 4A 2B C7 AB 99 E8 6B 72 99 39 40 C7 59 B1 2E C9 D1 AE 0C 6E 39 A8 E5 DC 60|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17472 SPECIFIC-THREATS Adobe Acrobat JavaScript getIcon method buffer overflow attempt 12131 attempted-user 2004-1316 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"news|3A 2F 2F|"; pcre:"/news\x3a\x2f\x2f.*?\x2f?(profile|search).*?\x2f.*?\x5c[^\s\x22\x27]{0,1}/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17482 WEB-CLIENT Mozilla NNTP URL Handling Buffer Overflow attempt 16687 attempted-dos 2006-0753 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"<script"; nocase; content:"javascript"; distance:0; nocase; content:"location="; distance:0; nocase; pcre:"/javascript.+function\s+(\w+)\s*\(\w*\)\s*\{.+location=[^}]+\1.+\}/sim"; metadata:policy security-ips drop, service http; classtype:attempted-dos; 17487 WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt 31346 attempted-user 2008-0016 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<a href=|22 01 78 78|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17519 SPECIFIC-THREATS Mozilla Firefox UTF-8 URL Handling Stack Buffer Overflow 31879 attempted-user 2008-4726 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_client,established; content:"Content-Encoding: pack200-gz"; nocase; content:"|9A 10 3A C7 39 E2 E6 DE BE F7 71 BA 7C 22 5E D7|"; content:"|49 F4 EF C7 73 9F 9B 9C 8B 32 A7 88 58 FF 13 31|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17522 SPECIFIC-THREATS Sun Java Runtime Environment Pack200 Decompression Integer Overflow 25916 attempted-admin 2007-3892 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"for|20 28|i=0|3B 20|i<20|3B 20|i++|29 7B|"; nocase; content:"document|2E|location|2E|href|3D|fileURL|3B|"; within:32; distance:11; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 17549 SPECIFIC-THREATS Internet Explorer Error Handling Code Execution 26817 attempted-user 2007-5344 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"getElementsByTagName"; nocase; content:"removeNode|28|true|29|"; distance:0; fast_pattern; nocase; pcre:"/\x2EgetElementsByTagName\x28[^\x29]+?\x2EremoveNode\x28true\x29/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17554 SPECIFIC-THREATS Microsoft Internet Explorer DOM object cache management memory corruption attempt 30986 attempted-user 2008-2908 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"36723f97-7aa0-11d4-8919-ff2d71d0d32c"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*36723f97-7aa0-11d4-8919-ff2d71d0d32c\s*}?\s*(?P=q1)(\s|>).*?<param\s*name\s*=\s*operation[^>]+?value\s*=\s*[^\s][^\x22\x27\s]{512}/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17557 WEB-ACTIVEX Novell iPrint ActiveX operation parameter overflow support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5028061.html 32608 misc-attack 2008-5352 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"Content-Encoding|3A 20|pack200-gzip"; nocase; content:"|C3 B5 17 B7 9E B8 31 F3 30 32 33 31 31 32 32 30|"; distance:0; content:"|7D FF A4 AC D4 E4 92 E0 92 A2 CC BC F4 82 FC 64|"; within:16; distance:64; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-attack; 17562 SPECIFIC-THREATS Sun Java Runtime Environment Pack200 Decompression Integer Overflow attempt 32608 attempted-user 2008-5354 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"|1D 79 05 13 28 88 55 51 C2 A4 84 29 05 12 0C 19|"; content:"|F1 2B C6 40 A1 3D C6 60 81 A8 5D 28 34 30 44 06|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17563 SPECIFIC-THREATS Sun Java Runtime Environment JAR File Processing Stack Buffer Overflow 35224 attempted-user 2009-1530 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"activate|20|=|20|function|20|()"; nocase; pcre:"/on(before|de)activate\s*\x3d\s*function\s*\x28\x29\s*\x7b\s*call(back|malFunc)\x28\x29/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17566 SPECIFIC-THREATS Microsoft Internet Explorer 7 Event Handler Memory Corruption 28448 attempted-user 2008-1236 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"contentDocument.designMode"; nocase; content:"addEvenListener|28|"; distance:0; nocase; content:"iframe.style.position"; within:100; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17570 SPECIFIC-THREATS Mozilla Firefox IFRAME style change handling code execution www.mozilla.org/security/announce/2008/mfsa2008-15.html 17468 attempted-user 2006-1188 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client, established; content:"<pre>|0A 09 09|<span style=|22|white-space|3A|normal|3B 22 2F|><span>"; fast_pattern:only; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17580 SPECIFIC-THREATS Microsoft Internet Explorer span tag memory corruption attempt 17516 attempted-user 2006-0749 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"<table>|0A|<html>|0A|<frameset>"; fast_pattern:only; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17581 SPECIFIC-THREATS Mozilla Firefox tag order memory corruption attempt 22678 attempted-user 2007-1094 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"document.write("; content:"body|20|onunload=|22|exploit"; distance:0; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17585 SPECIFIC-THREATS Internet Explorer possible javascript onunload event memory corruption 11726 attempted-user 2004-1029 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"<jnlp "; nocase; content:"<resources>"; distance:0; nocase; content:" -classpath"; distance:0; fast_pattern; nocase; pcre:"/<property[^>]*?value\s*=\s*(?P<q1>\x22|\x27).*? -classpath.*?(?P=q1)/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17586 WEB-CLIENT Sun Java Web Start malicious parameter value 11366 attempted-user 2004-0216 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6E449683-C509-11CF-AAFA-00AA00B6015C"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6E449683-C509-11CF-AAFA-00AA00B6015C\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(BaseUrl|SetCifFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*6E449683-C509-11CF-AAFA-00AA00B6015C\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(BaseUrl|SetCifFile))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17588 WEB-ACTIVEX Microsoft Internet Explorer Install Engine ActiveX clsid access www.microsoft.com/technet/security/Bulletin/MS04-038.mspx 11366 attempted-user 2004-0216 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6|00|E|00|4|00|4|00|9|00|6|00|8|00|3|00|-|00|C|00|5|00|0|00|9|00|-|00|1|00|1|00|C|00|F|00|-|00|A|00|A|00|F|00|A|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|B|00|6|00|0|00|1|00|5|00|C|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*6\x00E\x004\x004\x009\x006\x008\x003\x00-\x00C\x005\x000\x009\x00-\x001\x001\x00C\x00F\x00-\x00A\x00A\x00F\x00A\x00-\x000\x000\x00A\x00A\x000\x000\x00B\x006\x000\x001\x005\x00C\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17589 WEB-ACTIVEX Microsoft Internet Explorer Install Engine ActiveX clsid unicode access www.microsoft.com/technet/security/Bulletin/MS04-038.mspx 32281 attempted-user 2008-5016 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset, xul.download; content:"style="; content:"<treechildren"; nocase; content:"<treechildren"; distance:0; nocase; content:"ordinal"; content:"event.target.parentNode.removeChild"; fast_pattern:only; nocase; pcre:"/onoverflow\s*=\s*(\x22|\x27)\s*event.target.parentNode.removeChild/smi"; pcre:"/<treechildren.*ordinal=.*<treechildren/smi"; pcre:"/<tree .*tree(?!children).*<treechildren.*<treechildren/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17601 WEB-CLIENT Mozilla Firefox file type memory corruption attempt www.mozilla.org/security/announce/2008/mfsa2008-52.html 32281 attempted-user 2008-5021 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"type="; nocase; content:"file"; within:7; distance:1; nocase; content:"getElement"; nocase; pcre:"/var\s*(?P<varname>[^\s]*)\s*\x3d\s*[^\x2E]*\x2EgetElement[^\x28]*\x28(\x22|\x27)(?P<elementid>[^\x22\x27]*)(\x22|\x27)\x29.*(?P=varname)\x2etype\s*\x3D\s*(\x22|\x27)(?!file).*id\s*\x3d\s*(\x22|\x27)(?P=elementid)[^>]*type\s*=\s*(\x22|\x27)file/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17603 WEB-CLIENT Mozilla Firefox file type memory corruption attempt www.mozilla.org/security/announce/2008/mfsa2008-55.html 21675 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"java/awt/image/ConvolveOp|0C 00 0E 00 23 01 00|"; fast_pattern:only; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17604 SPECIFIC-THREATS Java AWT ConvolveOp memory corruption attempt sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1 37874 attempted-admin 2010-0361 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"COPY"; depth:4; nocase; isdataat:200,relative; pcre:"/^COPY(?!\n)\s[^\n]{200}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 17609 WEB-MISC Sun Java Web Server Webdav Stack Buffer Overflow attempt 35326 attempted-user 2009-1392 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client, established; content:"first-letter"; nocase; content:"direction"; distance:0; nocase; content:"rtl"; within:8; content:"whitespace |3D| "; distance:0; nocase; content:"pre"; within:10; nocase; content:"|3C|span"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 17613 WEB-MISC Mozilla Firefox browser engine memory corruption attempt attempted-user 2007-3902 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established, to_client; content:"obj|2E|setExpression|28 22|width"; fast_pattern; nocase; content:"|22 2C 22|document|2E|body|2E|offsetWidth|22 29|"; within:30; metadata:policy security-ips drop, service http; classtype:attempted-user; 17622 SPECIFIC-THREATS Microsoft Internet Explorer object reference memory corruption attempt www.securityfocus.com/bid/26506 34240 attempted-user 2009-1099 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"|63 3B 84 6A B2 84 BC F8 B0 41 1B 77 2D E5 CE 32 34 0D C6 F2 8A F4 08 57 E4 45 19 76 E7 51 82 43 3C F9 F3 33 A3 8B D8 41 C0 D4 E6 8B F9 E0 12 EB|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17623 SPECIFIC-THREATS Sun Java Runtime Environment Type1 Font parsing integer overflow attempt 34240 attempted-user 2009-1099 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"|1F 8B 08 08 D4 73 61 49 00 03 65 2E 70 61 63 6B 00 ED CE 3B 4B 03 41 10 00 E0 D9 7B C7 3B 15 63 63 2D 16 8A 8F D3 68 17 11 22 E4 34 21 31 82 31|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17624 SPECIFIC-THREATS Sun Java Runtime Environment Type1 Font parsing integer overflow attempt 22085 attempted-user 2007-0243 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|52 4B 55 F6 EF DF 63 70 A3 6C 5C 5B 48 71 BB 7A 70 77 3B 44 69 5B|"; fast_pattern:only; metadata:policy security-ips drop; classtype:attempted-user; 17628 SPECIFIC-THREATS Sun Microsystems Java gif handling memory corruption attempt 14920 attempted-user 2005-2706 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established, to_client; content:"window|2E|open"; nocase; content:"about:"; within:10; nocase; content:"document|2E|write"; distance:0; nocase; content:"about:"; within:30; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17629 WEB-CLIENT Mozilla Firefox Chrome Page Loading Restriction Bypass attempt 29802 attempted-user 2008-2785 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"counter|2D|reset|3A|"; content:"counter|2D|increment|3A|"; distance:0; content:"|3C|ol|20|id|3D 22|id1|22 3E 0A|"; distance:0; content:"|3C|li|3E 3C 2F|li|3E 0A 3C|li|3E 3C 2F|li|3E 0A 3C|li|3E 3C 2F|li|3E 0A|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17630 WEB-CLIENT Mozilla multiple products CSSValue array memory corruption attempt 30148 attempted-user 2008-3111 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|3C|j2se"; content:"java|2D|vm|2D|args"; pcre:"/\x3cj2se[^\x3e]*java\x2dvm\x2dargs\s*\x3d\s*\x22[^\x22]*\x2dea\x3a[^\s\x22\x3e]{100}/si"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17631 WEB-CLIENT Sun Java Web Start JNLP java-vm-args buffer overflow attempt 35765 attempted-user 2009-2462 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client, established; content:"first-letter"; nocase; content:"float: right"; distance:0; nocase; content:"parentNode.removeAttribute(|22|class|22|)"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 17642 WEB-CLIENT Mozilla Firefox ConstructFrame with floating first-letter memory corruption attempt attempted-user 2009-0075 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"var nopsled"; nocase; content:"cloneNode|28 29|"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17644 SPECIFIC-THREATS Internet Explorer object clone deletion memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-002.mspx attempted-user 2007-0943 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"text-decoration"; nocase; pcre:"/\x2E[A-Z\d_]+\s*\x7b\s*text-decoration[^\x3A]*?\x7d/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17645 WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt www.microsoft.com/technet/security/bulletin/ms07-045.mspx 39346 attempted-user 2010-1423 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; nocase; content:"jnlpDocbase=|22|ABBA|3A|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17660 SPECIFIC-THREATS Java Web Start arbitrary command execution attempt attempted-user 2010-0806 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17685, service http, policy balanced-ips drop, policy security-ips drop; 17685 EXPLOITS Internet Explorer invalid pointer memory corruption attempt www.microsoft.com/technet/security/bulletin/ms10-018.mspx attempted-user 2010-0806 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17686, service http, policy balanced-ips drop, policy security-ips drop; 17686 EXPLOITS Internet Explorer invalid pointer memory corruption attempt www.microsoft.com/technet/security/bulletin/ms10-018.mspx attempted-user 2010-0806 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17687, service http, policy balanced-ips drop, policy security-ips drop; 17687 EXPLOITS Internet Explorer invalid pointer memory corruption attempt www.microsoft.com/technet/security/bulletin/ms10-018.mspx attempted-user 2010-0806 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17688, service http, policy balanced-ips drop, policy security-ips drop; 17688 WEB-CLIENT Internet Explorer userdata behavior memory corruption attempt support.microsoft.com/kb/980182 attempted-user 2010-0806 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17689, service http, policy balanced-ips drop, policy security-ips drop; 17689 WEB-CLIENT Internet Explorer userdata behavior memory corruption attempt support.microsoft.com/kb/980182 30612 attempted-user 2008-2259 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17692, service http, policy balanced-ips drop, policy security-ips drop; 17692 WEB-CLIENT Microsoft Internet Explorer ExecWB security zone bypass attempt www.microsoft.com/technet/security/bulletin/MS08-045.mspx 12602 misc-activity 2005-0500 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"window.open|28|"; nocase; content:"authentication.trusted.com"; distance:0; nocase; metadata:policy security-ips drop, service http; classtype:misc-activity; 17703 SPECIFIC-THREATS Internet Explorer popup title bar spoofing attempt 34424 attempted-user 2009-0553 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17709, service http, policy balanced-ips drop, policy security-ips drop; 17709 WEB-CLIENT Microsoft Internet Explorer EMBED element memory corruption attempt www.microsoft.com/technet/security/Bulletin/MS09-014.mspx 34743 attempted-user 2009-1313 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"white-space|3A| pre"; content:"getElementById|28|'para'|29|.childNodes[0].splitText|28|11|29|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17719 SPECIFIC-THREATS Mozilla Firefox ClearTextRun exploit attempt attempted-user 2008-2255 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17720, service http, policy security-ips drop; 17720 WEB-CLIENT Microsoft Internet Explorer static text range overflow attempt www.microsoft.com/technet/security/bulletin/MS08-045.mspx 17404 misc-activity 2006-1626 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"win = window.open|28 27|test.swf|27|"; nocase; content:"win = window.open|28 27|http|3A 2F 2F|"; within:100; nocase; metadata:policy security-ips drop, service http; classtype:misc-activity; 17726 SPECIFIC-THREATS Internet Explorer address bar spoofing attempt 34424 attempted-user 2009-0553 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<embed type=|27 22| + asMimeTypes.shift"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17729 SPECIFIC-THREATS Microsoft Internet Explorer EMBED element memory corruption attempt www.microsoft.com/technet/security/Bulletin/MS09-014.mspx attempted-admin 2010-1883 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-admin; flowbits:isset,eot.download; metadata: engine shared, soid 3|17747, service http, policy balanced-ips drop, policy security-ips drop; 17747 EXPLOIT Microsoft Internet Explorer compressed HDMX font processing integer overflow attempt www.microsoft.com/technet/security/bulletin/MS10-076.mspx attempted-user 2010-3330 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17771, service http, policy balanced-ips drop, policy security-ips drop; 17771 EXPLOIT Microsoft Internet Explorer cross-domain information disclosure attempt www.microsoft.com/technet/security/bulletin/MS10-071.mspx 17196 attempted-user 2006-1359 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:".createTextRange|28 29 3B|"; fast_pattern:only; nocase; content:"<input type|3D 22|image|22|"; nocase; pcre:"/\x3Cinput\s+type\x3D\x22image\x22\s+id\x3D(?P<q1>(\x22|\x27|))(?P<t>\S+)(?P=q1).*?document\x2EgetElementById\x28(?P<q2>(\x22|\x27|))(?P=t)(?P=q2)\x29\x2EcreateTextRange/isO"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17781 SPECIFIC-THREATS Microsoft Internet Explorer createTextRange code execution attempt attempted-user 2010-3765 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"var tags = new Array|28 22|audio|22|, |22|a|22|, |22|base|22 29|"; nocase; content:"var html = |22|<|22| + tags[i] + |22| |22| + atts[j]"; distance:0; fast_pattern; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17804 WEB-CLIENT Mozilla Firefox html tag attributes memory corruption attempted-user 2010-3962 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18062, service http, policy balanced-ips drop, policy security-ips drop; 18062 WEB-CLIENT Microsoft Internet Explorer CSS style memory corruption attempt www.microsoft.com/technet/security/advisory/2458511.mspx attempted-user 2006-1739 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|25 6E 25 6E 25 6E 25 6E 25 6E 25 6E 22 45 57 49 44 54 48 3D 6C 65 66 74 20 53 49 5A 45 3D 8B 8B 8B 8B 8B|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 18077 SPECIFIC-THREATS Mozilla products CSS rendering out-of-bounds array write attempt osvdb.org/show/osvdb/24660 attempted-user 2006-1739 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|3C|HR WIDTH|3D|4444444 COLOR|3D 22 23|000000|22 3E|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 18078 SPECIFIC-THREATS Mozilla products CSS rendering out-of-bounds array write attempt osvdb.org/show/osvdb/24660 attempted-admin 2010-4091 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-admin; flowbits:isset,http.pdf; metadata: engine shared, soid 3|18102, service http, policy balanced-ips drop, policy security-ips drop; 18102 WEB-CLIENT Adobe Reader invalid PDF JavaScript extension call www.adobe.com/support/security/bulletins/apsb10-28.html 35660 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"%u9090%u9090"; fast_pattern:only; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 18167 WEB-CLIENT Possible generic javascript heap spray attempt 35660 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"%u4141%u4141"; fast_pattern:only; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 18168 WEB-CLIENT Possible generic javascript heap spray attempt 10816 attempted-user 2004-0842 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|3C 73 74 79 6C 65 3E 3B 40 2F 2A|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 18174 SPECIFIC-THREATS Microsoft Internet Explorer CSS memory corruption attempt 10816 attempted-user 2004-0842 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|3C 73 74 79 6C 65 3E 40 3B 2F 2A|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 18175 SPECIFIC-THREATS Microsoft Internet Explorer CSS memory corruption attempt 17516 attempted-user 2006-1738 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|3C|button onclick|3D 22|document|2E|getElementsByTagName|28 27|row|27 29 5B|0|5D 2E|style|2E|display|3D 27 2D|moz|2D|grid|2D|group|27 22|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 18186 SPECIFIC-THREATS Mozilla products -moz-grid and -moz-grid-group display styles code execution attempt 17516 attempted-user 2006-1790 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"InstallTrigger.install.call|28|document|2C 22|a|22 2C 22|a|22 29 3B|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 18187 SPECIFIC-THREATS Mozilla Firefox InstallTrigger.install memory corruption attempt attempted-user 2010-3971 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client, established; content:"@import "; content:"@import "; distance:0; content:"@import "; distance:0; pcre:"/\x40import (url\x28)?\x22([^\x22]+)\x22.*\x40import (url\x28)?\x22\2\x22.*\x40import (url\x28)?\x22\2\x22/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 18196 WEB-CLIENT Microsoft Internet Explorer CSS importer use-after-free attempt www.vupen.com/english/advisories/2010/3156 attempted-user 2010-3343 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18216, service http, policy balanced-ips drop, policy security-ips alert; 18216 WEB-CLIENT Microsoft Internet Explorer 6 #default#anim attempt www.microsoft.com/technet/security/bulletin/MS10-090.mspx attempted-user 2010-3345 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18217, service http, policy balanced-ips drop, policy security-ips alert; 18217 SPECIFIC-THREATS Microsoft Internet Explorer 8 select element execution attempt www.microsoft.com/technet/security/bulletin/MS10-090.mspx attempted-user 2010-3346 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18218, service http, policy security-ips alert; 18218 SPECIFIC-THREATS Microsoft Internet Explorer html time manipulation attempt www.microsoft.com/technet/security/bulletin/MS10-090.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"location.search.substring|28|1|29|"; nocase; content:".charCodeAt|28|"; within:200; pcre:"/var\s+(\w+)\s*=\s*location\.search\.substring\(1\).{1,200}\1\.charCodeAt\(i\x25\1\.length\)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 18239 WEB-CLIENT known malicious JavaScript decryption routine attempted-user 2010-3971 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client, established; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|"; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|"; distance:0; content:"@|00|i|00|m|00|p|00|o|00|r|00|t|00| |00|"; distance:0; pcre:"/\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00([^\x22]+)\x22\x00.*\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00\2\x22.*\x40\x00i\x00m\x00p\x00o\x00r\x00t\x00 \x00(u\x00r\x00l\x00\x28\x00)?\x22\x00\2\x22/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 18240 WEB-CLIENT Microsoft Internet Explorer CSS importer use-after-free attempt www.vupen.com/english/advisories/2010/3156 44023 attempted-user 2010-3552 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"launchjnlp"; fast_pattern; nocase; content:"docbase"; within:100; nocase; pcre:"/name\s*=\s*[\x22\x27]docbase[\x22\x27]\s+value\s*=\s*[\x22\x27][^\x22\x27]{200}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 18244 WEB-CLIENT Sun Java browswer plugin docbase overflow attempt osvdb.org/show/osvdb/69054 44023 attempted-user 2010-3552 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"name=|22|docbase|22| value=|22 27| + "; nocase; content:"sBoF"; within:20; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 18245 SPECIFIC-THREATS Sun Java browswer plugin docbase overflow attempt osvdb.org/show/osvdb/69054 16476 attempted-user 2006-0297 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"alert|28|xx.toXMLString"; fast_pattern:only; content:"for|28|i=0|3B|i<|28|1024*1024|29|/2|3B|i++|29| m += |22 5C|n|22 3B|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 18250 SPECIFIC-THREATS Mozilla products EscapeAttributeValue integer overflow attempt attempted-user 2005-0555 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.rat; file_data; content:"name"; nocase; pcre:"/rating\x2Dservice.{0,300}\x28\s*name\s*\x22[^\x22]{261}/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 3686 WEB-CLIENT Microsoft Internet Explorer Content Advisor memory corruption attempt www.microsoft.com/technet/security/Bulletin/MS05-020.mspx 14087 attempted-user 2005-2087 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"03D9F3F2-B0E3-11D2-B081-006008039BF0"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*03D9F3F2-B0E3-11D2-B081-006008039BF0/si"; metadata:policy security-ips drop; classtype:attempted-user; 3814 WEB-CLIENT IE javaprxy.dll COM access www.osvdb.org/displayvuln.php?osvdb_id=17680 667 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1/si"; metadata:policy security-ips drop; classtype:attempted-user; 4169 WEB-ACTIVEX Internet Explorer Active Setup ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS99-037.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"BC5F1E51-5110-11D1-AFF5-006097C9A284"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC5F1E51-5110-11D1-AFF5-006097C9A284/si"; metadata:policy security-ips drop; classtype:attempted-user; 4198 WEB-ACTIVEX Internet Explorer Blnmgrps.dll ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"F27CE930-4CA3-11D1-AFF2-006097C9A284"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F27CE930-4CA3-11D1-AFF2-006097C9A284/si"; metadata:policy security-ips drop; classtype:attempted-user; 4199 WEB-ACTIVEX Internet Explorer Blnmgrps.dll ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"208DD6A3-E12B-4755-9607-2E39EF84CFC5"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*208DD6A3-E12B-4755-9607-2E39EF84CFC5/si"; metadata:policy security-ips drop; classtype:attempted-user; 4210 WEB-ACTIVEX Internet Explorer Msb1geen.dll ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"0006F02A-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0006F02A-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; classtype:attempted-user; 4222 WEB-ACTIVEX Internet Explorer Outllib.dll ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"8E26BFC1-AFD6-11CF-BFFC-00AA003CFDFC"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8E26BFC1-AFD6-11CF-BFFC-00AA003CFDFC/si"; metadata:policy security-ips drop; classtype:attempted-user; 4235 WEB-ACTIVEX Helper Object for Java ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-052.mspx 13799 attempted-user 2005-1790 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"body"; nocase; content:"onLoad"; distance:0; nocase; content:"window"; distance:0; nocase; pcre:"/<body\s+[^>]*onLoad\s*=\s*[\x22\x27]?window\(\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 4647 WEB-CLIENT internet explorer javascript onload overflow attempt www.microsoft.com/technet/security/bulletin/MS05-054.mspx 13799 attempted-user 2005-1790 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"prompt"; nocase; content:"fillmem"; distance:0; nocase; content:"body"; nocase; content:"onLoad"; distance:0; nocase; content:"setTimeout"; distance:0; nocase; pcre:"/prompt\(fillmem[^\)]*\).*?<body\s+[^>]*onLoad\s*=\s*[\x22\x27]?setTimeout\(/smi"; metadata:policy security-ips drop; classtype:attempted-user; 4917 WEB-CLIENT internet explorer javascript onload prompt obfuscation overflow attempt www.microsoft.com/technet/security/bulletin/MS05-054.mspx 18198 attempted-user 2006-2766 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"mhtml|3A|//"; nocase; pcre:"/href\s*=\s*(\x22mhtml\x3A\x2F\x2F[A-Z\x2D]{2,31}\x3A[^\x22]{1253}|\x27mhtml\x3A\x2F\x2F[A-Z\x2D]{2,31}\x3A[^\x27]{1253}|mhtml\x3A\x2F\x2F[A-Z\x2D]{2,31}\x3A[^\x09\r\n\x20]{1253})/smi"; metadata:policy security-ips drop; classtype:attempted-user; 6509 WEB-CLIENT Internet Explorer mhtml uri href buffer overflow attempt www.microsoft.com/technet/security/bulletin/ms06-043.mspx 18198 attempted-user 2006-2766 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"URL"; nocase; content:"mhtml|3A|//"; distance:0; nocase; pcre:"/^\s*URL\s*=\s*mhtml\x3A\x2F\x2F[A-Z\x2D]{2,31}\x3A[^\r\n]{1253}/smi"; metadata:policy security-ips drop; classtype:attempted-user; 6510 WEB-CLIENT Internet Explorer mhtml uri shortcut buffer overflow attempt www.microsoft.com/technet/security/bulletin/ms06-043.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"01E04581-4EEE-11D0-BFE9-00AA005B4383"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*01E04581-4EEE-11D0-BFE9-00AA005B4383/si"; metadata:policy security-ips drop; classtype:attempted-user; 8019 WEB-ACTIVEX Internet Explorer Address Bar ActiveX CLSID access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|1|00|E|00|0|00|4|00|5|00|8|00|1|00|-|00|4|00|E|00|E|00|E|00|-|00|1|00|1|00|D|00|0|00|-|00|B|00|F|00|E|00|9|00|-|00|0|00|0|00|A|00|A|00|0|00|0|00|5|00|B|00|4|00|3|00|8|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x001\x00E\x000\x004\x005\x008\x001\x00-\x004\x00E\x00E\x00E\x00-\x001\x001\x00D\x000\x00-\x00B\x00F\x00E\x009\x00-\x000\x000\x00A\x00A\x000\x000\x005\x00B\x004\x003\x008\x003\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8020 WEB-ACTIVEX Internet Explorer Address Bar ActiveX CLSID unicode access www.microsoft.com/technet/security/bulletin/ms05-038.mspx 19181 attempted-user 2006-3677 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"window.navigator"; nocase; content:"="; within:2; content:"java."; distance:0; nocase; metadata:policy security-ips drop; classtype:attempted-user; 8058 WEB-CLIENT Mozilla javascript navigator object access www.mozilla.org/security/announce/2006/mfsa2006-45.html 20042 attempted-user 2006-4566 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"new RegExp|28|"; nocase; pcre:"/^(?=[^\x29]*\x5c{2}[\x22\x27])[^\x29]*\x5b[^\x5d]*\x5c{2}[\x22\x27]/R"; metadata:policy security-ips drop, service http; classtype:attempted-user; 8443 WEB-CLIENT Mozilla regular expression heap corruption attempt 14087 attempted-user 2005-2087 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|3|00|D|00|9|00|F|00|3|00|F|00|2|00|-|00|B|00|0|00|E|00|3|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|0|00|8|00|1|00|-|00|0|00|0|00|6|00|0|00|0|00|8|00|0|00|3|00|9|00|B|00|F|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x003\x00D\x009\x00F\x003\x00F\x002\x00-\x00B\x000\x00E\x003\x00-\x001\x001\x00D\x002\x00-\x00B\x000\x008\x001\x00-\x000\x000\x006\x000\x000\x008\x000\x003\x009\x00B\x00F\x000\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 9628 WEB-ACTIVEX javaprxy.dll ActiveX clsid unicode access www.osvdb.org/displayvuln.php?osvdb_id=17680 attempted-user 2007-0046 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:".pdf|23|"; nocase; content:"document."; distance:0; nocase; pcre:"/\x2Epdf\x23[^\r\n]+\x3Djavascript\x3A[^\r\n]*document\x2E\w+/smi"; metadata:policy security-ips drop; classtype:attempted-user; 9843 WEB-CLIENT Adobe Acrobat Plugin JavaScript parameter double free attempt www.adobe.com/support/security/advisories/apsa07-01.html 320 Client / Browser 23532 attempted-user 2007-2126 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:established,to_server; content:"dbms_snap_internal.delete_refresh_operations"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{46,}\x27|\x22[^\x22]{46,}\x22)[\r\n\s]*\x3b.*snap_name[\r\n\s]*=>[\r\n\s]*\2|snap_name\s*=>\s*(\x27[^\x27]{46}|\x22[^\x22]{46})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]*\x22)\s*,\s*(\x27[^\x27]{46}|\x22[^\x22]{46}))/si"; classtype:attempted-user; 11000 ORACLE dbms_snap_internal.delete_refresh_operations buffer overflow attempt www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html 23532 attempted-user 2007-2126 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:established,to_server; content:"dbms_snap_internal.delete_refresh_operations"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{32,}\x27|\x22[^\x22]{32,}\x22)[\r\n\s]*\x3b.*snap_owner[\r\n\s]*=>[\r\n\s]*\2|snap_owner\s*=>\s*(\x27[^\x27]{32,}|\x22[^\x22]{32,})|\(\s*(\x27[^\x27]{32,}|\x22[^\x22]{32,}))/si"; classtype:attempted-user; 11001 ORACLE dbms_snap_internal.delete_refresh_operations buffer overflow attempt www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html 23532 attempted-user 2007-2126 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:established,to_server; content:"dbms_snap_internal.generate_refresh_operations"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{46,}\x27|\x22[^\x22]{46,}\x22)[\r\n\s]*\x3b.*snap_name[\r\n\s]*=>[\r\n\s]*\2|snap_name\s*=>\s*(\x27[^\x27]{46,}|\x22[^\x22]{46,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]*\x22)\s*,\s*(\x27[^\x27]{46,}|\x22[^\x22]{46,}))/si"; classtype:attempted-user; 11002 ORACLE dbms_snap_internal.generate_refresh_operations buffer overflow attempt www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html 23532 attempted-user 2007-2126 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:established,to_server; content:"dbms_snap_internal.generate_refresh_operations"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{32,}\x27|\x22[^\x22]{32,}\x22)[\r\n\s]*\x3b.*snap_owner[\r\n\s]*=>[\r\n\s]*\2|snap_owner\s*=>\s*(\x27[^\x27]{32,}|\x22[^\x22]{32,})|\(\s*(\x27[^\x27]{32,}|\x22[^\x22]{32,}))/si"; classtype:attempted-user; 11003 ORACLE dbms_snap_internal.generate_refresh_operations buffer overflow attempt www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html 24423 attempted-user 2007-1750 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"style"; nocase; content:"csstext"; distance:0; nocase; pcre:"/\x3c[^\x3e]*style\s*=[^\x3e]*?csstext\x3a/smi"; classtype:attempted-user; 11966 WEB-CLIENT Microsoft Internet Explorer CSS tag memory corruption attempt www.microsoft.com/technet/security/bulletin/MS07-033.mspx 22966 misc-attack 2007-1499 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"about|3A|cancel|23|"; nocase; metadata:service http; classtype:misc-attack; 12014 WEB-MISC Internet Explorer navcancl.htm url spoofing attempt www.microsoft.com/technet/security/bulletin/MS07-033.mspx attempted-user 2007-5045 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"-chrome"; pcre:"/-chrome\s*javascript/"; classtype:attempted-user; 12593 EXPLOIT Firefox Quicktime chrome exploit attempted-admin 2007-5243 tcp $EXTERNAL_NET any -> $HOME_NET 3050 flow:to_server,established; content:"|00 00 00|R"; depth:4; byte_test:4, >, 152, 4, relative; classtype:attempted-admin; 13840 EXPLOIT Borland Interbase service attach operation buffer overflow attempted-admin 2007-5243 tcp $EXTERNAL_NET any -> $HOME_NET 3050 flow:to_server,established; content:"|00 00 00 14|"; depth:4; byte_test:4, >, 540, 4, relative; classtype:attempted-admin; 13841 EXPLOIT Borland Interbase create operation buffer overflow attempted-admin 2007-5243 tcp $EXTERNAL_NET any -> $HOME_NET 3050 flow:to_server,established; content:"|00 00 00 13|"; depth:4; byte_test:4, >, 1024, 4, relative; classtype:attempted-admin; 13842 EXPLOIT Borland Interbase operation buffer overflow attempted-user 2008-2257 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13974; 13974 WEB-CLIENT Internet Explorer XHTML element memory corruption attempt www.microsoft.com/technet/security/bulletin/MS08-045.mspx 29736 attempted-user 2008-2908 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"36723f97-7aa0-11d4-8919-ff2d71d0d32c"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*36723f97-7aa0-11d4-8919-ff2d71d0d32c\s*}?\s*(?P=q1)[^>]*>.*<param\s*[^>]*\s*name\s*=\s*(operation|printer-url)[^>]*\s*value\s*=\s*(\x22[^>\s\x22]{256}|\x27[^>\s\x27]{256}|[^>\s]{256})/Osmi"; metadata:service http; classtype:attempted-user; 14037 WEB-ACTIVEX Novell iPrint ActiveX operation or printer-url parameter overflow attempt attempted-user 2009-1141 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15531; 15531 WEB-CLIENT Microsoft Internet Explorer Unexpected method call remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-019.mspx misc-attack 2009-1531 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:misc-attack; metadata: engine shared, soid 3|15538; 15538 WEB-CLIENT Microsoft Internet Explorer onreadystatechange memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-019.mspx misc-activity 2003-1025 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"%01@"; pcre:"/http\x3A\x2f\x2f[^\r\n]+\x2501\x40/smi"; metadata:service http; classtype:misc-activity; 15933 WEB-CLIENT Internet Explorer URL canonicalization address bar spoofing attempt www.microsoft.com/technet/security/bulletin/ms04-004.mspx 24283 misc-activity 2007-3091 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"win = open|28 22|poc_dummy.html|22|,|22|victim|22 29 3B|"; metadata:service http; classtype:misc-activity; 16010 SPECIFIC-THREATS Microsoft Internet Explorer Javascript Page update race condition attempt 23769 attempted-user 2007-0945 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"oa.cols=0x41414141|3B|"; content:"ob.mergeAttributes|28|oa,1|29 3B|"; distance:0; metadata:service http; classtype:attempted-user; 16011 SPECIFIC-THREATS Microsoft Internet Explorer CSS property method handling memory corruption attempt attempted-user 2009-2507 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16155; 16155 WEB-CLIENT Internet Explorer indexing service malformed parameters www.microsoft.com/technet/security/Bulletin/MS09-057.mspx 29802 attempted-user 2008-2785 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"counter-reset|3A| section"; nocase; content:"<li></li>|0A|<li></li>|0A|<li></li>|0A|<li></li>|0A|<li></li>|0A|"; distance:0; nocase; classtype:attempted-user; 16292 SPECIFIC-THREATS Mozilla CSS value counter overflow attempt www.mozilla.org/security/announce/2008/mfsa2008-34.html attempted-user 2009-3674 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16330; 16330 WEB-CLIENT Microsoft Internet Explorer orphan DOM objects memory corruption attempt www.microsoft.com/technet/security/bulletin/MS09-072.mspx attempted-user 2010-0248 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16378; 16378 WEB-CLIENT Internet Explorer deleted object cells reference memory corruption vulnerability 38519 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"Content-Length"; nocase; http_header; pcre:"/^Content-Length\s*\x3A\s*[^\n]{20}/miH"; classtype:attempted-user; 16481 WEB-CLIENT Opera Content-Length header integer overflow attempt www.hack0wn.com/view.php?xroot=672.0&cat=exploits attempted-user 2010-0491 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16507; 16507 WEB-CLIENT Internet Explorer onreadystatechange memory corruption attempt www.microsoft.com/technet/security/bulletin/MS10-018.mspx attempted-user 2010-1939 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client, established; content:"parent"; content:".prompt"; distance:0; pcre:"/var\s+(\w+)\s*\x3D\s*parent\s*\x3b.*\1\x2Eprompt.*\1\x2Eclose/smi"; metadata:service http; classtype:attempted-user; 16596 WEB-CLIENT Apple Safari information disclosure and remote code execution attempt secunia.com/advisories/39670 38691 attempted-user 2010-0054 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"removeChild(document.getElementsByTagName(|22|img|22|)[0])"; classtype:attempted-user; 16631 SPECIFIC-THREATS Safari image use after remove attempt "support.apple.com/kb/HT4070" 38691 attempted-user 2010-0054 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"imgBar = document.body.getElementsByTagName(|22|img|22|)[0]"; classtype:attempted-user; 16632 SPECIFIC-THREATS Safari image use after reparent attempt "support.apple.com/kb/HT4070" 4858 web-application-attack 2002-0902 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"img src=javascript"; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1667 WEB-MISC cross site scripting HTML Image tag set to javascript attempt attempted-user 2010-1258 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17115; 17115 WEB-CLIENT Microsoft Internet Explorer cross domain information disclosure attempt www.microsoft.com/technet/security/bulletin/MS10-053.mspx attempted-dos 2010-2556 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|17129; 17129 WEB-CLIENT Internet Explorer use-after-free memory corruption attempt www.microsoft.com/technet/security/bulletin/ms10-053.mspx 41933 attempted-user 2010-2755 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<object"; nocase; content:"|22 22|"; within:200; fast_pattern; pcre:"/\x3Cobject(?![^\x3E]+?src)[^\x3E]+?data\s*\x3D\s*\x22\x22/i"; metadata:service http; classtype:attempted-user; 17153 WEB-CLIENT Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 1 41933 attempted-user 2010-2755 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<object"; nocase; content:"|27 27|"; within:200; fast_pattern; pcre:"/\x3Cobject(?![^\x3E]+?src)[^\x3E]+?data\s*\x3D\s*\x27\x27/i"; metadata:service http; classtype:attempted-user; 17154 WEB-CLIENT Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 2 17634 attempted-user 2006-1986 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"cellspacing"; nocase; pcre:"/^\s*\x3D\s*\d{10}/R"; metadata:service http; classtype:attempted-user; 17216 WEB-CLIENT Apple Safari TABLE tag with large CELLSPACING attribute exploit attempt 17634 attempted-user 2006-1987 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"<frame"; nocase; content:"scrolling"; within:100; nocase; isdataat:10,relative; content:!"auto"; within:10; nocase; content:!"yes"; within:10; nocase; content:!"no"; within:10; nocase; pcre:"/\x3Cframe([^\x3E]+scrolling\s*\x3D(?!\s*(\x22|\x27)?\s*(yes|no|auto))){2}/i"; classtype:attempted-user; 17217 WEB-CLIENT Apple Safari invalid FRAME tag remote code execution attempt 17634 attempted-user 2006-1988 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"<li"; nocase; pcre:"/^[^\x3E]+?value\s*\x3D\s*\d{10}/iR"; metadata:service http; classtype:attempted-user; 17218 WEB-CLIENT Apple Safari LI tag with large VALUE attribute exploit attempt 26816 attempted-user 2007-3903 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established, to_client; content:"document|2E|createElement"; nocase; content:"|2E|cloneNode()"; distance:0; fast_pattern; nocase; content:"|2E|cloneNode()"; distance:0; nocase; classtype:attempted-user; 17303 WEB-CLIENT Microsoft Internet Explorer clone object memory corruption attempt 15660 attempted-user 2005-4089 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|3C|style"; nocase; content:"@import url|28 22|http|3A 2F 2F|news|2E|google|2E|com|2F|news|3F|hl|3D|en|26|ned|3D|us|26|q|3D 25|7D|25|7B|22 29|"; distance:0; nocase; classtype:attempted-user; 17311 SPECIFIC-THREATS Microsoft Internet Explorer CSS import cross-domain restriction bypass attempt 15660 attempted-user 2005-4089 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|3C|style"; nocase; content:"@import url|28 22|http|3A 2F 2F|search|2E|msn|2E|com|2F|results|2E|aspx|3F|q|3D 25|7D|25|7B|22 29|"; distance:0; nocase; classtype:attempted-user; 17312 SPECIFIC-THREATS Microsoft Internet Explorer CSS import cross-domain restriction bypass attempt 28379 attempted-user 2008-1544 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"XMLHttpRequest"; nocase; content:"setRequestHeader"; distance:0; nocase; pcre:"/setRequestHeader\x28[^\x29]*(Host|Referer|Content-Length)[\x22\x27][^\x2c]*[\xA0-\xFF]/smi"; classtype:attempted-user; 17384 WEB-CLIENT Microsoft Internet Explorer setRequestHeader overflow attempt 28379 attempted-user 2008-1544 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"XMLHttpRequest"; nocase; content:"setRequestHeader"; distance:0; nocase; pcre:"/setRequestHeader\x28[^\x29]*(Host|Referer|Content-Length).*?String.fromCharCode\x28/smi"; byte_test:3,>,160,0,relative,string; classtype:attempted-user; 17385 WEB-CLIENT Microsoft Internet Explorer setRequestHeader overflow attempt misc-attack 2005-2830 tcp $HOME_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; flowbits:isset,http.stat_code_407; content:"|2F|accounts|2F|ServiceLogin|3F|service|3D|mail|26|passive|3D|true|26|rm|3D|false|26|continue|3D|http"; nocase; http_uri; metadata:service http; classtype:misc-attack; 17448 SPECIFIC-THREATS Microsoft Internet Explorer HTTPS proxy information disclosure vulnerability www.microsoft.com/technet/security/Bulletin/MS05-054.mspx 19667 attempted-user 2006-3869 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Location|3A|"; nocase; http_header; isdataat:600,relative; pcre:"/Location\x3A\s+[^\r\n]{600}/Hi"; classtype:attempted-user; 17494 WEB-CLIENT Microsoft Internet Explorer Long URL Buffer Overflow attempt 17131 attempted-user 2006-1245 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"<"; content:"onmouseover"; within:24; nocase; pcre:"/[^>]\w*\s*(on(mouse(over|up|down)|load|click)=([^(\n|\s|>)]|\(|\))*\s*){21}/Rmi"; classtype:attempted-user; 17512 WEB-CLIENT Microsoft Internet Explorer Script Action Handler buffer overflow attempt 17131 attempted-user 2006-1245 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"<"; content:"onclick"; within:20; nocase; pcre:"/[^>]\w*\s*(on(mouse(over|up|down)|load|click)=([^(\n|\s|>)]|\(|\))*\s*){21}/Rmi"; classtype:attempted-user; 17513 WEB-CLIENT Microsoft Internet Explorer Script Action Handler buffer overflow attempt 17131 attempted-user 2006-1245 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"<"; content:"onmouseup"; within:22; nocase; pcre:"/[^>]\w*\s*(on(mouse(over|up|down)|load|click)=([^(\n|\s|>)]|\(|\))*\s*){21}/Rmi"; classtype:attempted-user; 17514 WEB-CLIENT Microsoft Internet Explorer Script Action Handler buffer overflow attempt 17131 attempted-user 2006-1245 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"<"; content:"onload"; within:19; nocase; pcre:"/[^>]\w*\s*(on(mouse(over|up|down)|load|click)=([^(\n|\s|>)]|\(|\))*\s*){21}/Rmi"; classtype:attempted-user; 17515 WEB-CLIENT Microsoft Internet Explorer Script Action Handler buffer overflow attempt 17131 attempted-user 2006-1245 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"<"; content:"onmousedown"; within:24; nocase; pcre:"/[^>]\w*\s*(on(mouse(over|up|down)|load|click)=([^(\n|\s|>)]|\(|\))*\s*){21}/Rmi"; classtype:attempted-user; 17516 WEB-CLIENT Microsoft Internet Explorer Script Action Handler buffer overflow attempt 32323 attempted-user 2008-5178 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"file|3A 2F 2F|"; fast_pattern:only; nocase; pcre:"/(src|href)\s*=\s*(\x22|\x27|)file\x3a\x2f\x2f[^\s\x22\x27]{900}/smi"; metadata:service http; classtype:attempted-user; 17725 WEB-CLIENT Opera file URI handling buffer overflow 36881 attempted-user 2009-3867 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,java_class_file.request; file_data; content:"|01 00 2C 28|Ljava|2F|net|2F|URL|3B 29|Ljavax|2F|sound|2F|midi|2F|Soundbank"; content:"|01 00 0C|getSoundbank"; content:"file|3A 2F 2F|"; byte_test:2,>,312,-9,relative,big; content:"|01|"; within:1; distance:-10; pcre:"/^.{2}file|3A 2F 2F|[\x21-\x7E]{305}/R"; metadata:service http; classtype:attempted-user; 17776 WEB-CLIENT Sun Java HsbParser.getSoundBank stack buffer overflow attempt trojan-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"function re|28|s,n,r,b,e|29|{if|28|s<b|7C 7C|s>e|29|return s|3B|"; fast_pattern:only; classtype:trojan-activity; 18132 SPECIFIC-THREATS malware-associated JavaScript obfuscation function labs.snort.org/docs/18132.html 22679 attempted-user 2007-1092 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|64 6F 63 75 6D 65 6E 74 2E 77 72 69 74 65 28 27 3C 68 74 6D 6C 3E 3C 62 6F 64 79 20 6F 6E 75 6E 6C 6F 61 64 3D 22|"; content:"|66 6F 72 20 28 69 3D 30 3B 69 3C 32 35 30 3B 69 2B 2B 29|"; distance:0; content:"|64 6F 63 75 6D 65 6E 74 2E 77 72 69 74 65 28 27 3C 73 63 72 69 70 74 3E 64 6F 63 75 6D 65 6E 74 2E 77 72 69 74 65 28 22|"; distance:0; classtype:attempted-user; 18170 SPECIFIC-THREATS Mozilla Firefox and SeaMonkey onUnload event handler memory corruption attempt 19197 attempted-user 2006-3113 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|73 72 63 3D 22 64 61 74 61 3A 74 65 78 74 2F 68 74 6D 6C 3B 63 68 61 72 73 65 74 3D 75 74 66 2D 38 2C 25 33 43 68 74 6D 6C 25 33 45 25 30 44 25 30 41|"; content:"|25|3Cscript|25|3E"; within:300; content:"window|2E|removeEventListener|28|"; within:500; classtype:attempted-user; 18176 SPECIFIC-THREATS Mozilla browsers memory corruption simultaneous XPCOM events code execution attempt 19197 attempted-user 2006-3113 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|73 72 63 3D 22 64 61 74 61 3A 74 65 78 74 2F 68 74 6D 6C 3B 63 68 61 72 73 65 74 3D 75 74 66 2D 38 2C 25 33 43 68 74 6D 6C 25 33 45 25 30 44 25 30 41|"; content:"|25|3Cscript|25|3E"; within:300; content:"window|2E|addEventListener|28|"; within:500; classtype:attempted-user; 18177 SPECIFIC-THREATS Mozilla browsers memory corruption simultaneous XPCOM events code execution attempt 19197 attempted-user 2006-3113 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|63 6C 61 73 73 3D 22 6D 65 6E 75 22 3E 3C 61 20 68 72 65 66 3D 22 22 20 74 61 72 67 65 74 3D 22 5F 74 6F 70 22 3E 51 51 51 51 51 51 51 51 51 51 3C 2F 61 3E|"; content:"|63 6C 61 73 73 3D 22 6D 65 6E 75 22 3E 3C 61 20 68 72 65 66 3D 22 22 20 74 61 72 67 65 74 3D 22 5F 74 6F 70 22 3E 51 51 51 51 51 51 51 51 51 51 3C 2F 61 3E|"; distance:0; classtype:attempted-user; 18178 SPECIFIC-THREATS Mozilla browsers memory corruption simultaneous XPCOM events code execution attempt 18682 attempted-user 2006-3280 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|6F 6E 6C 6F 61 64 3D 22 73 65 74 54 69 6D 65 6F 75 74 28 27 61 6C 65 72 74 28 6F 2E 6F 62 6A 65 63 74 2E 64 6F 63 75 6D 65 6E 74 45 6C 65 6D 65 6E 74 2E 6F 75 74 65 72 48 54 4D 4C 29 27 2C 31 30 30 30 29|"; metadata:service http; classtype:attempted-user; 18193 SPECIFIC-THREATS Microsoft Internet Explorer cross domain information disclosure attempt 18682 attempted-user 2006-3280 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|72 65 74 72 20 3D 20 6F 2E 6F 62 6A 65 63 74 2E 64 6F 63 75 6D 65 6E 74 45 6C 65 6D 65 6E 74 2E 69 6E 6E 65 72 48 54 4D 4C|"; content:"|73 65 74 54 69 6D 65 6F 75 74 28 27 72 65 74 72 69 65 76 65 28 29 27 2C 31 29|"; distance:0; metadata:service http; classtype:attempted-user; 18194 SPECIFIC-THREATS Microsoft Internet Explorer cross domain information disclosure attempt attempted-user 2010-3962 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18221; 18221 WEB-CLIENT Internet Explorer malformed table remote code execution attempt www.microsoft.com/technet/security/Bulletin/MS10-090.mspx 5346 attempted-user 2002-0815 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"document.domain|28|"; nocase; classtype:attempted-user; 1840 WEB-CLIENT Javascript document.domain attempt 5293 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"javascript|3A|//"; nocase; metadata:service http; classtype:attempted-user; 1841 WEB-CLIENT Javascript URL host spoofing attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/oprocmgr-status"; http_uri; metadata:service http; classtype:web-application-activity; 1874 WEB-MISC Oracle Java Process Manager access 10851 12881 attempted-user 2005-0399 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"image/"; http_header; pcre:"/^Content-Type\s*\x3a(\s*|\s*\r?\n\s+)image\x2fgif/smiH"; content:"GIF"; content:"!|FF 0B|NETSCAPE2.0"; distance:0; nocase; content:"|02|"; within:1; distance:1; byte_test:4,>,0x7f,3,relative; classtype:attempted-user; 3534 WEB-CLIENT Mozilla GIF single packet heap overflow - NETSCAPE2.0 17605 12881 attempted-user 2005-0399 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,http.gif; content:"GIF"; content:"!|FF 0B|NETSCAPE2.0"; distance:0; nocase; content:"|02|"; within:1; distance:1; byte_test:4,>,0x7f,3,relative; classtype:attempted-user; 3536 WEB-CLIENT Mozilla GIF multipacket heap overflow - NETSCAPE2.0 17605 30560 attempted-user 2008-2939 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"IFRAME"; nocase; pcre:"/\x3c\s*IFRAME\s*[^\x3e]*src=\x22javascript\x3a/smi"; classtype:attempted-user; 3679 WEB-CLIENT Web-client IFRAME src javascript code execution 18243 13941 attempted-user 2005-1211 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:4; distance:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; classtype:attempted-user; 3689 WEB-CLIENT Internet Explorer tRNS overflow attempt 18490 www.microsoft.com/technet/security/bulletin/MS05-025.mspx 13799 attempted-user 2005-1790 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"document.write"; nocase; pcre:"/document\.write\(([^\x22\x27\x29\x3B]*([\x22\x27]))((?(?=\2)\2(?1)))\x3C(?3)b(?3)o(?3)d(?3)y(?3)\s*(?3)o(?3)n(?3)l(?3)o(?3)a(?3)d(?3)\s*(?3)=(?3)\s*(?3)w(?3)i(?3)n(?3)d(?3)o(?3)w(?3)\x28(?3)\x29/smi"; classtype:attempted-user; 4916 WEB-CLIENT internet explorer javascript onload document.write obfuscation overflow attempt www.microsoft.com/technet/security/bulletin/MS05-054.mspx 12881 attempted-user 2005-0399 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"image/"; pcre:"/^Content-Type\s*\x3a(\s*|\s*\r?\n\s+)image\x2fgif/smi"; content:"GIF"; distance:0; content:"!|FF 0B|ANIMEXTS1.0"; distance:0; nocase; content:"|02|"; within:1; distance:1; byte_test:4,>,0x7f,3,relative; classtype:attempted-user; 6502 WEB-CLIENT Mozilla GIF single packet heap overflow - ANIMEXTS1.0 17605 12881 attempted-user 2005-0399 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,http.gif; content:"GIF"; content:"!|FF 0B|ANIMEXTS1.0"; distance:0; nocase; content:"|02|"; within:1; distance:1; byte_test:4,>,0x7f,3,relative; classtype:attempted-user; 6503 WEB-CLIENT Mozilla GIF multipacket heap overflow - ANIMEXTS1.0 17605 4858 web-application-attack 2002-0902 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"img src=javascript"; nocase; http_uri; metadata:service http; classtype:web-application-attack; 7071 WEB-MISC encoded cross site scripting HTML Image tag set to javascript attempt attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"233A9694-667E-11d1-9DFB-006097D50408"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*233A9694-667E-11d1-9DFB-006097D50408\s*}?\s*(?P=q1)(\s|>)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11236 WEB-ACTIVEX OutlookExpress.AddressBook ActiveX clsid access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|3|00|3|00|A|00|9|00|6|00|9|00|4|00|-|00|6|00|6|00|7|00|E|00|-|00|1|00|1|00|d|00|1|00|-|00|9|00|D|00|F|00|B|00|-|00|0|00|0|00|6|00|0|00|9|00|7|00|D|00|5|00|0|00|4|00|0|00|8|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; metadata:policy security-ips drop; classtype:attempted-user; 11237 WEB-ACTIVEX OutlookExpress.AddressBook ActiveX clsid unicode access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"O|00|u|00|t|00|l|00|o|00|o|00|k|00|E|00|x|00|p|00|r|00|e|00|s|00|s|00|.|00|A|00|d|00|d|00|r|00|e|00|s|00|s|00|B|00|o|00|o|00|k|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)O\x00u\x00t\x00l\x00o\x00o\x00k\x00E\x00x\x00p\x00r\x00e\x00s\x00s\x00.\x00A\x00d\x00d\x00r\x00e\x00s\x00s\x00B\x00o\x00o\x00k\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)O\x00u\x00t\x00l\x00o\x00o\x00k\x00E\x00x\x00p\x00r\x00e\x00s\x00s\x00.\x00A\x00d\x00d\x00r\x00e\x00s\x00s\x00B\x00o\x00o\x00k\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips drop; classtype:attempted-user; 11238 WEB-ACTIVEX OutlookExpress.AddressBook ActiveX function call unicode access attempted-user 2010-3213 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"POST"; http_method; content:"/owa/ev.owa"; http_uri; content:"ns=Rule"; http_uri; content:"ev=Save"; http_uri; content:"&#60params&#62&#60Id&#62&#60/Id&#62&#60Name&#62Test&#60/Name&#62&#60RecpA4&#62&#60item&#62&#60Rcp"; http_client_body; content:"AO=|22|3|22|&#62&#60/Rcp&#62&#60/item&#62&#60/RecpA4&#62&#60Actions&#62&#60item&#62&#60rca"; http_client_body; content:" t=|22|4|22|&#62&#60/rca&#62&#60/item&#62&#60/Actions&#62&#60/params&#62"; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17296 WEB-MISC Outlook Web Access XSRF attempt www.microsoft.com/technet/security/advisory/2401593.mspx 3026 attempted-user 2001-0538 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"OVCtl.OVCtl.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22OVCtl.OVCtl.1\x22|\x27OVCtl.OVCtl.1\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OVCtl.OVCtl.1\x22|\x27OVCtl.OVCtl.1\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 4150 WEB-ACTIVEX Outlook View OVCtl ActiveX function call access www.microsoft.com/technet/security/bulletin/MS01-038.mspx attempted-user 2005-2831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"0006F071-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0006F071-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; classtype:attempted-user; 4900 WEB-ACTIVEX Outlook Progress Ctl ActiveX Object Access www.microsoft.com/technet/security/bulletin/MS05-054.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"OutlookExpress.AddressBook"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22OutlookExpress\.AddressBook\x22|\x27OutlookExpress\.AddressBook\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22OutlookExpress\.AddressBook\x22|\x27OutlookExpress\.AddressBook\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 7005 WEB-ACTIVEX OutlookExpress.AddressBook ActiveX function call access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0006F03A-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0006F03A-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; classtype:attempted-user; 8371 WEB-ACTIVEX Outlook.Application ActiveX CLSID access metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|6|00|F|00|0|00|3|00|A|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x006\x00F\x000\x003\x00A\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8372 WEB-ACTIVEX Outlook.Application ActiveX CLSID unicode access metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm 3026 attempted-user 2001-0538 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0006F063-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0006F063-0000-0000-C000-000000000046\s*}?\s*\1/si"; metadata:policy security-ips drop; classtype:attempted-user; 8422 WEB-ACTIVEX Outlook View OVCtl ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS01-038.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0006F033-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0006F033-0000-0000-C000-000000000046/si"; metadata:policy security-ips drop; classtype:attempted-user; 8721 WEB-ACTIVEX Outlook Data Object ActiveX CLSID access metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|6|00|F|00|0|00|3|00|3|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x000\x000\x006\x00F\x000\x003\x003\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8722 WEB-ACTIVEX Outlook Data Object ActiveX CLSID unicode access metasploit.com/projects/Framework/modules/exploits/ie_createobject.pm 21649 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0006F023-0000-0000-C000-000000000046"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0006F023-0000-0000-C000-000000000046\s*}?\s*\1/si"; metadata:policy security-ips drop; classtype:attempted-user; 9668 WEB-ACTIVEX Outlook Recipient Control ActiveX clsid access 21649 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|6|00|F|00|0|00|2|00|3|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x006\x00F\x000\x002\x003\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 9669 WEB-ACTIVEX Outlook Recipient Control ActiveX clsid unicode access 21649 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"RECIP.RecipCtl.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22RECIP.RecipCtl.1\x22|\x27RECIP.RecipCtl.1\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22RECIP.RecipCtl.1\x22|\x27RECIP.RecipCtl.1\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 9670 WEB-ACTIVEX Outlook Recipient Control ActiveX function call access 3026 attempted-user 2001-0538 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|0|00|0|00|6|00|F|00|0|00|6|00|3|00|-|00|0|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|-|00|C|00|0|00|0|00|0|00|-|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|0|00|4|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x000\x000\x006\x00F\x000\x006\x003\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x000\x000\x000\x000\x000\x000\x004\x006\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 9819 WEB-ACTIVEX Outlook View OVCtl ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS01-038.mspx attempted-user 2007-0034 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.xls; content:"S|00|a|00|v|00|e|00|d|00|S|00|e|00|a|00|r|00|c|00|h|00|"; metadata:policy security-ips drop; classtype:attempted-user; 9847 WEB-CLIENT Outlook Saved Search download attempt www.microsoft.com/technet/security/Bulletin/MS07-003.mspx 330 Client / Email misc-attack 2008-0110 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:misc-attack; metadata: engine shared, soid 3|13573; 13573 WEB-CLIENT Microsoft Outlook arbitrary command line attempt www.microsoft.com/technet/security/bulletin/MS08-015.mspx 13952 attempted-user 2005-0563 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; content:"javascript|3A|alert|28|'Attacker supplied script"; metadata:service smtp; classtype:attempted-user; 15947 SPECIFIC-THREATS Microsoft Outlook Web Access Cross-Site Scripting attempt attempted-user 2007-3897 tcp $EXTERNAL_NET 119 -> $HOME_NET any flow:to_client,established; content:"1094795585 |0D 0A|1094795585 |0D 0A|"; classtype:attempted-user; 16428 EXPLOIT Microsoft Outlook Express and Windows Mail NNTP handling buffer overflow attempt www.microsoft.com/technet/security/Bulletin/MS07-056.mspx 26586 attempted-user 2008-3066 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FDC7A535-4070-4B92-A0EA-D9994BCC0DC5\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|PlayerProperty|Import)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FDC7A535-4070-4B92-A0EA-D9994BCC0DC5\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|PlayerProperty|Import))\s*\(/Osi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 10192 WEB-ACTIVEX RealPlayer Ierpplug.dll ActiveX clsid access 26586 attempted-user 2008-3066 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|D|00|C|00|7|00|A|00|5|00|3|00|5|00|-|00|4|00|0|00|7|00|0|00|-|00|4|00|B|00|9|00|2|00|-|00|A|00|0|00|E|00|A|00|-|00|D|00|9|00|9|00|9|00|4|00|B|00|C|00|C|00|0|00|D|00|C|00|5|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/Osi"; metadata:policy security-ips drop; classtype:attempted-user; 10193 WEB-ACTIVEX RealPlayer Ierpplug.dll ActiveX clsid unicode access 26586 attempted-user 2008-3066 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"IERPCtl.IERPCtl"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22IERPCtl\.IERPCtl\x22|\x27IERPCtl\.IERPCtl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|PlayerProperty|Import)\s*|.*(?P=v)\s*\.\s*(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|PlayerProperty|Import)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22IERPCtl\.IERPCtl\x22|\x27IERPCtl\.IERPCtl\x27)\s*\)(\s*\.\s*(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|PlayerProperty|Import)\s*|.*(?P=n)\s*\.\s*(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|PlayerProperty|Import)\s*)\s*\(/Osmi"; metadata:policy security-ips drop; classtype:attempted-user; 10194 WEB-ACTIVEX RealPlayer Ierpplug.dll ActiveX function call access 23652 attempted-user 2007-2296 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.quicktime; content:"|00 00 00 01|ftyp"; metadata:policy security-ips drop; classtype:attempted-user; 11180 WEB-CLIENT quicktime movie ftyp buffer underflow 23698 attempted-user 2007-2365 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"PLTE"; byte_test:4,>,768,-8,relative,big; metadata:policy security-ips drop; classtype:attempted-user; 11267 WEB-CLIENT Adobe Photoshop PNG file handling stack buffer overflow attempt 24856 attempted-admin 2007-3456 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,flv.xfer; content:"|12|"; content:"|02|"; within:1; distance:10; byte_jump:2,0,relative,big; content:"|0C|"; within:1; byte_test:4, >, 2147483647, 0, relative, big; metadata:policy security-ips drop; classtype:attempted-admin; 12183 EXPLOIT Adobe FLV long string script data buffer overflow 24658 attempted-user 2007-3410 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"smil "; nocase; content:"wallclock|28|"; distance:0; nocase; pcre:"/wallclock\x28((\d{2}\x3A){2}\d{2}\.[^\x2b\x2d\x5a]{11}|\d{4}-\d{2}-\d{2}T(\d{2}\x3A){2}\d{2}\.[^\x2b\x2d\x5a]{11})/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 12219 WEB-CLIENT SMIL RealPlayer wallclock parsing buffer overflow labs.idefense.com/intelligence/vulnerabilities/display.php?id=547 26549 attempted-user 2007-6166 udp $EXTERNAL_NET 554 -> $HOME_NET any flow:to_client; content:"RTSP"; depth:4; fast_pattern; content:"Content-Type"; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/Content-Type\s*\x3A[^\n\x3A]{256}/smi"; metadata:policy security-ips drop, service rtsp; classtype:attempted-user; 12742 EXPLOIT Apple Quicktime UDP RTSP sdp type buffer overflow attempt 26341 attempted-user 2007-3750 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.quicktime; content:"stsd"; byte_test:4,>,0,4,relative,big; byte_test:4,<,12,8,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 12746 EXPLOIT Apple QuickTime STSD atom overflow attempt 26344 attempted-user 2007-4672 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|00 00 00 00 00 00 00 00 00 00|"; content:"|00 11 02 FF|"; distance:0; fast_pattern; content:"|82 01|"; distance:0; byte_test:4,<,50,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 12757 WEB-CLIENT Apple Quicktime uncompressed PICT stack overflow attempt 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m7>\x22|\x27|)(?P<id1>.+?)(?P=m7)(\s|>)[^>]*\s*classid\s*=\s*(?P<q18>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA\s*}?\s*(?P=q18)(\s|>).*(?P=id1)\s*\.\s*(ParseWallClock|GetSourceTransport)|<object\s*[^>]*\s*classid\s*=\s*(?P<q19>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA\s*}?\s*(?P=q19)(\s|>)[^>]*\s*id\s*=\s*(?P<m8>\x22|\x27|)(?P<id2>.+?)(?P=m8)(\s|>).*(?P=id2)\.(ParseWallClock|GetSourceTransport))\s*\(/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 12766 WEB-ACTIVEX RealPlayer RMOC3260.DLL ActiveX clsid access labs.idefense.com/intelligence/vulnerabilities/display.php?id=547 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|F|00|C|00|D|00|A|00|A|00|0|00|3|00|-|00|8|00|B|00|E|00|4|00|-|00|1|00|1|00|C|00|F|00|-|00|B|00|8|00|4|00|B|00|-|00|0|00|0|00|2|00|0|00|A|00|F|00|B|00|B|00|C|00|C|00|F|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q20>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00F\x00C\x00D\x00A\x00A\x000\x003\x00-\x008\x00B\x00E\x004\x00-\x001\x001\x00C\x00F\x00-\x00B\x008\x004\x00B\x00-\x000\x000\x002\x000\x00A\x00F\x00B\x00B\x00C\x00C\x00F\x00A\x00(}\x00)?(?P=q20)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 12767 WEB-ACTIVEX RealPlayer RMOC3260.DLL ActiveX clsid unicode access labs.idefense.com/intelligence/vulnerabilities/display.php?id=547 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"rmocx.RealPlayer G2 Control"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22rmocx\.RealPlayer\s*G2\s*Control\x22|\x27rmocx\.RealPlayer\s*G2\s*Control\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(ParseWallClock|GetSourceTransport)\s*|.*(?P=v)\s*\.\s*(ParseWallClock|GetSourceTransport)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22rmocx\.RealPlayer\s*G2\s*Control\x22|\x27rmocx\.RealPlayer\s*G2\s*Control\x27)\s*\)(\s*\.\s*(ParseWallClock|GetSourceTransport)\s*|.*(?P=n)\s*\.\s*(ParseWallClock|GetSourceTransport)\s*)\s*\(/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 12768 WEB-ACTIVEX RealPlayer RMOC3260.DLL ActiveX function call access labs.idefense.com/intelligence/vulnerabilities/display.php?id=547 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"r|00|m|00|o|00|c|00|x|00|.|00|R|00|e|00|a|00|l|00|P|00|l|00|a|00|y|00|e|00|r|00| |00|G|00|2|00| |00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q21>\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*G\x002\x00(\s\x00)*C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q21)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q22>\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*G\x002\x00(\s\x00)*C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q22)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 12769 WEB-ACTIVEX RealPlayer RMOC3260.DLL ActiveX function call unicode access labs.idefense.com/intelligence/vulnerabilities/display.php?id=547 26586 attempted-user 2007-5601 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"VulObject = |22|IER|22| + |22|PCtl.I|22| + |22|ERP|22| + |22|Ctl.1|22 3B|"; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 12775 SPECIFIC-THREATS obfuscated RealPlayer Ierpplug.dll ActiveX exploit attempt attempted-user 2007-6244 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ShockwaveFlash.ShockwaveFlash"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22ShockwaveFlash\.ShockwaveFlash\x22|\x27ShockwaveFlash\.ShockwaveFlash\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*navigateToURL\s*|.*?(?P=v)\s*\.\s*navigateToURL\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ShockwaveFlash\.ShockwaveFlash\x22|\x27ShockwaveFlash\.ShockwaveFlash\x27)\s*\)(\s*\.\s*navigateToURL\s*|.*?(?P=n)\s*\.\s*navigateToURL\s*)\s*\(/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13216 WEB-ACTIVEX ShockwaveFlash.ShockwaveFlash ActiveX function call access www.adobe.com/support/security/bulletins/apsb07-20.html attempted-user 2007-6244 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"S|00|h|00|o|00|c|00|k|00|w|00|a|00|v|00|e|00|F|00|l|00|a|00|s|00|h|00|.|00|S|00|h|00|o|00|c|00|k|00|w|00|a|00|v|00|e|00|F|00|l|00|a|00|s|00|h|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)S\x00h\x00o\x00c\x00k\x00w\x00a\x00v\x00e\x00F\x00l\x00a\x00s\x00h\x00.\x00S\x00h\x00o\x00c\x00k\x00w\x00a\x00v\x00e\x00F\x00l\x00a\x00s\x00h\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)S\x00h\x00o\x00c\x00k\x00w\x00a\x00v\x00e\x00F\x00l\x00a\x00s\x00h\x00.\x00S\x00h\x00o\x00c\x00k\x00w\x00a\x00v\x00e\x00F\x00l\x00a\x00s\x00h\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13217 WEB-ACTIVEX ShockwaveFlash.ShockwaveFlash ActiveX function call unicode access www.adobe.com/support/security/bulletins/apsb07-20.html attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"S|00|h|00|o|00|c|00|k|00|w|00|a|00|v|00|e|00|F|00|l|00|a|00|s|00|h|00|.|00|S|00|h|00|o|00|c|00|k|00|w|00|a|00|v|00|e|00|F|00|l|00|a|00|s|00|h|00|.|00|9|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q1>\x22|\x27|)S\x00h\x00o\x00c\x00k\x00w\x00a\x00v\x00e\x00F\x00l\x00a\x00s\x00h\x00.\x00S\x00h\x00o\x00c\x00k\x00w\x00a\x00v\x00e\x00F\x00l\x00a\x00s\x00h\x00.\x009\x00(?P=q1)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q2>\x22|\x27|)S\x00h\x00o\x00c\x00k\x00w\x00a\x00v\x00e\x00F\x00l\x00a\x00s\x00h\x00.\x00S\x00h\x00o\x00c\x00k\x00w\x00a\x00v\x00e\x00F\x00l\x00a\x00s\x00h\x00.\x009\x00(?P=q2)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13218 WEB-ACTIVEX ShockwaveFlash.ShockwaveFlash.9 ActiveX function call unicode access www.securityfocus.com/archive/1/443383/30/150/threaded 26342 attempted-user 2007-4675 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"video/quicktime"; nocase; content:"pdat"; byte_test:2,=,0,6,relative; byte_test:4,>,104,-8,relative; metadata:policy security-ips drop, service http; classtype:attempted-user; 13293 WEB-CLIENT QuickTime panorama atoms buffer overflow attempt docs.info.apple.com/article.html?artnum=306896 26951 attempted-admin 2007-6242 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"FWS"; content:"|FF D8|"; distance:0; content:"JFIF"; distance:0; content:"|FF C0|"; distance:0; byte_test:2, >, 32767, 3, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 13300 WEB-CLIENT Adobe Flash Player embedded JPG image height overflow attempt 26951 attempted-admin 2007-6242 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"FWS"; content:"|FF D8|"; distance:0; content:"JFIF"; distance:0; content:"|FF C0|"; distance:0; byte_test:2, >, 32767, 5, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 13301 WEB-CLIENT Adobe Flash Player embedded JPG image width overflow attempt 27641 attempted-user 2008-0655 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|F7 C5|d|F2 F8 F9|e|B7 EF 8B E9 AF BF F2|@|F1 FB FB A2 9C D9 B3 FB F7 05 CE|>|1E FB F3 E5|x|28|>=~-|B6|Y|DA E9 BC|9|9E A7|&|E6 F4|l2|8A CB|"; metadata:policy security-ips drop; classtype:attempted-user; 13477 SPECIFIC-THREATS Adobe PDF collab.collectEmailInfo exploit attempt - compressed 27641 attempted-user 2008-0655 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"collab.collectEmailInfo"; nocase; metadata:policy security-ips drop; classtype:attempted-user; 13478 SPECIFIC-THREATS Adobe PDF collab.collectEmailInfo exploit attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| QuickTime"; http_header; flowbits:set,quicktime_agent; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-activity; 13515 WEB-CLIENT Quicktime user agent 27225 attempted-user 2008-0234 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset, quicktime_agent; content:"HTTP/1.1 404"; isdataat:256,relative; content:!"|0A|"; within:256; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 13516 WEB-CLIENT Quicktime HTTP error response buffer overflow attempted-user 2008-0065 tcp $EXTERNAL_NET [80,8090] -> $HOME_NET any flow:established,to_client; content:"misc/ultravox"; content:"<artist>"; distance:0; nocase; isdataat:266,relative; content:!"</artist>"; within:256; pcre:"/Content-Type\x3A\s*misc/ultravox.+?(\r?\n){2}\x5A.9\x01/is"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 13520 EXPLOIT Winamp Ultravox streaming malicious metadata attempted-user 2008-0065 tcp $EXTERNAL_NET [80,8090] -> $HOME_NET any flow:established,to_client; content:"misc/ultravox"; content:"<name>"; distance:0; nocase; isdataat:266,relative; content:!"</name>"; within:256; pcre:"/Content-Type\x3A\s*misc/ultravox.+?(\r?\n){2}\x5A.9\x01/is"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 13521 EXPLOIT Winamp Ultravox streaming malicious metadata 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"rmocx.RealPlayer Download Handler"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22rmocx\.RealPlayer\s*Download\s*Handler(\.\d)?\x22|\x27rmocx\.RealPlayer\s*Download\s*Handler(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=v)\s*\.\s*(Console|Controls)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22rmocx\.RealPlayer\s*Download\s*Handler(\.\d)?\x22|\x27rmocx\.RealPlayer\s*Download\s*Handler(\.\d)?\x27)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=n)\s*\.\s*(Console|Controls))\s*=/smiO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13603 WEB-ACTIVEX RealPlayer Download Handler ActiveX function call access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"r|00|m|00|o|00|c|00|x|00|.|00|R|00|e|00|a|00|l|00|P|00|l|00|a|00|y|00|e|00|r|00| |00|D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00| |00|H|00|a|00|n|00|d|00|l|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13604 WEB-ACTIVEX RealPlayer Download Handler ActiveX function call unicode access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"rmocx.RealPlayer RAM Download Handler"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22rmocx\.RealPlayer\s*RAM\s*Download\s*Handler\x22|\x27rmocx\.RealPlayer\s*RAM\s*Download\s*Handler\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=v)\s*\.\s*(Console|Controls)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22rmocx\.RealPlayer\s*RAM\s*Download\s*Handler\x22|\x27rmocx\.RealPlayer\s*RAM\s*Download\s*Handler\x27)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=n)\s*\.\s*(Console|Controls))\s*=/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13605 WEB-ACTIVEX RealPlayer RAM Download Handler ActiveX function call access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"r|00|m|00|o|00|c|00|x|00|.|00|R|00|e|00|a|00|l|00|P|00|l|00|a|00|y|00|e|00|r|00| |00|R|00|A|00|M|00| |00|D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00| |00|H|00|a|00|n|00|d|00|l|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q16>\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*R\x00A\x00M\x00(\s\x00)*D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q16)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q17>\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*R\x00A\x00M\x00(\s\x00)*D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q17)(\s|>)(\s\x00)*\)\x00/Osmi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13606 WEB-ACTIVEX RealPlayer RAM Download Handler ActiveX function call unicode access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Console)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(Console))\s*=/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13607 WEB-ACTIVEX RealPlayer RMOC3260.DLL Vulnerble Property ActiveX clsid access 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|F|00|C|00|D|00|A|00|A|00|0|00|3|00|-|00|8|00|B|00|E|00|4|00|-|00|1|00|1|00|C|00|F|00|-|00|B|00|8|00|4|00|B|00|-|00|0|00|0|00|2|00|0|00|A|00|F|00|B|00|B|00|C|00|C|00|F|00|A|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13608 WEB-ACTIVEX RealPlayer RMOC3260.DLL Vulnerble Property ActiveX clsid unicode access 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"rmocx.RealPlayer G2 Control"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22rmocx\.RealPlayer\s*G2\s*Control\x22|\x27rmocx\.RealPlayer\s*G2\s*Control\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*Console\s*|.*(?P=v)\s*\.\s*Console\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22rmocx\.RealPlayer\s*G2\s*Control\x22|\x27rmocx\.RealPlayer\s*G2\s*Control\x27)\s*\)(\s*\.\s*Console\s*|.*(?P=n)\s*\.\s*Console)\s*=/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13609 WEB-ACTIVEX RealPlayer RMOC3260.DLL Vulnerble Property ActiveX function call access 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"r|00|m|00|o|00|c|00|x|00|.|00|R|00|e|00|a|00|l|00|P|00|l|00|a|00|y|00|e|00|r|00| |00|G|00|2|00| |00|C|00|o|00|n|00|t|00|r|00|o|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*G\x002\x00(\s\x00)*C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*G\x002\x00(\s\x00)*C\x00o\x00n\x00t\x00r\x00o\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 13610 WEB-ACTIVEX RealPlayer RMOC3260.DLL Vulnerble Property ActiveX function call unicode access 29386 attempted-user 2007-0071 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|A8 15|"; content:"|BF 15 0C 00 00 00|"; within:6; distance:45; content:"|BF 14 7F 01 00 00|"; within:6; distance:12; content:"?|13 19 00 00 00|"; within:6; distance:383; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 13820 WEB-CLIENT Adobe Flash player SWF scene and label data memory corruption attempt www.adobe.com/support/security/bulletins/apsb08-11.html 29386 attempted-user 2007-0071 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|BF 15 84 03 00 00|"; content:"|BF 14|D|02 00 00|"; within:6; distance:900; content:"?|13 1F 00 00 00|"; within:6; distance:640; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 13821 WEB-CLIENT Adobe Flash player SWF scene and label data memory corruption attempt www.adobe.com/support/security/bulletins/apsb08-11.html 29386 attempted-user 2007-0071 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|A8 15|"; content:"|8C 15|"; within:2; distance:40; content:"|BF 14 7F 01 00 00|"; within:6; distance:12; content:"|19 13|"; within:2; distance:383; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 13822 WEB-CLIENT Adobe Flash player SWF scene and label data memory corruption attempt www.adobe.com/support/security/bulletins/apsb08-11.html 28583 attempted-user 2008-1017 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.quicktime; metadata: engine shared, soid 3|13897, service http, policy balanced-ips drop, policy security-ips drop; 13897 EXPLOIT Apple Quicktime crgn atom parsing buffer overflow attempt 15306 attempted-user 2005-2753 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.quicktime; content:"hdlr"; byte_test:1,>=,251,24,relative; metadata:policy security-ips drop, service http; classtype:attempted-user; 13917 WEB-CLIENT Apple QuickTime MOV file string handling integer overflow attempt 15306 attempted-user 2005-2753 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.quicktime; content:"tmci"; byte_test:1,>=,251,24,relative; metadata:policy security-ips drop, service http; classtype:attempted-user; 13918 WEB-CLIENT Apple QuickTime MOV file string handling integer overflow attempt 28583 attempted-user 2008-1022 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.quicktime; content:"obji"; nocase; byte_test:4,<,20,-8,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 13920 WEB-CLIENT Apple Quicktime Obji Atom parsing stack buffer overflow attempt 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CFCDA953-8BE4-11CF-B84B-0020AFBBCCFA"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q6>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CFCDA953-8BE4-11CF-B84B-0020AFBBCCFA\s*}?\s*(?P=q6)(\s|>)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14042 WEB-ACTIVEX RealPlayer General Property Page ActiveX clsid access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|F|00|C|00|D|00|A|00|9|00|5|00|3|00|-|00|8|00|B|00|E|00|4|00|-|00|1|00|1|00|C|00|F|00|-|00|B|00|8|00|4|00|B|00|-|00|0|00|0|00|2|00|0|00|A|00|F|00|B|00|B|00|C|00|C|00|F|00|A|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q7>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00F\x00C\x00D\x00A\x009\x005\x003\x00-\x008\x00B\x00E\x004\x00-\x001\x001\x00C\x00F\x00-\x00B\x008\x004\x00B\x00-\x000\x000\x002\x000\x00A\x00F\x00B\x00B\x00C\x00C\x00F\x00A\x00(}\x00)?(?P=q7)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14043 WEB-ACTIVEX RealPlayer General Property Page ActiveX clsid unicode access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"rmocx.RealPlayer Playback Handler"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22rmocx\.RealPlayer\s*Playback\s*Handler\x22|\x27rmocx\.RealPlayer\s*Playback\s*Handler\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=v)\s*\.\s*(Console|Controls)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22rmocx\.RealPlayer\s*Playback\s*Handler\x22|\x27rmocx\.RealPlayer\s*Playback\s*Handler\x27)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=n)\s*\.\s*(Console|Controls))\s*=/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14044 WEB-ACTIVEX RealPlayer Playback Handler ActiveX function call access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"r|00|m|00|o|00|c|00|x|00|.|00|R|00|e|00|a|00|l|00|P|00|l|00|a|00|y|00|e|00|r|00| |00|P|00|l|00|a|00|y|00|b|00|a|00|c|00|k|00| |00|H|00|a|00|n|00|d|00|l|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q11>\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*P\x00l\x00a\x00y\x00b\x00a\x00c\x00k\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q11)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q12>\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*P\x00l\x00a\x00y\x00b\x00a\x00c\x00k\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q12)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14045 WEB-ACTIVEX RealPlayer Playback Handler ActiveX function call unicode access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"rmocx.RealPlayer RMP Download Handler"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22rmocx\.RealPlayer\s*RMP\s*Download\s*Handler\x22|\x27rmocx\.RealPlayer\s*RMP\s*Download\s*Handler\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=v)\s*\.\s*(Console|Controls)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22rmocx\.RealPlayer\s*RMP\s*Download\s*Handler\x22|\x27rmocx\.RealPlayer\s*RMP\s*Download\s*Handler\x27)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=n)\s*\.\s*(Console|Controls))\s*=/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14046 WEB-ACTIVEX RealPlayer RMP Download Handler ActiveX function call access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"r|00|m|00|o|00|c|00|x|00|.|00|R|00|e|00|a|00|l|00|P|00|l|00|a|00|y|00|e|00|r|00| |00|R|00|M|00|P|00| |00|D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00| |00|H|00|a|00|n|00|d|00|l|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q26>\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*R\x00M\x00P\x00(\s\x00)*D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q26)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q27>\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*R\x00M\x00P\x00(\s\x00)*D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q27)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14047 WEB-ACTIVEX RealPlayer RMP Download Handler ActiveX function call unicode access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"rmocx.RealPlayer RNX Download Handler"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22rmocx\.RealPlayer\s*RNX\s*Download\s*Handler\x22|\x27rmocx\.RealPlayer\s*RNX\s*Download\s*Handler\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=v)\s*\.\s*(Console|Controls)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22rmocx\.RealPlayer\s*RNX\s*Download\s*Handler\x22|\x27rmocx\.RealPlayer\s*RNX\s*Download\s*Handler\x27)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=n)\s*\.\s*(Console|Controls))\s*=/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14048 WEB-ACTIVEX RealPlayer RNX Download Handler ActiveX function call access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"r|00|m|00|o|00|c|00|x|00|.|00|R|00|e|00|a|00|l|00|P|00|l|00|a|00|y|00|e|00|r|00| |00|R|00|N|00|X|00| |00|D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00| |00|H|00|a|00|n|00|d|00|l|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q31>\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*R\x00N\x00X\x00(\s\x00)*D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q31)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q32>\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*R\x00N\x00X\x00(\s\x00)*D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q32)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14049 WEB-ACTIVEX RealPlayer RNX Download Handler ActiveX function call unicode access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"rmocx.RealPlayer SMIL Download Handler"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22rmocx\.RealPlayer\s*SMIL\s*Download\s*Handler\x22|\x27rmocx\.RealPlayer\s*SMIL\s*Download\s*Handler\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=v)\s*\.\s*(Console|Controls)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22rmocx\.RealPlayer\s*SMIL\s*Download\s*Handler\x22|\x27rmocx\.RealPlayer\s*SMIL\s*Download\s*Handler\x27)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=n)\s*\.\s*(Console|Controls))\s*=/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14050 WEB-ACTIVEX RealPlayer SMIL Download Handler ActiveX function call access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"r|00|m|00|o|00|c|00|x|00|.|00|R|00|e|00|a|00|l|00|P|00|l|00|a|00|y|00|e|00|r|00| |00|S|00|M|00|I|00|L|00| |00|D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00| |00|H|00|a|00|n|00|d|00|l|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q36>\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*S\x00M\x00I\x00L\x00(\s\x00)*D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q36)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q37>\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*S\x00M\x00I\x00L\x00(\s\x00)*D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q37)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14051 WEB-ACTIVEX RealPlayer SMIL Download Handler ActiveX function call unicode access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"rmocx.RealPlayer Stream Handler"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22rmocx\.RealPlayer\s*Stream\s*Handler\x22|\x27rmocx\.RealPlayer\s*Stream\s*Handler\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=v)\s*\.\s*(Console|Controls)\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22rmocx\.RealPlayer\s*Stream\s*Handler\x22|\x27rmocx\.RealPlayer\s*Stream\s*Handler\x27)\s*\)(\s*\.\s*(Console|Controls)\s*|.*(?P=n)\s*\.\s*(Console|Controls))\s*=/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14052 WEB-ACTIVEX RealPlayer Stream Handler ActiveX function call access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"r|00|m|00|o|00|c|00|x|00|.|00|R|00|e|00|a|00|l|00|P|00|l|00|a|00|y|00|e|00|r|00| |00|S|00|t|00|r|00|e|00|a|00|m|00| |00|H|00|a|00|n|00|d|00|l|00|e|00|r|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q41>\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*S\x00t\x00r\x00e\x00a\x00m\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q41)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q42>\x22|\x27|)r\x00m\x00o\x00c\x00x\x00.\x00R\x00e\x00a\x00l\x00P\x00l\x00a\x00y\x00e\x00r\x00(\s\x00)*S\x00t\x00r\x00e\x00a\x00m\x00(\s\x00)*H\x00a\x00n\x00d\x00l\x00e\x00r\x00(?P=q42)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14053 WEB-ACTIVEX RealPlayer Stream Handler ActiveX function call unicode access www.kb.cert.org/vuls/id/831457 30814 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2646205B-878C-11D1-B07C-0000C040BCDB"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2646205B-878C-11D1-B07C-0000C040BCDB\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(CallHTMLHelp)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2646205B-878C-11D1-B07C-0000C040BCDB\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(CallHTMLHelp))\s*\(/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14235 WEB-ACTIVEX Microsoft Windows Media Services ActiveX clsid access 30814 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|6|00|4|00|6|00|2|00|0|00|5|00|B|00|-|00|8|00|7|00|8|00|C|00|-|00|1|00|1|00|D|00|1|00|-|00|B|00|0|00|7|00|C|00|-|00|0|00|0|00|0|00|0|00|C|00|0|00|4|00|0|00|B|00|C|00|D|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x006\x004\x006\x002\x000\x005\x00B\x00-\x008\x007\x008\x00C\x00-\x001\x001\x00D\x001\x00-\x00B\x000\x007\x00C\x00-\x000\x000\x000\x000\x00C\x000\x004\x000\x00B\x00C\x00D\x00B\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14236 WEB-ACTIVEX Microsoft Windows Media Services ActiveX clsid unicode access 30814 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"NSIEMisc.NSIEMisc"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22NSIEMisc\.NSIEMisc\x22|\x27NSIEMisc\.NSIEMisc\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*CallHTMLHelp\s*|.*(?P=v)\s*\.\s*CallHTMLHelp\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22NSIEMisc\.NSIEMisc\x22|\x27NSIEMisc\.NSIEMisc\x27)\s*\)(\s*\.\s*CallHTMLHelp\s*|.*(?P=n)\s*\.\s*CallHTMLHelp\s*)\s*\(/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14237 WEB-ACTIVEX Microsoft Windows Media Services ActiveX function call access 30814 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"N|00|S|00|I|00|E|00|M|00|i|00|s|00|c|00|.|00|N|00|S|00|I|00|E|00|M|00|i|00|s|00|c|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)N\x00S\x00I\x00E\x00M\x00i\x00s\x00c\x00.\x00N\x00S\x00I\x00E\x00M\x00i\x00s\x00c\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)N\x00S\x00I\x00E\x00M\x00i\x00s\x00c\x00.\x00N\x00S\x00I\x00E\x00M\x00i\x00s\x00c\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/smi"; metadata:policy security-ips alert, service http; classtype:attempted-user; 14238 WEB-ACTIVEX Microsoft Windows Media Services ActiveX function call unicode access attempted-user 2008-3008 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|14255, service http, policy balanced-ips drop, policy security-ips drop; 14255 WEB-ACTIVEX Windows Media Encoder 9 ActiveX clsid access www.microsoft.com/technet/security/bulletin/MS08-053.mspx attempted-user 2008-3008 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|14257, service http, policy balanced-ips drop, policy security-ips drop; 14257 WEB-ACTIVEX Windows Media Encoder 9 ActiveX function call access www.microsoft.com/technet/security/bulletin/MS08-053.mspx 32105 attempted-user 2008-4817 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7"; fast_pattern:only; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7\s*}?\s*(?P=q1)(\s|>)/siO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 15007 WEB-ACTIVEX NOS Microsystems / Adobe getPlus Download Manager ActiveX clsid access 32105 attempted-user 2008-4817 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|F|00|4|00|0|00|A|00|C|00|C|00|5|00|-|00|E|00|1|00|B|00|B|00|-|00|4|00|a|00|f|00|f|00|-|00|A|00|C|00|7|00|2|00|-|00|0|00|4|00|C|00|2|00|F|00|6|00|1|00|6|00|B|00|C|00|A|00|7|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q2>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*C\x00F\x004\x000\x00A\x00C\x00C\x005\x00-\x00E\x001\x00B\x00B\x00-\x004\x00a\x00f\x00f\x00-\x00A\x00C\x007\x002\x00-\x000\x004\x00C\x002\x00F\x006\x001\x006\x00B\x00C\x00A\x007\x00(}\x00)?(?P=q2)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips alert, service http; classtype:attempted-user; 15008 WEB-ACTIVEX NOS Microsystems / Adobe getPlus Download Manager ActiveX clsid unicode access misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".pdf"; nocase; http_uri; flowbits:set,http.pdf; flowbits:noalert; metadata:service http; classtype:misc-activity; 15013 WEB-MISC Adobe Portable Document Format file download attempt attempted-user 2008-2992 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.pdf; content:"/S/JavaScript/JS"; nocase; content:"util.printf"; pcre:"/\x28\s*\x22\s*\x25([2-9][6-9][5-9]|[1-9][0-9]{3,})f/mi"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 15014 WEB-CLIENT Adobe Reader and Acrobat util.printf buffer overflow attempt 33751 attempted-user 2009-0658 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"JBIG2Decode"; nocase; content:"stream"; distance:0; pcre:"/JBIG2Decode.*?stream(\x0d\x0a|\x0a|\x0d)/smi"; byte_test:1, &, 64, 4, relative; byte_test:1, <, 160, 5, relative; byte_test:4, >, 35256, 6, relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15357 WEB-CLIENT Adobe PDF JBIG2 remote code execution attempt 34938 attempted-user 2009-0010 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"|00 11 02 FF 0C 00|"; pcre:"/\x00[\x70-\x74]\x00[\x00-\x09]/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15384 WEB-CLIENT Apple QuickTime pict image poly structure memory corruption attempt 35052 attempted-user 2009-1831 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,maki_file.request; metadata: engine shared, soid 3|15433, service http, policy balanced-ips drop, policy security-ips drop; 15433 WEB-CLIENT Winamp MAKI parsing integer overflow attempt 16410 attempted-user 2006-0476 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"[playlist]"; nocase; content:"File"; distance:0; nocase; content:"="; within:5; distance:1; isdataat:500,relative; content:!"|0A|"; within:500; metadata:policy security-ips drop, service http; classtype:attempted-user; 15472 WEB-CLIENT Nullsoft Winamp pls file player name handling buffer overflow attempt 33880 attempted-user 2009-0520 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"|43 57 53 06 40 F3 14 00 78 DA 44 7C 05 58 54 DB F7 F6 1A 66 80 A1 87 54 86 EE EE A1 86 9A A1 41 10 10 A4 2C 44 3A 2C 10 0B 61 08 15 41 10 15 95 52 4A 01 11 15 05 F4 9A A0 A2 5E 95 10 30 08 03|"; within:64; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15478 SPECIFIC-THREATS Adobe Flash Player invalid object reference code execution attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".swf"; nocase; http_uri; flowbits:set,http.swf; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert, service http; classtype:misc-activity; 15483 WEB-MISC Adobe Shockwave Flash file request 34740 attempted-user 2009-1493 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.pdf; content:"spell.customDictionaryOpen"; nocase; pcre:"/spell\.customDictionaryOpen\x5C\((\s*\d|[^\x2C]+\x2C\s*[A-Z\d_])/smi"; metadata:policy security-ips drop; classtype:attempted-user; 15492 SPECIFIC-THREATS Adobe PDF spell.customDictionaryOpen exploit attempt 34736 attempted-user 2009-1492 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.pdf; content:"getAnnots"; nocase; pcre:"/getAnnots\x5C?\([^\x29\x2C]+\x2C\s*[^\x29\x2C]+\x2C\s*[^\x29\x2C]+\x2C\s*-\d/smi"; metadata:policy security-ips drop; classtype:attempted-user; 15493 SPECIFIC-THREATS Adobe PDF getAnnots exploit attempt 35139 attempted-user 2009-1537 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15517, service http, policy balanced-ips alert, policy security-ips alert; 15517 WEB-CLIENT AVI DirectShow quicktime parsing overflow attempt www.microsoft.com/technet/security/bulletin/MS09-028.mspx 35167 attempted-user 2009-0954 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.quicktime; content:"crgn"; byte_jump:2,-6,relative,big; content:!"|7F FF 7F FF|"; within:4; distance:-8; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15559 WEB-CLIENT Apple QuickTime Movie File Clipping Region handling heap buffer overflow attempt support.apple.com/kb/HT3591 attempted-user 2009-1859 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.pdf; content:"jP "; content:"|FF|O|FF|Q"; distance:0; byte_jump:2,36,relative,multiplier 3,big; content:"|FF|R"; within:2; byte_test:1,>,16,7,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15562 WEB-CLIENT Adobe Reader JPX malformed code-block width attempt attempted-user 2009-1539 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15680, service http, policy balanced-ips drop, policy security-ips drop; 15680 EXPLOIT Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt www.microsoft.com/technet/security/bulletin/MS09-028.mspx attempted-user 2009-1538 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15682, service http, policy balanced-ips drop, policy security-ips drop; 15682 WEB-CLIENT Microsoft DirectShow QuickTime file stsc atom parsing heap corruption attempt www.microsoft.com/technet/security/bulletin/MS09-028.mspx 35157 attempted-user 2009-0950 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"itms|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itms\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15703 WEB-CLIENT Apple iTunes ITMS protocol handler stack buffer overflow attempt 35157 attempted-user 2009-0950 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"itmss|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itmss\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15704 WEB-CLIENT Apple iTunes ITMSS protocol handler stack buffer overflow attempt 35157 attempted-user 2009-0950 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"pcast|3A|//"; nocase; pcre:"/(\x22|\x27)pcast\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15705 WEB-CLIENT Apple iTunes PCAST protocol handler stack buffer overflow attempt 35157 attempted-user 2009-0950 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"daap|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)daap\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15706 WEB-CLIENT Apple iTunes DAAP protocol handler stack buffer overflow attempt 35157 attempted-user 2009-0950 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"itpc|3A|//"; nocase; isdataat:256,relative; pcre:"/(\x22|\x27)itpc\x3a\x2f\x2f[^\x22\x27]*\x3a[^\x22\x27\x2f]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15707 WEB-CLIENT Apple iTunes ITPC protocol handler stack buffer overflow attempt 36600 attempted-user 2009-3459 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.pdf; content:"/DecodeParms"; content:"/Predictor"; distance:0; byte_test:8,>,1,0,relative,string,dec; pcre:"/\x2fDecodeParms\s*\x3c{2}\s*(?=[^\x3e]*\/Predictor\s+0*(1\d{1}|[2-9]))([^\x3e]*\x2fBitsPerComponent\s+\d{3}|[^\x3e]*\x2fColumns\s+(\d{5}|[6-9]\d{3})|[^\x3e]*\x2fColors\s+(\d{5}|[6-9]\d{3}))/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15709 WEB-CLIENT Adobe Acrobat and Adobe Reader FlateDecode integer overflow attempt 35759 attempted-user 2009-1862 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.pdf; content:"ByteArray"; nocase; content:"|04 0C 0C 0C 0C|"; within:100; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15728 EXPLOIT Possible Adobe PDF ActionScript byte_array heap spray attempt blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html 35759 attempted-user 2009-1862 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.swf; content:"ByteArray"; nocase; content:"|04 0C 0C 0C 0C|"; within:100; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15729 EXPLOIT Possible Adobe Flash ActionScript byte_array heap spray attempt blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html 32100 attempted-user 2008-4813 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.pdf; content:"obj<<"; content:"/BaseFont"; distance:0; content:"endobj"; distance:0; pcre:"/obj\x3c\x3c.*?\x2fBaseFont\x2f[^\x80-\xff\x2f]*[\x80-\xff].*?endobj/s"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15867 WEB-CLIENT Adobe Acrobat PDF font processing memory corruption attempt vallejo.cc/proyectos/adobereader812.html 32896 attempted-user 2008-5499 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|00|airappinstaller|00|ASnative|00|"; pcre:"/\x00[\x3b\x7c\x26\x60][^\x00]+\x00airappinstaller\x00ASnative\x00/smi"; content:"|99 08|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15869 WEB-CLIENT Adobe Flash Player ASnative command execution attempet 33384 attempted-user 2009-0002 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.quicktime; content:"trak"; content:"tkhd"; within:4; distance:4; fast_pattern; pcre:"/trak.{4}tkhd.{40}(?!\x00\x01\x00\x00.{12}\x00\x01\x00\x00)/s"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15909 WEB-CLIENT Apple QuickTime VR Track Header Atom heap corruption attempt support.apple.com/kb/HT3403 26214 attempted-user 2007-2264 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:".ra|FD 00 04 00 00|.ra4|00 00 00 89 00 04 0F FF FF FF|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15940 SPECIFIC-THREATS RealNetworks RealPlayer Multiple Products RA file processing overflow attempt 35907 attempted-user 2009-1869 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.swf; content:"|01 01 02 09 03 80 80 80 80 01 01 02 01 01 04 01 00 03 00 01 01 09|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15993 SPECIFIC-THREATS Adobe Flash Player ActionScript intrf_count integer overflow attempt 18507 attempted-user 2006-3228 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"MThd|00 00 00 06 00 00 00 01 00|`MTrk"; byte_test:4,>,2147483648,8,relative; metadata:policy security-ips drop, service http; classtype:attempted-user; 16027 WEB-CLIENT winamp midi file header overflow attempt 19976 attempted-user 2006-4384 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|FA F1 02 00 00 00 00 00 00 00 00 00 0A 03 00 00 0B 00 01 00 FF|"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16041 SPECIFIC-THREATS Apple QuickTime FLIC animation file buffer overflow attempt 26214 attempted-user 2007-5081 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"DATA|00 00|A'|00 00 00 00 00|'|00 00 00 00 00 00 01|<|FF FF|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16046 SPECIFIC-THREATS RealNetworks RealPlayer RealMedia file format processing heap corruption attempt 17953 attempted-user 2006-2238 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.bmp; content:"BM"; content:"|00 00 00 00|"; within:4; distance:4; byte_test:4,>,65535,4,relative,little; byte_test:4,>,3,12,relative,little; metadata:policy security-ips drop, service http; classtype:attempted-user; 16054 WEB-CLIENT Quicktime bitmap multiple header overflow 18730 attempted-user 2006-1467 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"mp4a"; content:"stsc"; distance:0; byte_jump:4,-8,relative,big; content:"stsz"; within:4; byte_test:4,<,257,-8,relative,big; byte_test:4,>,60,8,relative,big; metadata:policy security-ips drop, service http; classtype:attempted-user; 16055 WEB-CLIENT Apple iTunes AAC file handling integer overflow attempt 15822 attempted-dos 2005-4216 tcp $EXTERNAL_NET any -> $HOME_NET 1111 flow:to_server,established; dsize:3; content:"a|0D 0A|"; depth:3; metadata:policy security-ips drop, service http; classtype:attempted-dos; 16091 SPECIFIC-THREATS Macromedia Flash Media Server administration service denial of service attempt 15732 attempted-user 2005-4092 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"dinf|00 00 00 1C|dref|00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0F|"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16148 SPECIFIC-THREATS Apple QuickTime and iTunes heap memory corruption attempt attempted-user 2009-2527 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16156, service http, policy balanced-ips drop, policy security-ips drop; 16156 WEB-CLIENT Windows Media Player 6.4 marker object memory corruption www.microsoft.com/technet/security/Bulletin/MS09-052.mspx attempted-user 2009-2997 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16172, service http, policy balanced-ips drop, policy security-ips drop; 16172 EXPLOIT Adobe Acrobat Reader U3D line set heap corruption attempt attempted-user 2009-2998 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16173, service http, policy balanced-ips drop, policy security-ips drop; 16173 EXPLOIT Adobe Acrobat Reader U3D progressive mesh continuation pointer overwrite attempt attempted-user 2009-3458 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16174, service http, policy balanced-ips drop, policy security-ips drop; 16174 EXPLOIT Adobe Acrobat Reader U3D progressive mesh continuation off by one index attempt attempted-user 2009-2988 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.pdf; metadata: engine shared, soid 3|16175, service http, policy balanced-ips drop, policy security-ips drop; 16175 EXPLOIT Adobe collab.removeStateModel denial of service attempt attempted-user 2009-2996 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.pdf; metadata: engine shared, soid 3|16176, service http, policy balanced-ips drop, policy security-ips drop; 16176 EXPLOIT Adobe collab.addStateModel remote corruption attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".dir"; nocase; http_uri; flowbits:set,http.dir; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert; classtype:misc-activity; 16219 WEB-CLIENT Adobe Director file format transfer attempted-user 2009-3466 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.dir; metadata: engine shared, soid 3|16220, service http, policy balanced-ips drop, policy security-ips drop; 16220 WEB-CLIENT Adobe Shockwave director file malformed lcsr block memory corruption attempt www.adobe.com/support/security/bulletins/apsb09-16.html attempted-user 2009-3464 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.dir; metadata: engine shared, soid 3|16223, service http, policy balanced-ips drop, policy security-ips drop; 16223 WEB-CLIENT Adobe Shockwave tSAC pointer overwrite attempt www.adobe.com/support/security/bulletins/apsb09-16.html attempted-user 2009-3465 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.dir; metadata: engine shared, soid 3|16225, service http, policy security-ips drop; 16225 EXPLOIT Adobe Shockwave arbitrary memory access attempt www.adobe.com/support/security/bulletins/apsb09-16.html attempted-user 2009-3463 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.dir; content:"|FF FF FF FF 01 1F 02|H|00 00 00|6|00 00 FF FF 01 1F 1F EE|"; content:!"|FF FF FF FF|"; within:4; distance:-24; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16293 WEB-CLIENT Adobe Shockwave Flash memory corruption attempt attempted-user 2009-3797 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.swf; metadata: engine shared, soid 3|16316, service http, policy balanced-ips drop, policy security-ips drop; 16316 WEB-CLIENT Adobe Flash Player malformed getPropertyLate actioncode attempt attempted-user 2009-2984 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16320, service http, policy balanced-ips drop, policy security-ips drop; 16320 WEB-CLIENT Adobe PNG empty sPLT exploit attempt attempted-user 2009-2995 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16321, service http, policy balanced-ips drop, policy security-ips drop; 16321 WEB-CLIENT Adobe tiff oversized image length attempt attempted-user 2009-2980 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.pdf; metadata: engine shared, soid 3|16322, service http, policy balanced-ips drop, policy security-ips drop; 16322 WEB-CLIENT Adobe Reader oversized object width attempt attempted-user 2009-2995 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.pdf; metadata: engine shared, soid 3|16323, service http, policy balanced-ips drop, policy security-ips drop; 16323 EXPLOIT Adobe JPEG2k uninitialized QCC memory corruption attempt attempted-user 2009-2993 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.pdf; metadata: engine shared, soid 3|16324, service http, policy balanced-ips drop, policy security-ips drop; 16324 WEB-CLIENT Adobe doc.export arbitrary file write attempt attempted-user 2009-2995 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.pdf; metadata: engine shared, soid 3|16325, service http, policy balanced-ips drop, policy security-ips drop; 16325 EXPLOIT Adobe JPEG2k uninitialized QCC memory corruption attempt 37331 attempted-user 2009-4324 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.pdf; content:"/S/JavaScript"; content:"this.media.newPlayer"; pcre:"/^\x5C?\x28null\x5C?\x29/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16333 WEB-CLIENT Adobe Reader media.newPlayer memory corruption attempt attempted-user 2009-4324 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.pdf; content:"&|EA A7 7C 9A 1D C4 1C FE|&|7F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 16334 SPECIFIC-THREATS Adobe Reader compressed media.newPlayer memory corruption attempt 37420 attempted-admin 2009-3792 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|16337, service http, policy balanced-ips drop, policy security-ips drop; 16337 EXPLOIT Adobe Flash directory traversal attempt www.adobe.com/support/security/bulletins/apsb09-18.html 37192 attempted-user 2009-4195 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"%!PS-Adobe-"; nocase; content:"EPSF-"; within:10; pcre:"/%[^\x0d\x0a]{1000}/smiR"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16359 WEB-CLIENT Adobe Illustrator DSC comment overflow attempt 35166 attempted-user 2009-0955 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.quicktime; content:"stsd"; content:"rpza"; distance:12; fast_pattern; content:"|00 00 00 00 00 00|"; within:6; byte_test:2,>,0x1FFC,18,relative,big; metadata:policy security-ips drop, service http; classtype:attempted-user; 16360 WEB-CLIENT Apple QuickTime Image Description Atom sign extension memory corruption attempt support.apple.com/kb/HT3591 attempted-user 2009-3955 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.pdf; metadata: engine shared, soid 3|16370, service http, policy balanced-ips drop, policy security-ips drop; 16370 WEB-CLIENT Adobe Reader JP2C Region Atom CompNum memory corruption attempt 37759 attempted-user 2009-3958 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16371, service http, policy security-ips drop; 16371 WEB-ACTIVEX NOS Microsystems Adobe atl_getcom ActiveX clsid access www.adobe.com/support/security/bulletins/apsb10-02.html 36665 attempted-user 2009-2990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.pdf; metadata: engine shared, soid 3|16373, service http, policy balanced-ips drop, policy security-ips drop; 16373 WEB-CLIENT Adobe Acrobat Reader U3D CLODMeshContinuation code execution attempt www.adobe.com/support/security/bulletins/apsb09-15.html attempted-user 2010-0188 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client, established; flowbits:isset,http.pdf; content:"|EB|/|ED|Z|B9|qX|F4 D8|C|F5|a|BF|+|0D 8C D2 F3 DD|*|EE 09|W|B1 B3 9B|P|EB AD D1 B3 07 A0|4|D8|m|7C 7F EB B5 EF|j|E8 F5|m[+t|8F 7C BC|f|BB 86|ql|F7 C0 C3 E8|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16490 SPECIFIC-THREATS Adobe Reader malformed TIFF remote code execution attempt www.adobe.com/support/security/bulletins/apsb10-07.html attempted-user 2010-0268 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16537, service http, policy balanced-ips drop, policy security-ips drop; 16537 EXPLOIT Windows Media Player ActiveX unknow compression algorithm use arbitrary code execution attempt www.microsoft.com/technet/security/bulletin/ms10-027.mspx attempted-admin 2010-0478 tcp $EXTERNAL_NET any -> $HOME_NET 1755 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|16541, policy balanced-ips drop, policy security-ips drop; 16541 EXPLOIT Microsoft Windows Media Service stack overflow attempt www.microsoft.com/technet/security/bulletin/MS10-025.mspx attempted-user 2010-0480 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.avi; metadata: engine shared, soid 3|16543, service http, policy balanced-ips drop, policy security-ips drop; 16543 WEB-CLIENT Microsoft Windows Media Player codec code execution attempt www.microsoft.com/technet/security/bulletin/MS10-026.mspx attempted-user 2010-1241 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16546, service http, policy balanced-ips drop, policy security-ips drop; 16546 EXPLOIT Adobe Reader/Acrobat Pro CFF font parsing heap overflow attempt attempted-user 2010-1279 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16561, service http, policy security-ips drop; 16561 EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 1 www.adobe.com/support/security/bulletins/apsb10-10.html attempted-user 2010-1279 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16562, service http, policy security-ips drop; 16562 EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 2 www.adobe.com/support/security/bulletins/apsb10-10.html attempted-user 2010-1279 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16563, service http, policy security-ips drop; 16563 EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 3 www.adobe.com/support/security/bulletins/apsb10-10.html attempted-user 2010-1279 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16564, service http, policy security-ips drop; 16564 EXPLOIT Adobe Photoshop CS4 TIFF file exploit attempt - 4 www.adobe.com/support/security/bulletins/apsb10-10.html attempted-user 2008-3008 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"unescape|28|'"; content:"GetDetailsString|28|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16578 EXPLOIT Microsoft Windows Media Encoder 9 ActiveX buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS08-053.mspx attempted-user 2010-0196 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.pdf; content:"stream|0A|U3D"; content:"1|FF FF FF|"; distance:1; byte_jump:2,8,relative,little,post_offset 32; byte_test:4,>=,97612894,0,relative,little; metadata:policy security-ips drop, service http; classtype:attempted-user; 16603 WEB-CLIENT Adobe Reader U3D CLOD integer overflow www.adobe.com/support/security/bulletins/apsb10-09.html 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"classid=|27|clsid|3A|2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93|27|"; content:"unescape|28 27 25|"; distance:0; metadata:policy security-ips drop, service http; classtype:attempted-user; 16607 SPECIFIC-THREATS RealPlayer RAM Download Handler ActiveX exploit attempt www.kb.cert.org/vuls/id/831457 26130 attempted-user 2007-5601 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"classid|3D 27|clsid|3A|FDC7A535-4070-4B92-A0EA-D9994BCC0DC5|27|"; fast_pattern:only; nocase; content:"document.getElementById|28 27|"; distance:0; content:"new String|28 27|"; distance:0; metadata:policy security-ips drop, service http; classtype:attempted-user; 16609 SPECIFIC-THREATS RealPlayer ActiveX Import playlist name buffer overflow attempt attempted-user 2010-1297 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.pdf; metadata: engine shared, soid 3|16633, service http, policy balanced-ips drop, policy security-ips drop; 16633 WEB-CLIENT Adobe PDF File containing Flash use-after-free attack attempted-user 2010-1297 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16634, service http, policy balanced-ips drop, policy security-ips drop; 16634 WEB-CLIENT Adobe Flash use-after-free attack attempted-user 2010-1880 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16663, service http, policy security-ips drop; 16663 WEB-CLIENT Windows Media Player JPG header record mismatch memory corruption attempt www.microsoft.com/technet/security/bulletin/MS10-033.mspx 40586 attempted-user 2010-1297 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"|43 57 53 09 A2 D2 00 00 78 9C EC BD 79 7C 54 C5 D2 37 DE 7D|"; content:"|CF E7 77 BC EB 19 53 BF 99 F7 7C FB B8 D4 4B FA 7C EE E7 AC C7 83 AD 58 D8 F3 35 8B A5 1E B4 67 4D EA 3F EE 9E 3F 79 C9 AB ED 63 B6 F4 58 7A 57|"; within:48; distance:316; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16664 SPECIFIC-THREATS Adobe Reader and Acrobat authplay.dll vulnerability exploit attempt attempted-user 2010-1292 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established, to_client; flowbits:isset,http.dir; content:"XFIR"; depth:4; content:"pami"; distance:0; byte_test:4,>,0x7FFFFFFF,4,relative,little; metadata:policy security-ips drop, service http; classtype:attempted-user; 16673 WEB-CLIENT Adobe Shockwave DIR file PAMI chunk code execution attempt www.adobe.com/support/security/bulletins/apsb10-12.html 36600 attempted-user 2009-3459 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client, established; content:"1073741838"; pcre:"/(C|#43)(o|#6F)(l|#6C)(o|#6F)(r|#72)(s|#73)\s*1073741838/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16676 SPECIFIC-THREATS Adobe Reader malformed FlateDecode colors declaration 36600 attempted-user 2009-3459 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client, established; content:"FlateDecode"; content:"DecodeParms"; pcre:"/DecodeParms\s*\[[^\]]*Colors\s*\d\d\d\d/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16677 WEB-CLIENT Adobe Reader malformed FlateDecode colors declaration attempted-user 2009-0186 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,caff_request; content:"CAFF|00 01 00 00|desc"; depth:12; nocase; byte_test:4,>,268435455,32,relative; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 16683 WEB-MISC Nullsoft Winamp CAF file processing integer overflow attempt 41130 attempted-dos 2010-2204 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-dos; flowbits:isset,http.pdf; metadata: engine shared, soid 3|16801, service http, policy balanced-ips drop, policy security-ips drop; 16801 EXPLOIT Adobe Reader CoolType.dll remote memory corruption denial of service attempt 35028 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(ConvertFile)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(ConvertFile))/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17096 WEB-ACTIVEX AOL WinAmpX ActiveX clsid access 35028 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"F|00|E|00|0|00|B|00|D|00|7|00|7|00|9|00|-|00|4|00|4|00|E|00|E|00|-|00|4|00|A|00|4|00|B|00|-|00|A|00|A|00|2|00|E|00|-|00|7|00|4|00|3|00|C|00|6|00|3|00|F|00|2|00|E|00|5|00|E|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*F\x00E\x000\x00B\x00D\x007\x007\x009\x00-\x004\x004\x00E\x00E\x00-\x004\x00A\x004\x00B\x00-\x00A\x00A\x002\x00E\x00-\x007\x004\x003\x00C\x006\x003\x00F\x002\x00E\x005\x00E\x006\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17097 WEB-ACTIVEX AOL WinAmpX ActiveX clsid unicode access 35028 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"classid|3D 27|clsid|3A|FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6|27|"; content:"unescape|28|"; within:300; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17098 SPECIFIC-THREATS AOL IWinAmpActiveX class ConvertFile buffer overflow attempt attempted-user 2010-2216 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17141, service http, policy balanced-ips drop, policy security-ips drop; 17141 EXPLOIT Adobe Flash invalid data precision arbitrary code execution exploit attempt www.adobe.com/support/security/bulletins/apsb10-16.html attempted-user 2010-0209 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17142, service http, policy balanced-ips drop, policy security-ips drop; 17142 EXPLOIT Adobe Flash Player SWF ActionScript exploit attempt www.adobe.com/support/security/bulletins/apsb10-16.html 40389 attempted-user 2010-1296 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"AnglUntF"; nocase; byte_test:4,>,1020,12,relative,big; content:"8BIM"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17143 WEB-CLIENT Adobe Photoshop CS4 ABR file processing buffer overflow attempt - 1 40389 attempted-user 2010-1296 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"AnglUntF"; nocase; byte_test:4,>,1020,12,relative,big; content:"8BBR"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17144 WEB-CLIENT Adobe Photoshop CS4 ABR file processing buffer overflow attempt - 2 40389 attempted-user 2010-1296 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"Stylenum"; nocase; byte_test:4,>,1020,8,relative,big; content:"8BSL"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17145 WEB-CLIENT Adobe Photoshop CS4 ASL file processing buffer overflow attempt 40389 attempted-user 2010-1296 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|00|G|00|r|00|a|00|d|00|i|00|e|00|n|00|t"; nocase; byte_test:4,>,1020,13,relative,big; content:"8BGR"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17146 WEB-CLIENT Adobe Photoshop CS4 GRD file processing buffer overflow attempt 40389 attempted-user 2010-1296 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"AnglUntF|23|Ang"; byte_test:4,>,1020,8,relative,big; metadata:policy security-ips drop, service http; classtype:attempted-user; 17147 SPECIFIC-THREATS Adobe Photoshop CS4 ABR file processing buffer overflow attempt attempted-user 2010-2869 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17179, service http, policy balanced-ips drop, policy security-ips drop; 17179 WEB-CLIENT Adobe Director file pamm record exploit attempt attempted-user 2010-2864 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17180, service http, policy balanced-ips drop, policy security-ips drop; 17180 WEB-CLIENT Adobe Director file LsCM record exploit attempt attempted-user 2010-2864 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17181, service http, policy balanced-ips drop, policy security-ips drop; 17181 WEB-CLIENT Adobe Director file LsCM record exploit attempt attempted-user 2010-2869 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17182, service http, policy balanced-ips drop, policy security-ips drop; 17182 WEB-CLIENT Adobe Director file tSAC record exploit attempt attempted-user 2010-2869 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17183, service http, policy balanced-ips drop, policy security-ips drop; 17183 WEB-CLIENT Adobe Director file tSAC record exploit attempt attempted-user 2010-2869 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17184, service http, policy balanced-ips drop, policy security-ips drop; 17184 WEB-CLIENT Adobe Director file tSAC record exploit attempt attempted-user 2010-2869 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17185, service http, policy balanced-ips drop, policy security-ips drop; 17185 WEB-CLIENT Adobe Director file rcsL record exploit attempt attempted-user 2010-2869 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17186, service http, policy balanced-ips drop, policy security-ips drop; 17186 WEB-CLIENT Adobe Director file rcsL record exploit attempt attempted-user 2010-2869 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17187, service http, policy balanced-ips drop, policy security-ips drop; 17187 WEB-CLIENT Adobe Director file rcsL record exploit attempt attempted-user 2010-2869 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17188, service http, policy balanced-ips drop, policy security-ips drop; 17188 WEB-CLIENT Adobe Director file rcsL record exploit attempt attempted-user 2010-2869 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17189, service http, policy balanced-ips drop, policy security-ips drop; 17189 WEB-CLIENT Adobe Director file rcsL record exploit attempt attempted-user 2010-2871 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.dir; metadata: engine shared, soid 3|17190, service http, policy balanced-ips drop, policy security-ips drop; 17190 EXPLOIT Adobe Director remote code execution attempt attempted-user 2010-2872 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.dir; metadata: engine shared, soid 3|17191, service http, policy balanced-ips drop, policy security-ips drop; 17191 EXPLOIT Adobe Director remote code execution attempt attempted-user 2010-2873 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.dir; metadata: engine shared, soid 3|17192, service http, policy balanced-ips drop, policy security-ips drop; 17192 EXPLOIT Adobe Director remote code execution attempt attempted-user 2010-2874 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.dir; metadata: engine shared, soid 3|17193, service http, policy balanced-ips drop, policy security-ips drop; 17193 EXPLOIT Adobe Director remote code execution attempt attempted-user 2010-2875 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.dir; metadata: engine shared, soid 3|17194, service http, policy balanced-ips drop, policy security-ips drop; 17194 EXPLOIT Adobe Director file tSAC tag exploit attempt attempted-user 2010-2876 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.dir; metadata: engine shared, soid 3|17195, service http, policy balanced-ips drop, policy security-ips drop; 17195 EXPLOIT Adobe Director file exploit attempt attempted-user 2010-2877 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.dir; metadata: engine shared, soid 3|17196, service http, policy balanced-ips drop, policy security-ips drop; 17196 EXPLOIT Adobe Director file exploit attempt attempted-user 2010-2879 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.dir; metadata: engine shared, soid 3|17197, service http, policy balanced-ips drop, policy security-ips drop; 17197 EXPLOIT Adobe Director file exploit attempt attempted-user 2010-2878 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.dir; metadata: engine shared, soid 3|17198, service http, policy balanced-ips drop, policy security-ips drop; 17198 EXPLOIT Adobe Director file exploit attempt attempted-user 2010-2863 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.dir; metadata: engine shared, soid 3|17199, service http, policy balanced-ips drop, policy security-ips drop; 17199 WEB-CLIENT Adobe Director file file lRTX overflow attempt attempted-user 2010-2864 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.dir; metadata: engine shared, soid 3|17200, service http, policy balanced-ips drop, policy security-ips drop; 17200 WEB-CLIENT Adobe Director file LsCM overflow attempt attempted-user 2010-2865 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.dir; metadata: engine shared, soid 3|17201, service http, policy balanced-ips drop, policy security-ips drop; 17201 WEB-CLIENT Adobe Director file file LsCM overflow attempt attempted-user 2010-2866 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.dir; metadata: engine shared, soid 3|17202, service http, policy balanced-ips drop, policy security-ips drop; 17202 WEB-CLIENT Adobe Director file file Shockwave 3D overflow attempt attempted-user 2010-2867 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.dir; metadata: engine shared, soid 3|17203, service http, policy balanced-ips drop, policy security-ips drop; 17203 WEB-CLIENT Adobe Director file file rcsL overflow attempt attempted-user 2010-2870 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.dir; metadata: engine shared, soid 3|17204, service http, policy balanced-ips drop, policy security-ips drop; 17204 WEB-CLIENT Adobe Director file file mmap overflow attempt attempted-user 2010-1818 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"_Marshaled_pUnk"; nocase; pcre:"/name\s*=\s*(?P<q1>\x22|\x27|)_Marshaled_pUnk(?P=q1)/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17211 WEB-CLIENT Quicktime marshaled punk remote code execution attempted-user 2010-0188 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.pdf; file_data; content:"stream|0A 78 9C ED 5B 5B 6F E2 38 14 7E EF AF 88 B2 6F CB 0E E6 0E AD 0A 23 73 5B 68 9B 02 E5 DA BE 8C 4C E2 04 97 24 0E B1 D3 00 BF 7E ED 24 B4 94 99 DD 19 69 1F 56 5A 39 D2 07 E7 F6 1D 1F DB 71 9E 7C|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17214 SPECIFIC-THREATS Adobe Reader and Acrobat libtiff TIFFFetchShortPair stack buffer overflow attempt attempted-user 2010-0188 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.pdf; file_data; content:"stream|0A 78 9C ED 5B 49 73 E2 38 14 BE F7 AF 70 79 6E C3 34 62 87 A4 42 BA C4 36 90 C4 01 C2 9A 5C BA 84 2D 1B 07 DB 32 96 1C 03 BF 7E 24 2F 6C D3 3D 9D C3 54 4D 4D 95 5C F5 81 DE|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17215 SPECIFIC-THREATS Adobe Reader and Acrobat libtiff TIFFFetchShortPair stack buffer overflow attempt 25307 attempted-user 2007-3035 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|5B B7 D6 CA 91 94 5C C8 DB B1 29 8F FA A4 39 A6 9B B3 65 AD 6D CE EC 2C DB 28 0F FB FD E1 F9 F5 F9 E1 F9 7C 9E 83 C1 41 7B F6 26 93 40 0A B0 0C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17228 SPECIFIC-THREATS Microsoft Windows Media Player skin decompression code execution attempt attempted-user 2010-2883 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|35 3E 5D 0A 3E 3E 0A 73 74 61 72 74 78 72 65 66 0A 32 34 36 31 32 35 0A 25 25 45 4F 46 0A 0D 0A 25 53 49 47 4E 41 54 55 52 45 3A 20 E2 DA 47 7E AC 80 D7 7E AB 80|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17233 SPECIFIC-THREATS Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt www.adobe.com/support/security/advisories/apsa10-02.html attempted-user 2010-0818 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.wmv; flowbits:isset,http.wma; flowbits:isset,http.asf; metadata: engine shared, soid 3|17242, service http, policy balanced-ips drop, policy security-ips drop; 17242 WEB-CLIENT Windows Media Player ASF file arbitrary code execution attempt www.microsoft.com/technet/security/bulletin/MS10-062.mspx attempted-user 2010-2884 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.swf; content:"|6C 23 B1 63 9A 87 31 36 CC 6F DD BA 75 7F C7 D0|"; depth:160; offset:144; content:"|9F 4E AA 98 1C 24 BF 33 AE 78 A5 58 32 B3 DE 54|"; within:16; distance:352; content:"|05 7D 9F EA A8 E5 CA A6 73 4A CE BC 5C 72 65 63|"; within:16; distance:240; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17257 SPECIFIC-THREATS Adobe Flash Player and Reader remote code execution attempt www.adobe.com/support/security/advisories/apsa10-03.html 13530 attempted-user 2005-2052 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.avi; content:"strf"; content:"|08 00|"; within:2; distance:18; byte_test:4,>,0x100,16,relative,little; metadata:policy security-ips drop, service http; classtype:attempted-user; 17272 WEB-CLIENT RealNetworks RealPlayer AVI parsing buffer overflow attempt 44203 attempted-user 2010-2862 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|01|pmaxp|02 ED 0A 7B 00 00|p|0E 00 00 00 20|name|EA 2E F3 EE 00 00|p.|00 00 04|aposts|F1|o|84 00 00|t|8F 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17288 SPECIFIC-THREATS Adobe Acrobat font parsing integer overflow attempt 20138 attempted-user 2006-4965 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.quicktime; content:"quicktime|20|type|3D 22|application"; nocase; content:"qtnext|3D 22|file|3A 2F 2F|"; distance:0; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17290 WEB-CLIENT Quicktime Plug-In Security Bypass 17202 attempted-user 2006-0323 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.swf; content:"application/x-shockwave-flash"; nocase; http_header; file_data; content:"|46 57 53 05 CF 00 00 00 60 90 90 90 90 90 90 90 90 90 90|"; within:19; metadata:policy security-ips drop, service http; classtype:attempted-user; 17334 SPECIFIC-THREATS RealPlayer SWF Flash File buffer overflow attempt 14276 attempted-user 2005-2310 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; file_data; content:"ID3"; within:3; pcre:"/T(PE(1|2)|IT2)/iR"; byte_test:4,>,0x190,0,relative,big; metadata:policy security-ips drop, service http; classtype:attempted-user; 17351 WEB-CLIENT Winamp ID3v2 Tag Handling Buffer Overflow attempt 21910 attempted-user 2007-0104 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established, to_client; flowbits:isset,http.pdf; content:"3 0 obj|0D 3C 3C 20 0D|/Type /Pages|20 0D|"; fast_pattern; nocase; content:"/Kids|20 5B 20|3 0 R |5D|"; within:15; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17361 SPECIFIC-THREATS Adobe Acrobat Reader PDF Catalog Handling denial of service attempt projects.info-pull.com/moab/MOAB-06-01-2007.html 22844 attempted-user 2007-0714 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.quicktime; content:"udta"; content:"|A9|nam|FF|"; distance:0; byte_test:2,>,251,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17372 WEB-CLIENT Apple QuickTime udta atom parsing heap overflow vulnerability 26342 attempted-user 2007-4675 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|00 00 00 00 00 00 01 A6 73 65 61 6E 00 00 00 01 00 00 00 04 00 00 00 00 00 00 41 41 70 64 61 74 00 00 00 01 00 00 00 00 00 00 00 00 00 02 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17373 SPECIFIC-THREATS QuickTime panorama atoms buffer overflow attempt docs.info.apple.com/article.html?artnum=306896 attempted-user 2008-3625 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.quicktime; content:"|00 00 00 01 0F 00 00 00 FE B4 00 00 FE 01 1A C4 42 01 1A C4 41 1A EC EC 42 81 1A C4 43 81 00 00|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17381 SPECIFIC-THREATS Apple QuickTime PDAT Atom parsing buffer overflow attempt support.apple.com/kb/HT3027 26130 attempted-user 2007-5601 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; fast_pattern:only; nocase; content:"aaaaaaaaaaaaaaaaaa"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17425 SPECIFIC-THREATS RealPlayer ActiveX Import playlist name buffer overflow attempt 15382 attempted-user 2005-2630 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|50 4B 03 04 14 00 00 00 08 00 91 98 6E 33 EB 71 F9 B3 1D 00 00 00 00 01 00 00 0B 00 00 00 53 68 75 66 66 6C 65 2E 62 6D 70 73 F2 DD C1 E5 08 04|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-user; 17461 SPECIFIC-THREATS RealNetworks RealPlayer zipped skin file buffer overflow attempt 33390 attempted-user 2009-0007 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|00 00 00 56 6A 70 65 67 00 00 00 00 00 00 00 01 00 00 00 00 61 70 70 6C 00 00 00 00 00 00 02 00 00 02 00 03 00 48 00 00 00 48 00 00 00 00 00 00 00 01 0C 50 68 6F 74 6F 20 2D 20 4A 50 45 47 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17470 SPECIFIC-THREATS Apple QuickTime STSD JPEG atom heap corruption attempt 36328 attempted-user 2009-2799 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.quicktime; content:"|81 F6 3B 80 00 00 40 80 FF FF FF 87 25 B8 20 00|"; content:"|F9 31 40 00 52 EA FB EF BE FB EF BE FB EF BE FB|"; within:16; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 17523 SPECIFIC-THREATS Apple QuickTime H.264 Movie File Buffer Overflow 35282 attempted-user 2009-1855 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"|3C 3C 2F|Subtype|2F|U3D|2F|Length"; nocase; content:"|48 89 EC 55 7B 4C 53 69 16 BF 3C 2C F4 21 A0 C2|"; content:"|95 96 0B 5C 0A 22 BD 76 78 8A D8 5A 40 1E 22 2D|"; within:16; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17526 SPECIFIC-THREATS Adobe Acrobat and Adobe Reader U3D RHAdobeMeta Buffer Overflow 23650 attempted-user 2007-2295 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_client,established; flowbits:isset,http.quicktime; content:"|4E E7 32 C0 0E 18 54 0B C4 5A CD 49 9F 51 2F D4 BE 30 24 B6 BC 7D 7A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 17531 SPECIFIC-THREATS Apple Quicktime MOV File JVTCompEncodeFrame Heap Overflow protocol-command-decode tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"application/smil"; nocase; http_header; pcre:"/^Content-Type\x3A\s*application\x2Fsmil/smiH"; flowbits:set,quicktime.smil; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; 17547 WEB-CLIENT Apple Quicktime SMIL transfer 24873 attempted-user 2007-2394 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,quicktime.smil; content:"<smil>"; pcre:"/(author|copyright|information)/smiR"; content:"content|3D|"; distance:1; nocase; isdataat:1024,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17548 WEB-CLIENT Apple Quicktime SMIL File Handling Integer Overflow attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".pmd"; nocase; http_uri; flowbits:set,http.pmd; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert, service http; classtype:misc-activity; 17552 WEB-CLIENT Adobe Pagemaker file request 25989 attempted-user 2007-5169 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,http.pmd; content:"Courier|20|New|61 61 61 61 61 61 61 61 61|"; fast_pattern:only; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17553 SPECIFIC-THREATS Adobe Pagemaker Font Name Buffer Overflow attempt 33652 attempted-user 2009-0375 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"|1F 5C 80 00 00 08 72 61 6D 34 2E 72 65 63 00 00 00 00 00 00 01 79|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17561 SPECIFIC-THREATS RealNetworks RealPlayer IVR Overly Long Filename Code Execution attempt 32896 attempted-user 2008-5499 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client, established; content:"|43 57 53 07 C5 01 00 00 78 DA 74 50 B1 4E C3 30 14 BC 38 A1 71 11 2A 52 55 29 0C FD 81 2E 2C B0 A2 B6 54 42 62 68 1A B5 1D BA 45 A6 44 25 22 89 A3 C4 20 F8 02 3A 75 8C D4 81 FF E1 9B 58 CA B3 9D 15 0F A7 77 E7 F7 CE E7 F7 01 FC 02 6C 03 0C 1C CC D8 89 4E B7 03 3A 91 43 30 EE 0D 08 A9 8A E2 38 12 DB 57 B1 4B EA EB F5 9B 92 38 F5 6E 74 43 B4 DF E0 1C 46 89 77 99 7C 12 19 44 5A 89 B2 4C 8B 5A 89 2C 4B 2A 4C 57 85 50 E9 7B 82 B8 92 52 61 2B F3 5C 14 CF 28 2B A9 A4 FA 2C 13 E4 22 2D 40 23 D4 B9 4A 54 54 C9 F2 21 13 BB 1A 0D 03 C7 B0 DF FF 66 F8 31 C4 19 1A E9 C0 75 3E 36 82 40 73 05 CE 7C 1D C4 C2 91 AE 7C 46 55 DB EB 2E 1B 07 EE 52 5B DC 1A 0B CF C8 67 A1 1D D4 9D 16 FE 19 0C BE C8 76 D1 78 F0 C0 3B 21 11 27 B0 C4 3F 5C E8 BD B8 23 B0 7C 8B 41 9B B5 E9 82 73 5F A7 E3 98 2C 16 CD A5 8D C5 3C C7 77 B5 D8 BD 0B 30 76 EF A9 DC 0F C9 65 BE 9E AE 66 F1 7C FA 18 42 BD A4 B5 5D A3 D9 86 B1 D3 6F 07 ED BF 7D EB C4 59 9B 2E C0 84 E8 1F 00 00 00 FF FF 03 00 89 17 52 74|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17606 SPECIFIC-THREATS Adobe Flash ASnative command execution attempt www.adobe.com/support/security/bulletins/apsb08-24.html 26338 attempted-user 2007-4677 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.quicktime; metadata: engine shared, soid 3|17608, service http, policy balanced-ips drop, policy security-ips drop; 17608 WEB-CLIENT Apple QuickTime color table atom movie file handling heap corruption attempt 33405 attempted-user 2009-0398 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client, established; flowbits:isset,http.quicktime; content:"ctts"; content:"|00 00 00 00 00 00 00 8F 00 00 00 01 00 00 00 14 00 FF FF FF|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17610 WEB-CLIENT GStreamer QuickTime file parsing multiple heap overflow attempt 33405 attempted-user 2009-0398 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client, established; flowbits:isset,http.quicktime; content:"stss"; content:"|00 00 00 00 00 00 00 03 00 00 00 01 00 FF FF FF|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17611 WEB-CLIENT GStreamer QuickTime file parsing multiple heap overflow attempt 33405 attempted-user 2009-0398 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client, established; flowbits:isset,http.quicktime; content:"stts"; content:"|00 00 00 00 00 00 00 01 EE 00 00 26 00 00 04 00 00|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17612 WEB-CLIENT GStreamer QuickTime file parsing multiple heap overflow attempt 30370 attempted-user 2007-5400 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.swf; content:"|78 00 05 5F 00 00 0F A0 00 00 0C 01 00 43 02 FF FF FF BF 00 39|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17633 WEB-CLIENT RealNetworks RealPlayer SWF frame handling buffer overflow attempt 28695 attempted-user 2007-0071 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.swf; metadata: engine shared, soid 3|17647, service http, policy security-ips drop; 17647 WEB-CLIENT Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt www.adobe.com/support/security/bulletins/apsb08-11.html 31999 attempted-admin 2007-6432 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,http.pmd; content:"Magenta"; nocase; content:"|41 41 41 41 41|"; within:5; distance:241; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 17650 SPECIFIC-THREATS Adobe Pagemaker Key Strings Stack Buffer Overflow attempt 15332 attempted-user 2005-2628 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.swf; content:"|0B 25 C9 92 0D 21 ED 48 87 65 30 3B 6D E1 D8 B4|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-user; 17658 SPECIFIC-THREATS Adobe Flash frame type identifier memory corruption attempt 17202 attempted-user 2005-2922 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"Transfer-Encoding"; nocase; http_header; content:"chunked"; fast_pattern; nocase; http_header; content:"Content-Type|3A|"; nocase; http_header; pcre:"/Content-Type\x3a[^\x10\x13]*real(audio|video)/smiH"; file_data; isdataat:1024,relative; content:!"|0A|"; within:1024; metadata:policy security-ips drop, service http; classtype:attempted-user; 17666 WEB-CLIENT RealNetworks RealPlayer invalid chunk size heap overflow attempt 28874 attempted-user 2008-1765 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.bmp; content:"Content-Type: text/plain|0D 0A 0D 0A|BM"; fast_pattern:only; content:"BM"; content:"|00 00 00 00|"; within:4; distance:4; byte_test:4, >, 256, 36, relative, little; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17678 WEB-CLIENT Adobe BMP image handler buffer overflow attempt 12697 attempted-user 2005-0611 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; content:"LIST|3D|1C|3D|"; content:"INFOINAM|3D|10|3D|00|3D|00|3D|00AAAAAAAAAAAA"; within:32; distance:8; metadata:policy security-ips drop, service smtp; classtype:attempted-user; 17698 SPECIFIC-THREATS RealNetworks RealPlayer wav chunk string overflow attempt in email 12697 attempted-user 2005-0611 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,wav_file.request; metadata: engine shared, soid 3|17700, service http, policy balanced-ips drop, policy security-ips drop; 17700 WEB-CLIENT RealNetworks RealPlayer wav chunk string overflow attempt 25989 attempted-user 2007-5169 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,http.pmd; content:"|61 61 61 61 61 61 61 61 61 61 61 61 0F 42 01 05 41 41 41 41 41 41 41 41|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17735 SPECIFIC-THREATS Adobe Pagemaker Font Name Buffer Overflow attempt attempted-user 2010-2745 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.wmv; metadata: engine shared, soid 3|17773, service http, policy balanced-ips drop, policy security-ips drop; 17773 EXPLOIT Microsoft Windows Media Player Firefox plugin memory corruption attempt www.microsoft.com/technet/security/bulletin/MS10-083.mspx 42682 attempted-user 2010-2873 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.dir; content:"rcsL"; content:"|FF F0 02 67|"; within:4; distance:203; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17803 WEB-CLIENT Adobe Shockwave Director rcsL chunk memory corruption attempt www.adobe.com/support/security/bulletins/apsb10-20.html 44291 attempted-user 2010-3653 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.dir; content:"rcsL"; content:"|01 02 4C 00 00 00 00 80 00 00 F0 FF F0 02 67 25 A2 01 33 41|"; within:20; distance:192; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17806 SPECIFIC-THREATS Adobe Shockwave Director rcsL chunk remote code execution attempt 44291 attempted-user 2010-3653 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.dir; content:"rcsL"; content:"|00 00 00 80 00 00 F0 41 41 41 41 41 41 AB 41 05 43 01 57 17|"; within:20; distance:484; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17807 SPECIFIC-THREATS Adobe Shockwave Director rcsL chunk remote code execution attempt attempted-user 2010-3654 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"|94 C5 F6 3F 3E E5 D9 7D 76 53 37 D9 10 62 28 06 8D 44 71|"; content:"|CC F3 6C A1 DC 0F DF DF EB F5 FD E7 8B 99 E7 99 39 73 E6 CC 99|"; distance:0; content:"|EE 7E F1 F1 1E E9 C8 72 36 A9 3A 54 1F 2A 1A C4 58 B7 DB|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17808 SPECIFIC-THREATS Adobe Flash authplay.dll memory corruption attempt www.adobe.com/support/security/advisories/apsa10-05.html protocol-command-decode tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"video/x-quicktime"; nocase; http_header; pcre:"/^Content-Type\x3A\s*video\x2Fx-quicktime/smiH"; flowbits:set,http.quicktime; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; 17809 WEB-CLIENT quicktime movie file transfer 44684 attempted-user 2010-3648 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18180, service http, policy balanced-ips drop, policy security-ips drop; 18180 EXPLOIT Adobe Flash Player ActionScript remote code execution attempt www.adobe.com/support/security/bulletins/apsb10-26.html attempted-user 2010-3965 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18222, service http, policy balanced-ips drop, policy security-ips drop; 18222 WEB-CLIENT Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt www.microsoft.com/technet/security/Bulletin/MS10-094.mspx attempted-user 2010-3965 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18223, service http, policy balanced-ips drop, policy security-ips drop; 18223 WEB-CLIENT Microsoft Windows Media Encoder winietenu.dll dll-load exploit attempt www.microsoft.com/technet/security/Bulletin/MS10-094.mspx attempted-user 2010-3965 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18224, service http, policy balanced-ips drop, policy security-ips drop; 18224 WEB-CLIENT Microsoft Windows Media Encoder asferrorenu.dll dll-load attempt www.microsoft.com/technet/security/Bulletin/MS10-094.mspx attempted-user 2010-3965 tcp $HOME_NET 445 -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18225, service netbios-ssn, policy balanced-ips drop, policy security-ips drop; 18225 NETBIOS Microsoft Windows Media Encoder wmerrorenu.dll dll-load exploit attempt www.microsoft.com/technet/security/Bulletin/MS10-094.mspx attempted-user 2010-3965 tcp $HOME_NET 445 -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18226, service netbios-ssn, policy balanced-ips drop, policy security-ips drop; 18226 NETBIOS Microsoft Windows Media Encoder swinietenu.dll dll-load exploit attempt www.microsoft.com/technet/security/Bulletin/MS10-094.mspx attempted-user 2010-3965 tcp $HOME_NET 445 -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18227, service netbios-ssn, policy balanced-ips drop, policy security-ips drop; 18227 NETBIOS Microsoft Windows Media Encoder asferrorenu.dll dll-load exploit attempt www.microsoft.com/technet/security/Bulletin/MS10-094.mspx attempted-user 2010-3952 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.fpx; metadata: engine shared, soid 3|18229, service http, policy balanced-ips drop, policy security-ips drop; 18229 SPECIFIC-THREAT Microsoft FlashPix tile length overflow attempt www.microsoft.com/technet/security/bulletin/MS10-105.mspx attempted-user 2010-3956 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.otf; metadata: engine shared, soid 3|18233, service http, policy balanced-ips drop, policy security-ips drop; 18233 WEB-CLIENT Microsoft Publisher Adobe Font Driver code execution attempt www.microsoft.com/technet/security/bulletin/MS10-091.mspx attempted-user 2010-3951 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18237, service http, policy balanced-ips drop, policy security-ips drop; 18237 WEB-CLIENT Flashpix graphics filter fpx32.flt remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-105.mspx 12238 attempted-user 2005-0043 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"[playlist]"; pcre:"/^File[0-9]+=http\x3a\x2f\x2f[^\n]{150}/Rsmi"; metadata:policy security-ips drop; classtype:attempted-user; 3471 WEB-CLIENT iTunes playlist URL overflow attempt 12698 attempted-user 2005-0455 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<smil>"; nocase; content:"system-screen-size=|22|"; distance:0; nocase; isdataat:256; content:!"|22|"; within:256; metadata:policy security-ips drop, service http; classtype:attempted-user; 3473 WEB-CLIENT RealPlayer SMIL file overflow attempt 793 attempted-user 1999-1110 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"22D6F312-B0F6-11D0-94AB-0080C74C7E95"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*22D6F312-B0F6-11D0-94AB-0080C74C7E95/si"; metadata:policy security-ips drop; classtype:attempted-user; 4152 WEB-ACTIVEX Windows Media Player 6.4 ActiveX Object Access 1221 attempted-user 2000-0400 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"05589FA1-C356-11CE-BF01-00AA0055595A"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*05589FA1-C356-11CE-BF01-00AA0055595A/si"; metadata:policy security-ips drop; classtype:attempted-user; 4158 WEB-ACTIVEX Windows Media Player Active Movie ActiveX Object Access protocol-command-decode tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"video/quicktime"; nocase; http_header; pcre:"/^Content-Type\x3A\s*video\x2Fquicktime/smiH"; flowbits:set,http.quicktime; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; 4678 WEB-CLIENT quicktime movie file transfer 15308 attempted-user 2005-2754 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.quicktime; content:"hdlr"; nocase; byte_test:1,>,250,24,relative; metadata:policy security-ips drop; classtype:attempted-user; 4679 WEB-CLIENT quicktime movie file component name integer overflow multipacket attempt docs.info.apple.com/article.html?artnum=302772 16644 attempted-user 2006-0005 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"EMBED"; nocase; content:"src"; distance:0; nocase; pcre:"/<EMBED(\s+|\s+[^>]*?\s+)src\s*=\s*(\x22[^\x22]{2082}|\x27[^\x27]{2082}|[^\r\n\s]{2082})/smi"; metadata:policy security-ips drop; classtype:attempted-user; 5710 WEB-CLIENT Windows Media Player Plugin for Non-IE browsers buffer overflow attempt www.microsoft.com/technet/security/bulletin/ms06-006.mspx 16633 attempted-admin 2006-0006 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BM|00 00 00 00|"; pcre:"/^BM\x00\x00\x00\x00/sm"; metadata:policy security-ips drop; classtype:attempted-admin; 5711 WEB-CLIENT Windows Media Player zero length bitmap heap overflow attempt www.microsoft.com/technet/security/bulletin/ms06-005.mspx 16633 attempted-admin 2006-0006 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BM"; byte_test:4,<,14,8,little,relative; pcre:"/^BM/sm"; metadata:policy security-ips drop; classtype:attempted-admin; 5712 WEB-CLIENT Windows Media Player invalid data offset bitmap heap overflow attempt www.microsoft.com/technet/security/bulletin/ms06-005.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"?c="; nocase; http_uri; content:"&g="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"User-Agent|3A| Daemon"; fast_pattern; nocase; http_header; metadata:policy security-ips alert, service http; classtype:misc-activity; 6368 SPYWARE-PUT Adware flashtrack media/spoton runtime detection - update request www.spywareguide.com/product_show.php?id=477 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/js/jsnew2.php?"; fast_pattern; nocase; http_uri; content:"grp="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"ft_id="; nocase; http_uri; content:"c="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"k="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6371 SPYWARE-PUT Adware flashtrack media/spoton runtime detection - pop up ads www.spywareguide.com/product_show.php?id=477 17074 attempted-user 2006-1249 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; byte_test:4,>,8388606,56,little,relative; metadata:policy security-ips drop; classtype:attempted-user; 6505 WEB-CLIENT quicktime fpx file SectNumMiniFAT overflow attempt 17953 attempted-user 2006-1460 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"udta"; byte_test:4,>,4294967291,-8,relative; metadata:policy security-ips drop; classtype:attempted-user; 6506 WEB-CLIENT quicktime udta atom overflow attempt attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B|00|4|00|D|00|C|00|8|00|D|00|D|00|9|00|-|00|2|00|C|00|C|00|1|00|-|00|4|00|0|00|8|00|1|00|-|00|9|00|B|00|2|00|B|00|-|00|2|00|0|00|D|00|7|00|0|00|3|00|0|00|2|00|3|00|4|00|E|00|F|00|"; fast_pattern:only; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*B\x004\x00D\x00C\x008\x00D\x00D\x009\x00-\x002\x00C\x00C\x001\x00-\x004\x000\x008\x001\x00-\x009\x00B\x002\x00B\x00-\x002\x000\x00D\x007\x000\x003\x000\x002\x003\x004\x00E\x00F\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 6680 WEB-ACTIVEX Windows Media Transform Effects ActiveX CLSID unicode access www.microsoft.com/technet/security/Bulletin/MS06-021.mspx attempted-user 2006-1303 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"B4DC8DD9-2CC1-4081-9B2B-20D7030234EF"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4DC8DD9-2CC1-4081-9B2B-20D7030234EF/si"; metadata:policy security-ips drop; classtype:attempted-user; 6681 WEB-ACTIVEX Windows Media Transform Effects ActiveX CLSID access www.microsoft.com/technet/security/Bulletin/MS06-021.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/lordofsearchD_468X60.html"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"aresflashdownloader.com"; nocase; http_header; pcre:"/^Host|3A|[^\r\n]*aresflashdownloader\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7142 SPYWARE-PUT Adware ares flash downloader 2.04 runtime detection www.download2you.com/details_page.asp?titleID=12388 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Flashbar"; nocase; http_header; content:"Toolbar"; nocase; http_header; content:"X"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Flashbar[^\r\n]*Toolbar[^\r\n]*X/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7581 SPYWARE-PUT Hijacker flashbar runtime detection - user-agent data.icxo.com/htmlnews/2006/07/10/875297.htm attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C1145550-A454-11D4-9020-00D0B7239081"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C1145550-A454-11D4-9020-00D0B7239081/si"; metadata:policy security-ips drop; classtype:attempted-user; 7888 WEB-ACTIVEX AOLFlash.AOLFlash ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"C|00|1|00|1|00|4|00|5|00|5|00|5|00|0|00|-|00|A|00|4|00|5|00|4|00|-|00|1|00|1|00|D|00|4|00|-|00|9|00|0|00|2|00|0|00|-|00|0|00|0|00|D|00|0|00|B|00|7|00|2|00|3|00|9|00|0|00|8|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x001\x001\x004\x005\x005\x005\x000\x00-\x00A\x004\x005\x004\x00-\x001\x001\x00D\x004\x00-\x009\x000\x002\x000\x00-\x000\x000\x00D\x000\x00B\x007\x002\x003\x009\x000\x008\x001\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 7889 WEB-ACTIVEX AOLFlash.AOLFlash ActiveX CLSID unicode access attempted-user 2007-6244 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D27CDB6E-AE6D-11CF-96B8-444553540000"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D27CDB6E-AE6D-11CF-96B8-444553540000\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*navigateToURL|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*D27CDB6E-AE6D-11CF-96B8-444553540000\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.navigateToURL)\s*\(/si"; metadata:policy security-ips alert, policy security-ips drop, service http; classtype:attempted-user; 7978 WEB-ACTIVEX ShockwaveFlash.ShockwaveFlash ActiveX clsid access www.adobe.com/support/security/bulletins/apsb07-20.html attempted-user 2007-6244 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"D|00|2|00|7|00|C|00|D|00|B|00|6|00|E|00|-|00|A|00|E|00|6|00|D|00|-|00|1|00|1|00|C|00|F|00|-|00|9|00|6|00|B|00|8|00|-|00|4|00|4|00|4|00|5|00|5|00|3|00|5|00|4|00|0|00|0|00|0|00|0|00|"; fast_pattern:only; nocase; pcre:"/1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, policy security-ips drop, service http; classtype:attempted-user; 7979 WEB-ACTIVEX ShockwaveFlash.ShockwaveFlash ActiveX clsid unicode access www.adobe.com/support/security/bulletins/apsb07-20.html attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ShockwaveFlash.ShockwaveFlash.9"; fast_pattern:only; pcre:"/(?P<c>\w+)\s*=\s*(\x22ShockwaveFlash\.ShockwaveFlash\.9\x22|\x27ShockwaveFlash\.ShockwaveFlash\.9\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ShockwaveFlash\.ShockwaveFlash\.9\x22|\x27ShockwaveFlash\.ShockwaveFlash\.9\x27)\s*\)/smi"; metadata:policy security-ips alert, policy security-ips drop, service http; classtype:attempted-user; 7980 WEB-ACTIVEX ShockwaveFlash.ShockwaveFlash.9 ActiveX function call access www.securityfocus.com/archive/1/443383/30/150/threaded 14945 attempted-user 2005-2710 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"<imfl>"; nocase; pcre:"/<[^>]*?\x25/ROsmi"; metadata:policy security-ips drop; classtype:attempted-user; 8091 WEB-CLIENT RealNetworks RealPlayer error message format string vulnerability attempt attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|2|00|B|00|F|00|2|00|5|00|D|00|5|00|-|00|8|00|C|00|1|00|7|00|-|00|4|00|B|00|2|00|3|00|-|00|B|00|C|00|8|00|0|00|-|00|D|00|3|00|4|00|8|00|8|00|A|00|B|00|D|00|D|00|C|00|6|00|B|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*0\x002\x00B\x00F\x002\x005\x00D\x005\x00-\x008\x00C\x001\x007\x00-\x004\x00B\x002\x003\x00-\x00B\x00C\x008\x000\x00-\x00D\x003\x004\x008\x008\x00A\x00B\x00D\x00D\x00C\x006\x00B\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8376 WEB-ACTIVEX QuickTime Object ActiveX CLSID unicode access 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0FDF6D6B-D672-463B-846E-C6FF49109662"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0FDF6D6B-D672-463B-846E-C6FF49109662\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Console|Controls)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*0FDF6D6B-D672-463B-846E-C6FF49109662\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(Console|Controls))\s*=/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 8377 WEB-ACTIVEX RealPlayer Download Handler ActiveX clsid access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"0|00|F|00|D|00|F|00|6|00|D|00|6|00|B|00|-|00|D|00|6|00|7|00|2|00|-|00|4|00|6|00|3|00|B|00|-|00|8|00|4|00|6|00|E|00|-|00|C|00|6|00|F|00|F|00|4|00|9|00|1|00|0|00|9|00|6|00|6|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*0\x00F\x00D\x00F\x006\x00D\x006\x00B\x00-\x00D\x006\x007\x002\x00-\x004\x006\x003\x00B\x00-\x008\x004\x006\x00E\x00-\x00C\x006\x00F\x00F\x004\x009\x001\x000\x009\x006\x006\x002\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 8378 WEB-ACTIVEX RealPlayer Download Handler ActiveX clsid unicode access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"224E833B-2CC6-42D9-AE39-90B6A38A4FA2"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m13>\x22|\x27|)(?P<id1>.+?)(?P=m13)(\s|>)[^>]*\s*classid\s*=\s*(?P<q33>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*224E833B-2CC6-42D9-AE39-90B6A38A4FA2\s*}?\s*(?P=q33)(\s|>).*(?P=id1)\s*\.\s*(Console|Controls)|<object\s*[^>]*\s*classid\s*=\s*(?P<q34>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*224E833B-2CC6-42D9-AE39-90B6A38A4FA2\s*}?\s*(?P=q34)(\s|>)[^>]*\s*id\s*=\s*(?P<m14>\x22|\x27|)(?P<id2>.+?)(?P=m14)(\s|>).*(?P=id2)\s*\.\s*(Console|Controls))\s*=/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 8381 WEB-ACTIVEX RealPlayer SMIL Download Handler ActiveX clsid access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|2|00|4|00|E|00|8|00|3|00|3|00|B|00|-|00|2|00|C|00|C|00|6|00|-|00|4|00|2|00|D|00|9|00|-|00|A|00|E|00|3|00|9|00|-|00|9|00|0|00|B|00|6|00|A|00|3|00|8|00|A|00|4|00|F|00|A|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q35>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x002\x004\x00E\x008\x003\x003\x00B\x00-\x002\x00C\x00C\x006\x00-\x004\x002\x00D\x009\x00-\x00A\x00E\x003\x009\x00-\x009\x000\x00B\x006\x00A\x003\x008\x00A\x004\x00F\x00A\x002\x00(}\x00)?(?P=q35)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 8382 WEB-ACTIVEX RealPlayer SMIL Download Handler ActiveX clsid unicode access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m5>\x22|\x27|)(?P<id1>.+?)(?P=m5)(\s|>)[^>]*\s*classid\s*=\s*(?P<q13>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93\s*}?\s*(?P=q13)(\s|>).*(?P=id1)\s*\.\s*(Console|Controls)|<object\s*[^>]*\s*classid\s*=\s*(?P<q14>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93\s*}?\s*(?P=q14)(\s|>)[^>]*\s*id\s*=\s*(?P<m6>\x22|\x27|)(?P<id2>.+?)(?P=m6)(\s|>).*(?P=id2)\s*\.\s*(Console|Controls))\s*=/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 8383 WEB-ACTIVEX RealPlayer RAM Download Handler ActiveX clsid access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"2|00|F|00|5|00|4|00|2|00|A|00|2|00|E|00|-|00|E|00|D|00|C|00|9|00|-|00|4|00|B|00|F|00|7|00|-|00|8|00|C|00|B|00|1|00|-|00|8|00|7|00|C|00|9|00|9|00|1|00|9|00|F|00|7|00|F|00|9|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q15>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*2\x00F\x005\x004\x002\x00A\x002\x00E\x00-\x00E\x00D\x00C\x009\x00-\x004\x00B\x00F\x007\x00-\x008\x00C\x00B\x001\x00-\x008\x007\x00C\x009\x009\x001\x009\x00F\x007\x00F\x009\x003\x00(}\x00)?(?P=q15)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 8384 WEB-ACTIVEX RealPlayer RAM Download Handler ActiveX clsid unicode access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3B46067C-FD87-49B6-8DDD-12F0D687035F"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m3>\x22|\x27|)(?P<id1>.+?)(?P=m3)(\s|>)[^>]*\s*classid\s*=\s*(?P<q8>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3B46067C-FD87-49B6-8DDD-12F0D687035F\s*}?\s*(?P=q8)(\s|>).*(?P=id1)\s*\.\s*(Console|Controls)|<object\s*[^>]*\s*classid\s*=\s*(?P<q9>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3B46067C-FD87-49B6-8DDD-12F0D687035F\s*}?\s*(?P=q9)(\s|>)[^>]*\s*id\s*=\s*(?P<m4>\x22|\x27|)(?P<id2>.+?)(?P=m4)(\s|>).*(?P=id2)\s*\.\s*(Console|Controls))\s*=/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 8385 WEB-ACTIVEX RealPlayer Playback Handler ActiveX clsid access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|B|00|4|00|6|00|0|00|6|00|7|00|C|00|-|00|F|00|D|00|8|00|7|00|-|00|4|00|9|00|B|00|6|00|-|00|8|00|D|00|D|00|D|00|-|00|1|00|2|00|F|00|0|00|D|00|6|00|8|00|7|00|0|00|3|00|5|00|F|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q10>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x00B\x004\x006\x000\x006\x007\x00C\x00-\x00F\x00D\x008\x007\x00-\x004\x009\x00B\x006\x00-\x008\x00D\x00D\x00D\x00-\x001\x002\x00F\x000\x00D\x006\x008\x007\x000\x003\x005\x00F\x00(}\x00)?(?P=q10)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 8386 WEB-ACTIVEX RealPlayer Playback Handler ActiveX clsid unicode access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3B5E0503-DE28-4BE8-919C-76E0E894A3C2"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m11>\x22|\x27|)(?P<id1>.+?)(?P=m11)(\s|>)[^>]*\s*classid\s*=\s*(?P<q28>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3B5E0503-DE28-4BE8-919C-76E0E894A3C2\s*}?\s*(?P=q28)(\s|>).*(?P=id1)\s*\.\s*(Console|Controls)|<object\s*[^>]*\s*classid\s*=\s*(?P<q29>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*3B5E0503-DE28-4BE8-919C-76E0E894A3C2\s*}?\s*(?P=q29)(\s|>)[^>]*\s*id\s*=\s*(?P<m12>\x22|\x27|)(?P<id2>.+?)(?P=m12)(\s|>).*(?P=id2)\s*\.\s*(Console|Controls))\s*=/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 8387 WEB-ACTIVEX RealPlayer RNX Download Handler ActiveX clsid access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"3|00|B|00|5|00|E|00|0|00|5|00|0|00|3|00|-|00|D|00|E|00|2|00|8|00|-|00|4|00|B|00|E|00|8|00|-|00|9|00|1|00|9|00|C|00|-|00|7|00|6|00|E|00|0|00|E|00|8|00|9|00|4|00|A|00|3|00|C|00|2|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q30>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*3\x00B\x005\x00E\x000\x005\x000\x003\x00-\x00D\x00E\x002\x008\x00-\x004\x00B\x00E\x008\x00-\x009\x001\x009\x00C\x00-\x007\x006\x00E\x000\x00E\x008\x009\x004\x00A\x003\x00C\x002\x00(}\x00)?(?P=q30)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 8388 WEB-ACTIVEX RealPlayer RNX Download Handler ActiveX clsid unicode access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"44CCBCEB-BA7E-4C99-A078-9F683832D493"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m9>\x22|\x27|)(?P<id1>.+?)(?P=m9)(\s|>)[^>]*\s*classid\s*=\s*(?P<q23>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*44CCBCEB-BA7E-4C99-A078-9F683832D493\s*}?\s*(?P=q23)(\s|>).*(?P=id1)\s*\.\s*(Console|Controls)|<object\s*[^>]*\s*classid\s*=\s*(?P<q24>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*44CCBCEB-BA7E-4C99-A078-9F683832D493\s*}?\s*(?P=q24)(\s|>)[^>]*\s*id\s*=\s*(?P<m10>\x22|\x27|)(?P<id2>.+?)(?P=m10)(\s|>).*(?P=id2)\s*\.\s*(Console|Controls))\s*=/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 8389 WEB-ACTIVEX RealPlayer RMP Download Handler ActiveX clsid access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|4|00|C|00|C|00|B|00|C|00|E|00|B|00|-|00|B|00|A|00|7|00|E|00|-|00|4|00|C|00|9|00|9|00|-|00|A|00|0|00|7|00|8|00|-|00|9|00|F|00|6|00|8|00|3|00|8|00|3|00|2|00|D|00|4|00|9|00|3|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q25>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x004\x00C\x00C\x00B\x00C\x00E\x00B\x00-\x00B\x00A\x007\x00E\x00-\x004\x00C\x009\x009\x00-\x00A\x000\x007\x008\x00-\x009\x00F\x006\x008\x003\x008\x003\x002\x00D\x004\x009\x003\x00(}\x00)?(?P=q25)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 8390 WEB-ACTIVEX RealPlayer RMP Download Handler ActiveX clsid unicode access www.kb.cert.org/vuls/id/831457 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"760C4B83-E211-11D2-BF3E-00805FBE84A6"; fast_pattern:only; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*760C4B83-E211-11D2-BF3E-00805FBE84A6/si"; metadata:policy security-ips drop; classtype:attempted-user; 8401 WEB-ACTIVEX Windows Media Services DRM Storage ActiveX CLSID access attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"7|00|6|00|0|00|C|00|4|00|B|00|8|00|3|00|-|00|E|00|2|00|1|00|1|00|-|00|1|00|1|00|D|00|2|00|-|00|B|00|F|00|3|00|E|00|-|00|0|00|0|00|8|00|0|00|5|00|F|00|B|00|E|00|8|00|4|00|A|00|6|00|"; fast_pattern:only; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*7\x006\x000\x00C\x004\x00B\x008\x003\x00-\x00E\x002\x001\x001\x00-\x001\x001\x00D\x002\x00-\x00B\x00F\x003\x00E\x00-\x000\x000\x008\x000\x005\x00F\x00B\x00E\x008\x004\x00A\x006\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; 8402 WEB-ACTIVEX Windows Media Services DRM Storage ActiveX CLSID unicode access 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A1A41E11-91DB-4461-95CD-0C02327FD934"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m15>\x22|\x27|)(?P<id1>.+?)(?P=m15)(\s|>)[^>]*\s*classid\s*=\s*(?P<q38>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A1A41E11-91DB-4461-95CD-0C02327FD934\s*}?\s*(?P=q38)(\s|>).*(?P=id1)\s*\.\s*(Console|Controls)|<object\s*[^>]*\s*classid\s*=\s*(?P<q39>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A1A41E11-91DB-4461-95CD-0C02327FD934\s*}?\s*(?P=q39)(\s|>)[^>]*\s*id\s*=\s*(?P<m16>\x22|\x27|)(?P<id2>.+?)(?P=m16)(\s|>).*(?P=id2)\s*\.\s*(Console|Controls))\s*=/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 8409 WEB-ACTIVEX RealPlayer Stream Handler ActiveX clsid access www.kb.cert.org/vuls/id/831457 28157 attempted-user 2008-1309 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"A|00|1|00|A|00|4|00|1|00|E|00|1|00|1|00|-|00|9|00|1|00|D|00|B|00|-|00|4|00|4|00|6|00|1|00|-|00|9|00|5|00|C|00|D|00|-|00|0|00|C|00|0|00|2|00|3|00|2|00|7|00|F|00|D|00|9|00|3|00|4|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q40>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*A\x001\x00A\x004\x001\x00E\x001\x001\x00-\x009\x001\x00D\x00B\x00-\x004\x004\x006\x001\x00-\x009\x005\x00C\x00D\x00-\x000\x00C\x000\x002\x003\x002\x007\x00F\x00D\x009\x003\x004\x00(}\x00)?(?P=q40)(?=\s\x00|>\x00)/si"; metadata:policy security-ips alert, service http; classtype:attempted-user; 8410 WEB-ACTIVEX RealPlayer Stream Handler ActiveX clsid unicode access www.kb.cert.org/vuls/id/831457 misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"FLV|01|"; content:"|00 00 00 09|"; within:4; distance:1; flowbits:set,flv.xfer; flowbits:noalert; classtype:misc-activity; 912182 POLICY Adobe FLV file transfer 20138 attempted-user 2006-4965 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<?xml version"; nocase; content:"<?quicktime type=|22|application/x-quicktime-media-link"; distance:0; nocase; pcre:"/<embed[^>]*javascript/smi"; metadata:policy security-ips drop; classtype:attempted-user; 9429 WEB-CLIENT Quicktime Movie link scripting security bypass attempt 20138 attempted-user 2006-4965 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<?xml version"; nocase; content:"<?quicktime type=|22|application/x-quicktime-media-link"; distance:0; nocase; content:"qtnext=|22|file"; distance:0; nocase; metadata:policy security-ips drop; classtype:attempted-user; 9430 WEB-CLIENT Quicktime Movie link file URI security bypass attempt 21247 attempted-user 2006-6134 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<ref"; nocase; content:"href"; distance:0; nocase; pcre:"/<ref\s+href\s*=\s*\x22([^\x22]{2}|(\x25[0-9A-Z]{2}){1,2})\x3A\x2F[^\x22]{100}/smi"; metadata:policy connectivity-ips drop, policy security-ips drop; classtype:attempted-user; 9625 WEB-CLIENT Windows Media Player ASX file ref href buffer overflow attempt www.microsoft.com/technet/security/bulletin/ms06-078.mspx 21453 attempted-user 2006-5856 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<?aom"; nocase; content:"<url>"; isdataat:271; content:!"</url>"; within:271; nocase; metadata:policy security-ips drop; classtype:attempted-user; 9637 WEB-CLIENT Adobe Download Manger dm.ini stack overflow attempt attempted-user 2006-4702 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|90 08 00|3|B1 E5 CF 11 89 F4 00 A0 C9 03|I|CB|"; byte_test:4,>,715827882,36,relative,little; metadata:policy security-ips drop; classtype:attempted-user; 9641 WEB-CLIENT Windows Media Player ASF simple index object parsing buffer overflow attempt www.microsoft.com/technet/security/Bulletin/MS06-078.mspx attempted-user 2006-4702 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"@R|D1 86 1D|1|D0 11 A3 A4 00 A0 C9 03|H|F6|"; byte_test:4,>,134217727,24,relative,little; metadata:policy security-ips drop; classtype:attempted-user; 9642 WEB-CLIENT Windows Media Player ASF codec list object parsing buffer overflow attempt www.microsoft.com/technet/security/Bulletin/MS06-078.mspx attempted-user 2006-4702 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|01 CD 87 F4|Q|A9 CF 11 8E E6 00 C0 0C| Se"; byte_test:4,>,134217727,24,relative,little; metadata:policy security-ips drop; classtype:attempted-user; 9643 WEB-CLIENT Windows Media Player ASF marker object parsing buffer overflow attempt www.microsoft.com/technet/security/Bulletin/MS06-078.mspx 21802 attempted-user 2006-6847 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"405DE7C0-E7DD-11D2-92C5-00C0F01F77C1"; fast_pattern:only; nocase; pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*405DE7C0-E7DD-11D2-92C5-00C0F01F77C1\s*}?\s*\1/si"; metadata:policy security-ips drop; classtype:attempted-user; 9671 WEB-ACTIVEX RealPlayer AutoStream.AutoStream.1 ActiveX clsid access 21802 attempted-user 2006-6847 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|0|00|5|00|D|00|E|00|7|00|C|00|0|00|-|00|E|00|7|00|D|00|D|00|-|00|1|00|1|00|D|00|2|00|-|00|9|00|2|00|C|00|5|00|-|00|0|00|0|00|C|00|0|00|F|00|0|00|1|00|F|00|7|00|7|00|C|00|1|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x000\x005\x00D\x00E\x007\x00C\x000\x00-\x00E\x007\x00D\x00D\x00-\x001\x001\x00D\x002\x00-\x009\x002\x00C\x005\x00-\x000\x000\x00C\x000\x00F\x000\x001\x00F\x007\x007\x00C\x001\x00(}\x00)?\5/si"; metadata:policy security-ips drop; classtype:attempted-user; 9672 WEB-ACTIVEX RealPlayer AutoStream.AutoStream.1 ActiveX clsid unicode access 21802 attempted-user 2006-6847 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"AutoStream.AutoStream.1"; fast_pattern:only; pcre:"/(\w+)\s*=\s*(\x22AutoStream.AutoStream.1\x22|\x27AutoStream.AutoStream.1\x27)\s*\x3b.*\w+\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)|\w+\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22AutoStream.AutoStream.1\x22|\x27AutoStream.AutoStream.1\x27)\s*\)/smi"; metadata:policy security-ips drop; classtype:attempted-user; 9673 WEB-ACTIVEX RealPlayer AutoStream.AutoStream.1 ActiveX function call access 21612 attempted-dos 2006-6601 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"MThd"; content:"|00 00 00 00 00 00|"; within:6; distance:4; metadata:policy security-ips drop; classtype:attempted-dos; 9801 WEB-CLIENT Windows Media Player or Explorer Malformed RIFF File denial of service attempt www.milw0rm.com/exploits/3190 21829 attempted-user 2007-0015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"rtsp|3A|//"; nocase; pcre:"/(=\s*(('|\x22)rtsp\x3A[^\3]{200}|rstp\x3A[^\s\x3E]{200})|\x3Csrc\x3Ertsp\x3A[^\x3C]{200})/smi"; metadata:policy security-ips drop; classtype:attempted-user; 9823 WEB-CLIENT QuickTime RTSP URI overflow attempt applefun.blogspot.com/2007/01/moab-01-01-2007-apple-quicktime-rtsp.html misc-activity 2007-0059 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.quicktime; content:"> T<"; fast_pattern:only; pcre:"/A?<\s*([A-Za-z]{3,5}\x3A\x2F\x2F|javascript\x3a)[^>]+> T</sm"; metadata:policy security-ips drop, service http; classtype:misc-activity; 9840 WEB-CLIENT QuickTime HREF Track Detected www.apple.com/quicktime/tutorials/hreftracks.html 340 Client / Multimedia 26586 attempted-user 2008-3066 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"I|00|E|00|R|00|P|00|C|00|t|00|l|00|.|00|I|00|E|00|R|00|P|00|C|00|t|00|l|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)I\x00E\x00R\x00P\x00C\x00t\x00l\x00.\x00I\x00E\x00R\x00P\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q5>\x22|\x27|)I\x00E\x00R\x00P\x00C\x00t\x00l\x00.\x00I\x00E\x00R\x00P\x00C\x00t\x00l\x00(?P=q5)(\s|>)(\s\x00)*\)\x00/Osmi"; classtype:attempted-user; 12663 WEB-ACTIVEX RealPlayer Ierpplug.dll ActiveX function call unicode access 26214 attempted-user 2007-5080 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"LYRICSBEGIN"; nocase; pcre:"/(EAL|EAR|ETT)\s*-0{0,4}1/i"; classtype:attempted-user; 12707 WEB-CLIENT RealNetworks RealPlayer lyrics heap overflow attempt 26549 attempted-user 2007-6166 tcp $EXTERNAL_NET 554 -> $HOME_NET any flow:to_client,established; content:"RTSP"; depth:4; fast_pattern; content:"Content-Type"; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/Content-Type\s*\x3A[^\n\x3A]{256}/smi"; metadata:service rtsp; classtype:attempted-user; 12741 EXPLOIT Apple Quicktime TCP RTSP sdp type buffer overflow attempt 15306 attempted-user 2005-2753 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.quicktime; content:"text"; byte_test:1,>=,251,49,relative; metadata:service http; classtype:attempted-user; 13919 WEB-CLIENT Apple QuickTime MOV file string handling integer overflow attempt attempted-user 2008-3008 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|14256; 14256 WEB-ACTIVEX Windows Media Encoder 9 ActiveX clsid unicode access www.microsoft.com/technet/security/bulletin/MS08-053.mspx attempted-user 2008-3008 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|14258; 14258 WEB-ACTIVEX Windows Media Encoder 9 ActiveX function call unicode access www.microsoft.com/technet/security/bulletin/MS08-053.mspx attempted-user 2009-2498 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.asf; metadata: engine shared, soid 3|15914, service http, policy balanced-ips drop, policy connectivity-ips drop; 15914 WEB-CLIENT Microsoft Windows Media sample duration header RCE attempt www.microsoft.com/technet/security/bulletin/ms09-047.mspx attempted-user 2009-2498 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.asf; metadata: engine shared, soid 3|15915, service http, policy balanced-ips drop, policy connectivity-ips drop; 15915 WEB-CLIENT Microsoft Windows Media Timecode header RCE attempt www.microsoft.com/technet/security/bulletin/ms09-047.mspx attempted-user 2009-2498 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.asf; metadata: engine shared, soid 3|15916, service http, policy balanced-ips drop, policy connectivity-ips drop; 15916 WEB-CLIENT Microsoft Windows Media file name header RCE attempt www.microsoft.com/technet/security/bulletin/ms09-047.mspx attempted-user 2009-2498 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.asf; metadata: engine shared, soid 3|15917, service http, policy balanced-ips drop, policy connectivity-ips drop; 15917 WEB-CLIENT Microsoft Windows Media content type header RCE attempt www.microsoft.com/technet/security/bulletin/ms09-047.mspx attempted-user 2009-2498 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.asf; metadata: engine shared, soid 3|15918, service http, policy balanced-ips drop, policy connectivity-ips drop; 15918 WEB-CLIENT Microsoft Windows Media pixel aspect ratio header RCE attempt www.microsoft.com/technet/security/bulletin/ms09-047.mspx attempted-user 2009-2498 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.asf; metadata: engine shared, soid 3|15919, service http, policy balanced-ips drop, policy connectivity-ips drop; 15919 WEB-CLIENT Microsoft Windows Media encryption sample ID header RCE attempt www.microsoft.com/technet/security/bulletin/ms09-047.mspx misc-activity 2009-3951 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:misc-activity; metadata: engine shared, soid 3|16315, service http; 16315 WEB-MISC Adobe Flash PlugIn check if file exists attempt attempted-user 2009-3794 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.swf; metadata: engine shared, soid 3|16331; 16331 WEB-CLIENT Adobe Flash Player JPEG parsing heap overflow attempt attempted-user 2009-2498 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.asf; metadata: engine shared, soid 3|16338, service http, policy balanced-ips drop, policy connectivity-ips drop; 16338 WEB-CLIENT Microsoft Windows Media extended stream properties object RCE attempt www.microsoft.com/technet/security/bulletin/ms09-047.mspx 37759 attempted-user 2009-3958 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16372; 16372 WEB-ACTIVEX NOS Microsystems Adobe atl_getcom ActiveX clsid unicode access www.adobe.com/support/security/bulletins/apsb10-02.html attempted-admin 2010-0196 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-admin; flowbits:isset,http.pdf; metadata: engine shared, soid 3|16544; 16544 WEB-CLIENT Adobe Reader Linux malformed U3D mesh deceleration block exploit attempt attempted-admin 2010-0197 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-admin; flowbits:isset,http.pdf; metadata: engine shared, soid 3|16545; 16545 WEB-CLIENT Adobe Reader malformed Richmedia annotation exploit attempt 26960 misc-activity 2007-6244 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"|11 BA EE 66 DA B8 6C D6 A9 D7 D9 C2 DB F0 26 7D|"; fast_pattern:only; metadata:service http; classtype:misc-activity; 17223 SPECIFIC-THREATS Adobe Flash Player navigateToURL cross-site scripting attempt 15334 attempted-user 2005-2628 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"FWS|06|"; within:4; content:"|43 02|"; within:27; byte_test:1,<,64,3,relative; content:"|03|"; within:1; distance:4; pcre:"/^(\x9B|\x8E)/R"; metadata:service http; classtype:attempted-user; 17457 WEB-CLIENT Macromedia Flash ActionDefineFunction memory access vulnerability exploit attempt 35282 attempted-user 2009-1855 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/robohelp/robo/reserved/web/"; nocase; http_uri; content:".jsp"; nocase; http_uri; pcre:"/\x2frobohelp\x2frobo\x2freserved\x2fweb\x2f[^\r\n]{0,60}\x2Ejsp/Ui"; classtype:attempted-user; 17529 SPECIFIC-THREATS Adobe RoboHelp Server Arbitrary File Upload and Execute 9579 attempted-user 2005-0755 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,realplayer.playlist; content:"file|3A|//"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; classtype:attempted-user; 2438 WEB-CLIENT RealPlayer playlist file URL overflow attempt 9579 attempted-user 2005-0755 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,realplayer.playlist; content:"http|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; classtype:attempted-user; 2439 WEB-CLIENT RealPlayer playlist http URL overflow attempt 9579 attempted-user 2005-0755 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,realplayer.playlist; content:"rtsp|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; classtype:attempted-user; 2440 WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt 9735 web-application-attack 2004-0169 tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8000:8001 flow:to_server,established; content:"User-Agent|3A|"; nocase; pcre:"/^User-Agent\x3a[^\n]{244,255}/smi"; metadata:service http; classtype:web-application-attack; 2442 WEB-MISC Quicktime User-Agent buffer overflow attempt attempted-user tcp $EXTERNAL_NET 80 -> $HOME_NET any flow:established,from_server; content:"Extended module|3A|"; nocase; isdataat:20,relative; content:!"|1A|"; within:21; classtype:attempted-user; 2550 EXPLOIT winamp XM module name overflow www.nextgenss.com/advisories/winampheap.txt 11730 attempted-user 2004-1119 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:".cda"; nocase; pcre:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/smi"; classtype:attempted-user; 3088 WEB-CLIENT winamp .cda file name overflow attempt 15817 11309 attempted-admin 2004-1481 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:".RMF"; nocase; content:"VIDORV30"; distance:0; byte_test:4,>,1000000,-16,relative; classtype:attempted-admin; 3470 WEB-CLIENT RealPlayer VIDORV30 header length buffer overflow www.eeye.com/html/research/advisories/AD20041001.html 12096 web-application-attack 2004-1373 tcp $EXTERNAL_NET any -> $HOME_NET 8000 flow:established,to_server; content:"/content/"; fast_pattern:only; pcre:"/\/content\/[^\r\n\x20]*\x2emp3/smi"; classtype:web-application-attack; 4131 EXPLOIT SHOUTcast URI format string attempt 15308 attempted-user 2005-2754 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"video/quicktime"; nocase; http_header; pcre:"/^Content-Type\x3A\s*video\x2Fquicktime/smiH"; content:"hdlr"; nocase; byte_test:1,>,250,24,relative; classtype:attempted-user; 4680 WEB-CLIENT quicktime movie file component name integer overflow attempt docs.info.apple.com/article.html?artnum=302772 11271 attempted-admin 2004-1561 tcp $EXTERNAL_NET any -> $HOME_NET 8000 flow:to_server,established; content:"HTTP/1."; nocase; pcre:"/HTTP\/1\.[01].*?\n([^\r\n]+?\r?\n){32}/i"; metadata:service http; classtype:attempted-admin; 8701 WEB-MISC IceCast header buffer overflow attempt archives.neohapsis.com/archives/bugtraq/2004-09/0366.html 11271 attempted-admin 2004-1561 tcp $EXTERNAL_NET any -> $HOME_NET 8000 flow:to_server,established; content:"|EB 0C| / HTTP/1.1 "; nocase; pcre:"/\xeb\x0c \/ HTTP\/1\.1\s+\S+/smi"; classtype:attempted-admin; 8702 EXPLOIT IceCast header buffer overflow attempt archives.neohapsis.com/archives/bugtraq/2004-09/0366.html 11271 attempted-admin 2004-1561 tcp $EXTERNAL_NET any -> $HOME_NET 8000 flow:to_server,established; content:"GET / HTTP/1.0|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|a|0D 0A|"; fast_pattern:only; classtype:attempted-admin; 8703 EXPLOIT IceCast header buffer overflow attempt archives.neohapsis.com/archives/bugtraq/2004-09/0366.html misc-attack 2007-0045 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:".pdf|23|"; nocase; pcre:"/\x2Epdf\x23[^\r\n]+\x3Djavascript\x3A/smi"; classtype:misc-attack; 9842 WEB-CLIENT Adobe Acrobat Plugin Universal cross-site scripting attempt isc.sans.org/diary.php?storyid=1999 350 Client / Peer to Peer 26748 attempted-user 2007-5989 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"skype4com|3A|"; fast_pattern:only; pcre:"/skype4com\x3A[A-Z\d]{0,6}[^A-Z\d]/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 13292 EXPLOIT Skype skype4com URI handler memory corruption attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 4244 flow:to_server,established; content:"PASS gooback"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:trojan-activity; 15939 SPECIFIC-THREATS MSN Messenger IRC bot calling home attempt www.threatexpert.com/report.aspx?md5=19bffa751aafa9e63420203938a0d8a9 38699 misc-attack tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"skype|3A|"; nocase; pcre:"/\x3Ca\s+[^\x3E]*href\s*\x3D\s*(\x22|\x27)?skype\x3A[^\s\x3E]*[\x01-\x07]/i"; metadata:policy security-ips drop, service http; classtype:misc-attack; 16718 EXPLOIT Skype URI handler input validation exploit attempt security-assessment.com/files/advisories/Skype_URI_Handling_Vulnerability.pdf 36459 attempted-user 2009-4741 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"42481700-CF3C-4D05-8EC6-F9A1C57E8DC0"; fast_pattern:only; nocase; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*42481700-CF3C-4D05-8EC6-F9A1C57E8DC0\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(RegisterWindow)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*42481700-CF3C-4D05-8EC6-F9A1C57E8DC0\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\s*\.\s*(RegisterWindow))\s*=/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17674 WEB-ACTIVEX Skype Extras Manager ActiveX clsid access 36459 attempted-user 2009-4741 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"4|00|2|00|4|00|8|00|1|00|7|00|0|00|0|00|-|00|C|00|F|00|3|00|C|00|-|00|4|00|D|00|0|00|5|00|-|00|8|00|E|00|C|00|6|00|-|00|F|00|9|00|A|00|1|00|C|00|5|00|7|00|E|00|8|00|D|00|C|00|0|00|"; fast_pattern:only; nocase; pcre:"/<\x00o\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*(?P<q3>\x22\x00|\x27\x00|)c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*({\x00)?(\s\x00)*4\x002\x004\x008\x001\x007\x000\x000\x00-\x00C\x00F\x003\x00C\x00-\x004\x00D\x000\x005\x00-\x008\x00E\x00C\x006\x00-\x00F\x009\x00A\x001\x00C\x005\x007\x00E\x008\x00D\x00C\x000\x00(}\x00)?(?P=q3)(?=\s\x00|>\x00)/siO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17675 WEB-ACTIVEX Skype Extras Manager ActiveX clsid unicode access 36459 attempted-user 2009-4741 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ezPMUtils.WindowGroup"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)\s*=\s*(\x22ezPMUtils\.WindowGroup(\.\d)?\x22|\x27ezPMUtils\.WindowGroup(\.\d)?\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)(\s*\.\s*RegisterWindow\s*|.*(?P=v)\s*\.\s*RegisterWindow\s*)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ezPMUtils\.WindowGroup(\.\d)?\x22|\x27ezPMUtils\.WindowGroup(\.\d)?\x27)\s*\)(\s*\.\s*RegisterWindow\s*|.*(?P=n)\s*\.\s*RegisterWindow)\s*=/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17676 WEB-ACTIVEX Skype Extras Manager ActiveX function call access 36459 attempted-user 2009-4741 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"e|00|z|00|P|00|M|00|U|00|t|00|i|00|l|00|s|00|.|00|W|00|i|00|n|00|d|00|o|00|w|00|G|00|r|00|o|00|u|00|p|00|"; fast_pattern:only; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q4>\x22|\x27|)e\x00z\x00P\x00M\x00U\x00t\x00i\x00l\x00s\x00.\x00W\x00i\x00n\x00d\x00o\x00w\x00G\x00r\x00o\x00u\x00p\x00(\.\x00\d\x00)?(?P=q4)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*=\x00(\s\x00)*n\x00e\x00w\x00(\s\x00)*A\x00c\x00t\x00i\x00v\x00e\x00X\x00O\x00b\x00j\x00e\x00c\x00t\x00(\s\x00)*\(\x00(\s\x00)*(?P<q5>\x22|\x27|)e\x00z\x00P\x00M\x00U\x00t\x00i\x00l\x00s\x00.\x00W\x00i\x00n\x00d\x00o\x00w\x00G\x00r\x00o\x00u\x00p\x00(\.\x00\d\x00)?(?P=q5)(\s|>)(\s\x00)*\)\x00/smiO"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17677 WEB-ACTIVEX Skype Extras Manager ActiveX function call unicode access trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 1863 flow:to_server,established; content:"http|3A|//www.home.no/"; nocase; content:"/jituxramon.exe"; distance:0; nocase; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9380 SPECIFIC-THREATS jitux msn messenger propagation detection www.symantec.com/security_response/writeup.jsp?docid=2003-123116-3525-99&tabid=2 360 Client / Instant Messenger 10889 misc-attack 2004-0636 tcp $EXTERNAL_NET [80,8080] -> $HOME_NET any flow:established,from_server; content:"aim|3A|goaway?message="; nocase; isdataat:500,relative; pcre:"/\x22aim\x3Agoaway\x3Fmessage\x3D[^\x22]{500}|\x27aim\x3Agoaway\x3Fmessage\x3D[^\x27]{500}|aim\x3Agoaway\x3Fmessage\x3D[^\s]{500}/i"; classtype:misc-attack; 3085 EXPLOIT AIM goaway message buffer overflow attempt 10872 attempted-user 2004-0957 tcp $EXTERNAL_NET 1863 -> $HOME_NET any flow:to_client,established; content:"application/x-msnmsgrp2p"; nocase; content:"|89|PNG|0D 0A 1A 0A|"; distance:0; content:"IHDR"; within:4; distance:4; content:"|03|"; within:1; distance:9; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; classtype:attempted-user; 3130 EXPLOIT MSN Messenger png overflow www.microsoft.com/technet/security/bulletin/MS05-009.mspx 400 Protocol Anomaly trojan-activity icmp $EXTERNAL_NET any -> $HOME_NET any itype:0; content:"pslist"; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 10107 BACKDOOR icmp cmd 1.0 runtime detection - pslist www3.ca.com/securityadvisor/pest/pest.aspx?id=453077250 trojan-activity icmp $EXTERNAL_NET any -> $HOME_NET any itype:0; content:"pskill"; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 10108 BACKDOOR icmp cmd 1.0 runtime detection - pskill www3.ca.com/securityadvisor/pest/pest.aspx?id=453077250 trojan-activity icmp $EXTERNAL_NET any -> $HOME_NET any itype:8; content:"Pinging from Delphi code written by F. Piette"; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 10452 BACKDOOR only 1 rat runtime detection - icmp request research.sunbelt-software.com/threatdisplay.aspx?name=Only%201%20RAT&threatid=40632 attempted-admin 2007-0066 icmp $HOME_NET any -> 224.0.0.1 any gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|13288, policy balanced-ips drop, policy security-ips drop; 13288 BAD-TRAFFIC Windows remote kernel tcp/ip icmp vulnerability exploit attempt www.microsoft.com/technet/security/Bulletin/MS08-001.mspx attempted-admin 2010-0239 icmp $EXTERNAL_NET any -> $HOME_NET any gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|16405, policy security-ips drop; 16405 ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS10-009.mspx attempted-admin 2010-0241 icmp $EXTERNAL_NET any -> $HOME_NET any gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|18249, policy security-ips drop; 18249 ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Route Information stack buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS10-009.mspx trojan-activity icmp $HOME_NET any -> $EXTERNAL_NET any itype:0; content:"This is made by yyt_hac!"; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 6128 BACKDOOR dkangel runtime detection - icmp echo reply client-to-server www3.ca.com/securityadvisor/pest/pest.aspx?id=453076278 410 Protocol Anomaly / Invalid Traffic misc-activity icmp $EXTERNAL_NET any -> $HOME_NET any content:"mailto|3A|ops@digisle.com"; depth:22; classtype:misc-activity; 1813 ICMP digital island bandwidth query attempted-dos 2000-0138 icmp $EXTERNAL_NET any -> $HOME_NET any icmp_id:0; itype:0; content:"AAAAAAAAAA"; fast_pattern:only; classtype:attempted-dos; 222 DDOS tfn2k icmp possible communication 9952 attempted-admin 2004-0367 ip any any -> any any ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; classtype:attempted-admin; 2462 EXPLOIT IGMP IGAP account overflow attempt 9952 attempted-admin 2004-0367 ip any any -> any any ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; classtype:attempted-admin; 2463 EXPLOIT IGMP IGAP message overflow attempt 514 attempted-dos 1999-0918 ip $EXTERNAL_NET any -> $HOME_NET any fragbits:M+; ip_proto:2; classtype:attempted-dos; 272 DOS IGMP dos attack www.microsoft.com/technet/security/bulletin/MS99-034.mspx 13124 attempted-dos 2004-1060 icmp $EXTERNAL_NET any -> $HOME_NET any itype:3; icode:4; byte_test:2,<,576,2; classtype:attempted-dos; 3626 ICMP PATH MTU denial of service attempt attempted-recon icmp $EXTERNAL_NET any -> $HOME_NET any itype:8; content:"ISSPNGRQ"; depth:32; classtype:attempted-recon; 465 ICMP ISS Pinger attempted-recon icmp $EXTERNAL_NET any -> $HOME_NET any dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; classtype:attempted-recon; 467 ICMP Nemesis v1.1 Echo attempted-recon icmp $EXTERNAL_NET any -> $HOME_NET any icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE"; fast_pattern:only; classtype:attempted-recon; 476 ICMP webtrends scanner misc-activity icmp $EXTERNAL_NET any -> $HOME_NET any itype:8; content:"89|3A 3B|<=>?"; depth:100; classtype:misc-activity; 480 ICMP PING speedera misc-activity icmp $EXTERNAL_NET any -> $HOME_NET any itype:8; content:"TJPingPro by Jim"; depth:32; classtype:misc-activity; 481 ICMP TJPingPro1.1Build 2 Windows misc-activity icmp $EXTERNAL_NET any -> $HOME_NET any itype:8; content:"WhatsUp - A Netw"; depth:32; classtype:misc-activity; 482 ICMP PING WhatsupGold Windows misc-activity icmp $EXTERNAL_NET any -> $HOME_NET any itype:8; content:"Cinco Network, Inc."; depth:32; classtype:misc-activity; 484 ICMP PING Sniffer Pro/NetXRay network scan 420 Protocol Anomaly / ICMP 430 Protocol Anomaly / IGMP 440 Protocol Anomaly / RPC 450 Protocol Anomaly / Misc 2126 attempted-recon 1999-1069 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/carbo.dll"; http_uri; content:"icatcommand="; nocase; metadata:policy security-ips drop, service http; classtype:attempted-recon; 1001 WEB-MISC carbo.dll access 16476 attempted-user 2006-0295 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"location.QueryInterface"; nocase; content:"Components.interfaces.nsIClassInfo"; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 10063 WEB-CLIENT Firefox query interface suspicious function call access attempt www.mozilla.org/security/announce/2006/mfsa2006-04.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"/connect.php"; nocase; http_uri; content:"N="; nocase; http_uri; content:"Zango"; nocase; http_uri; content:"Messenger"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.easymessage.net"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eeasymessage\x2Enet/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 10090 SPYWARE-PUT Trickler zango easymessenger runtime detection www.spywareguide.com/product_show.php?id=2182 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"|B0 AE B6 F9 CD F8 B5 C1|"; distance:0; nocase; pcre:"/^X-Mailer\x3a\s+\xb0\xae\xb6\xf9\xcd\xf8\xb5\xc1/smi"; metadata:policy security-ips alert; classtype:misc-activity; 10091 SPYWARE-PUT Hacker-Tool spylply.a runtime detection db.kingsoft.com/virus/forecast/2005/06/08/43198.shtml successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"referer="; nocase; http_uri; content:"show="; nocase; http_uri; content:"Host|3A| bar-navig.yandex.ru"; fast_pattern:only; metadata:policy security-ips alert; classtype:successful-recon-limited; 10092 SPYWARE-PUT Trackware russian searchbar runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453079056 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"/gd_ad.html"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"toolsbar.kuaiso.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*toolsbar\x2Ekuaiso\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 10093 SPYWARE-PUT Hijacker kuaiso toolbar runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453098930 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"/send"; nocase; http_uri; content:"type="; nocase; http_uri; content:"pop_rule_id="; nocase; http_uri; content:"n="; nocase; http_uri; content:"Host|3A| www.borlander.com.cn"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 10094 SPYWARE-PUT Adware borlan runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453097501 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"/pra.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.bydou.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Ebydou\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:successful-recon-limited; 10095 SPYWARE-PUT Trackware bydou runtime detection bbs.360safe.com/viewthread.php?tid=58707 successful-recon-limited tcp $HOME_NET 456 -> $EXTERNAL_NET any flow:from_server,established; content:"KEY"; depth:3; nocase; metadata:policy security-ips alert; classtype:successful-recon-limited; 10096 SPYWARE-PUT Keylogger win32.remotekeylog.b runtime detection - keylog www3.ca.com/securityadvisor/pest/pest.aspx?id=453075959 successful-recon-limited tcp $EXTERNAL_NET any -> $HOME_NET 456 flow:to_server,established; content:"info"; depth:4; nocase; flowbits:set,Win32.RemoteKeylog.b.info; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 10097 SPYWARE-PUT Keylogger win32.remotekeylog.b runtime detection successful-recon-limited tcp $HOME_NET 456 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Win32.RemoteKeylog.b.info; content:"Product"; depth:7; nocase; metadata:policy security-ips drop; classtype:successful-recon-limited; 10098 SPYWARE-PUT Keylogger win32.remotekeylog.b runtime detection - get system info www3.ca.com/securityadvisor/pest/pest.aspx?id=453075959 successful-recon-limited tcp $EXTERNAL_NET any -> $HOME_NET 456 flow:to_server,established; content:"url"; depth:3; nocase; flowbits:set,Win32.RemoteKeylog.b.website; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 10099 SPYWARE-PUT Keylogger win32.remotekeylog.b runtime detection successful-recon-limited tcp $HOME_NET 456 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Win32.RemoteKeylog.b.website; content:"WNDMicrosoft"; depth:12; nocase; metadata:policy security-ips drop; classtype:successful-recon-limited; 10100 SPYWARE-PUT Keylogger win32.remotekeylog.b runtime detection - open website www3.ca.com/securityadvisor/pest/pest.aspx?id=453075959 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 6969 flow:to_server,established; content:"delete|7C|"; depth:7; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 10101 BACKDOOR crossfires trojan 3.0 runtime detection - delete file www.megasecurity.org/trojans/c/crossfires/Crossfires.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 6969 flow:to_server,established; content:"chat|7C|"; depth:5; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 10102 BACKDOOR crossfires trojan 3.0 runtime detection - chat with victim www.megasecurity.org/trojans/c/crossfires/Crossfires.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; content:"getinfo"; depth:7; nocase; flowbits:set,HavRat_pcinfo1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 10103 BACKDOOR hav-rat 1.1 runtime detection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; flowbits:isset,HavRat_pcinfo1; content:"User|3A|"; depth:5; nocase; flowbits:set,HavRat_pcinfo2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 10104 BACKDOOR hav-rat 1.1 runtime detection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; flowbits:isset,HavRat_pcinfo2; content:"StartPage|3A|"; depth:10; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 10105 BACKDOOR hav-rat 1.1 runtime detection - retrieve pc info www.megasecurity.org/trojans/h/hav/Havrat1.0.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; content:"SndInfo"; depth:7; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 10109 BACKDOOR k-msnrat 1.0.0 runtime detection - init connection www.megasecurity.org/trojans/k/kmsnrat/Kmsnrat1.0.0.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; content:"|F6 13 00 00|"; depth:4; flowbits:set,PoisonIvy_init; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 10110 BACKDOOR poison ivy 2.1.2 runtime detection trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; flowbits:isset,PoisonIvy_init; content:"U|8B EC|P|B8 02 00 00 00 81 C4 04 F0 FF FF|"; depth:15; metadata:policy security-ips drop; classtype:trojan-activity; 10111 BACKDOOR poison ivy 2.1.2 runtime detection - init connection www.megasecurity.org/trojans/p/poisonivy/Poisonivy2.1.2.html trojan-activity tcp $HOME_NET 8812 -> $EXTERNAL_NET any flow:from_server,established; content:"connected"; depth:9; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 10112 BACKDOOR rix3 1.0 runtime detection - init connection www.megasecurity.org/trojans/r/rix3/Rix3_1.0.html trojan-activity udp $HOME_NET 4000 -> $EXTERNAL_NET any flow:to_server; content:"|E3 0C|"; depth:2; content:"|00 00 00 00 A0 0F 00|"; depth:7; offset:18; metadata:impact_flag red, policy balanced-ips alert, policy security-ips alert; classtype:trojan-activity; 10113 BOTNET-CNC Trojan Peacomm command and control propagation detected trojan-activity udp $HOME_NET 7871 -> $EXTERNAL_NET any flow:to_server; content:"|E3 0C|"; depth:2; content:"|00 00 00 00 A0 0F 00|"; depth:7; offset:18; metadata:impact_flag red, policy balanced-ips alert, policy security-ips alert; classtype:trojan-activity; 10114 BOTNET-CNC Trojan Peacomm command and control propagation detected 22146 misc-attack 2007-0021 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"aim|3A|GoChat?"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; classtype:misc-attack; 10116 WEB-CLIENT AIM GoChat URL access attempt projects.info-pull.com/moab/MOAB-20-01-2007.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/SetIE/SetIE.txt"; fast_pattern; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 10164 SPYWARE-PUT Adware adclicker-ej runtime detection vil.nai.com/vil/content/v_139523.htm successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"From|3A D0 C5 CF A2|"; fast_pattern:only; content:"Subject|3A|"; nocase; pcre:"/^From\x3a\xd0\xc5\xcf\xa2.*Subject\x3a[^\r\n]*\d+\x2d\d+\x2d\d+\x2d\d+\x3a\d+\x3a\d+/smi"; metadata:policy security-ips drop; classtype:successful-recon-limited; 10165 SPYWARE-PUT Keylogger mybr Keylogger runtime detection www.hack77.com/Soft/hkgj/jpjl/200701/2844.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/sszsex.html"; nocase; http_uri; content:"src="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"dm="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"client.baigoo.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*client\x2Ebaigoo\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:successful-recon-limited; 10166 SPYWARE-PUT Trackware baigoo runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453098801 trojan-activity tcp $HOME_NET 201 -> $EXTERNAL_NET any flow:from_server,established; content:"OK "; depth:16; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 10168 BACKDOOR one runtime detection www.megasecurity.org/trojans/o/one/One0.12b.html trojan-activity udp $EXTERNAL_NET 1275 -> $HOME_NET 1276 content:"RequestConnect"; depth:14; metadata:policy security-ips alert; classtype:trojan-activity; 10169 BACKDOOR matrix 1.03 by mtronic runtime detection - init connection www.megasecurity.org/trojans/m/matrix/Matrix1.03.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"BysooTB"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*BysooTB/smiH"; metadata:policy security-ips alert; classtype:successful-recon-limited; 10179 SPYWARE-PUT Trackware bysoo runtime detection www.360safe.com/elist.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cm"; http_uri; content:"toolbar.eqiso.com"; fast_pattern; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 10180 SPYWARE-PUT Adware eqiso runtime detection research.sunbelt-software.com/threatdisplay.aspx?name=Eqiso&threatid=88999 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"SystemSleuth"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*SystemSleuth/smi"; metadata:policy security-ips alert; classtype:successful-recon-limited; 10181 SPYWARE-PUT Keylogger systemsleuth runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453097306 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cliententry/"; fast_pattern; nocase; http_uri; content:"X-TITLE|3A|"; nocase; http_header; content:"X-KEYWORD|3A|"; nocase; http_header; content:"X-ADLIST|3A|"; nocase; http_header; content:"X-COMMAND|3A|"; nocase; http_header; content:"X-CLIENTID|3A|"; nocase; http_header; content:"X-TARGETURL|3A|"; nocase; http_header; metadata:policy security-ips alert; classtype:misc-activity; 10182 SPYWARE-PUT Adware newweb runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453097957 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A|"; nocase; content:"Activity"; distance:0; nocase; content:"Keylogger"; distance:0; nocase; content:"Logs"; distance:0; nocase; pcre:"/^Subject\x3a[^\r\n]*Activity[^\r\n]*Keylogger[^\r\n]*Logs/smi"; metadata:policy security-ips alert; classtype:successful-recon-limited; 10183 SPYWARE-PUT Keylogger activity Keylogger runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453097325 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"R|00|23"; depth:4; metadata:policy security-ips alert; classtype:trojan-activity; 10184 BACKDOOR wow 23 runtime detection www.megasecurity.org/trojans/0_9/23/23_0.3.html 22487 attempted-admin 2007-0446 tcp $EXTERNAL_NET any -> $HOME_NET 54345 flow:established,to_server; content:"|00 00 00 05 00 00 00 01|"; byte_jump:4, -12, relative; byte_jump:4, 4, relative, align; byte_test:4, >, 1132, 0, relative; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 10187 EXPLOIT HP Mercury Loadrunner command line buffer overflow trojan-activity tcp $HOME_NET any -> 85.17.3.250 80 flow:established,to_server; content:"cmp=dun_tek"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 10403 BOTNET-CNC Trojan.Duntek Checkin GET Request www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99&tabid=2 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/hzyt/client/procpost.aspx"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.ccnnlc.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eccnnlc\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:successful-recon-limited; 10435 SPYWARE-PUT Trackware admedia runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453098012 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"mail"; distance:0; nocase; content:"function"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*mail\s+function/smi"; metadata:policy security-ips drop; classtype:successful-recon-limited; 10436 SPYWARE-PUT Keylogger keyspy runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=3266 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/updates/checkversion.php"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.myarmory.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Emyarmory\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 10437 SPYWARE-PUT Hijacker bazookabar runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453073886 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/updates/checkversion.php"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.myarmory.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Emyarmory\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 10438 SPYWARE-PUT Hijacker bazookabar runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453073886 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/starts.asp"; nocase; http_uri; content:"ids="; nocase; http_uri; content:"webid="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"ad.mokead.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ad\x2Emokead\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 10439 SPYWARE-PUT Adware mokead runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453101519 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"PC"; distance:0; nocase; content:"Black"; distance:0; nocase; content:"Box"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*PC[^\r\n]*Black[^\r\n]*Box/smi"; metadata:policy security-ips alert; classtype:successful-recon-limited; 10440 SPYWARE-PUT Keylogger pc black box runtime detection research.sunbelt-software.com/threatdisplay.aspx?name=PC%20Black%20Box&threatid=117239 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET 4973 flow:to_server,established; content:"|F9 14|"; depth:2; content:"|B3 B3 84 86 83 83 F5 B3 B3 B3|"; within:10; distance:110; metadata:policy security-ips alert; classtype:misc-activity; 10441 SPYWARE-PUT Hacker-Tool statwin runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453098082 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; dsize:<20; content:"|AC|kC|3A 5C|"; metadata:policy security-ips drop; classtype:trojan-activity; 10442 BACKDOOR nirvana 2.0 runtime detection - explore c drive www.megasecurity.org/trojans/n/nirvana/Nirvana2.0.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 32418 flow:to_server,established; content:"SNIFF/"; depth:6; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 10443 BACKDOOR acidbattery 1.0 runtime detection - sniff info www3.ca.com/securityadvisor/pest/pest.aspx?id=109 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 32418 flow:to_server,established; content:"SERVER/NFO"; depth:10; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 10446 BACKDOOR acidbattery 1.0 runtime detection - get server info www3.ca.com/securityadvisor/pest/pest.aspx?id=109 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/wwp/msg/1,,,00.html"; nocase; http_uri; content:"Uin=223220036"; nocase; http_uri; content:"Name=51D"; nocase; http_uri; content:"Send="; nocase; http_uri; metadata:policy security-ips alert; classtype:trojan-activity; 10447 BACKDOOR 51d 1b runtime detection - icq notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453084229 trojan-activity tcp $HOME_NET 2612 -> $EXTERNAL_NET any flow:from_server,established; content:"connect_"; depth:8; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 10448 BACKDOOR acessor 2.0 runtime detection - init connection www.megasecurity.org/trojans/a/acessor/Acessor2.0.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"|1B|[2J|1B|[40m|1B|[37mAcid"; depth:18; nocase; content:"Shiver"; distance:0; nocase; content:"System"; distance:0; nocase; content:"Release"; distance:0; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 10449 BACKDOOR acid shivers runtime detection - init telnet connection www3.ca.com/securityadvisor/pest/pest.aspx?id=112 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"D41D8CD98F00B204E9800998ECF8427E"; depth:34; flowbits:set,Only1RAT_Control; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 10450 BACKDOOR only 1 rat runtime detection - control command trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; flowbits:isset,Only1RAT_Control; content:"|7C FF 00 FF 00 FF 00 FF 00 FF 00 FF 0D 0A|"; metadata:policy security-ips alert; classtype:trojan-activity; 10451 BACKDOOR only 1 rat runtime detection - control command research.sunbelt-software.com/threatdisplay.aspx?name=Only%201%20RAT&threatid=40632 trojan-activity tcp $HOME_NET 5600 -> $EXTERNAL_NET any flow:from_server,established; content:"Connected"; depth:9; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 10454 BACKDOOR [x]-ztoo 1.0 runtime detection - init connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453084134 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 5600 flow:to_server,established; content:"GetInfo"; depth:7; nocase; flowbits:set,XZTOO_Getinfo; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 10455 BACKDOOR [x]-ztoo 1.0 runtime detection - get system info trojan-activity tcp $HOME_NET 5600 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,XZTOO_Getinfo; content:"Info|3B|"; depth:5; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 10456 BACKDOOR [x]-ztoo 1.0 runtime detection - get system info www3.ca.com/securityadvisor/pest/pest.aspx?id=453084134 trojan-activity tcp $HOME_NET 5600 -> $EXTERNAL_NET any flow:from_server,established; content:"LogStarted"; depth:10; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 10457 BACKDOOR [x]-ztoo 1.0 runtime detection - start keylogger www3.ca.com/securityadvisor/pest/pest.aspx?id=453084134 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 5024 flow:to_server,established; content:"[LOAD DRIVE DATA]"; depth:17; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 10458 BACKDOOR [x]-ztoo 1.0 or illusion runtime detection - open file manager www3.ca.com/securityadvisor/pest/pest.aspx?id=453084134 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"WinEggDropShell"; depth:15; offset:28; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 10459 BACKDOOR wineggdrop shell pro runtime detection - init connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453077750 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 3132 flow:to_server,established; content:"000"; depth:3; flowbits:set,Winicabras_getinfo; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 10460 BACKDOOR winicabras 1.1 runtime detection - get system info trojan-activity tcp $HOME_NET 3132 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Winicabras_getinfo; content:"|0D 0A|==INFORMACION"; depth:15; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 10461 BACKDOOR winicabras 1.1 runtime detection - get system info www.megasecurity.org/trojans/w/winicabras/Winicabras1.1.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 12667 flow:to_server,established; content:"DRIVE"; depth:5; nocase; flowbits:set,Winicabras_explorer; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 10462 BACKDOOR winicabras 1.1 runtime detection - explorer trojan-activity tcp $HOME_NET 12667 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Winicabras_explorer; content:"DRIVE"; depth:5; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 10463 BACKDOOR winicabras 1.1 runtime detection - explorer www.megasecurity.org/trojans/w/winicabras/Winicabras1.1.html 23371 attempted-admin 2007-1204 tcp $EXTERNAL_NET any -> $HOME_NET 2869 flow:to_server,established; content:"SUBSCRIBE"; fast_pattern:only; pcre:"/^(UN)?SUBSCRIBE\s/smi"; pcre:"/^(NT|CallBack|SID|TimeOut)\s*\x3a\s*[^\n]{512}/Rsmi"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 10475 MISC UPNP notification type overflow attempt www.microsoft.com/technet/security/bulletin/MS07-019.mspx protocol-command-decode tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03 00|"; depth:3; offset:2; flowbits:set,sslv3.client_hello.request; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; 10996 WEB-MISC SSLv3 Client_Hello request 22743 denial-of-service 2007-1005 tcp $EXTERNAL_NET any -> $HOME_NET 9191 flow:established,to_server; content:"|01 06 00 00 00|"; depth:5; offset:2; byte_test:4,<,4,0,relative, little; metadata:policy security-ips drop; classtype:denial-of-service; 11185 DOS CA eTrust key handling dos -- username 13368 attempted-admin 2005-0684 tcp $EXTERNAL_NET any -> $HOME_NET 9999 flow:to_server,established; content:"GET"; isdataat:500,relative; content:!"|0A|"; within:500; metadata:policy security-ips drop; classtype:attempted-admin; 11196 EXPLOIT MaxDB WebDBM get buffer overflow successful-recon-limited udp $HOME_NET 8765 -> 255.255.255.255 8765 flow:to_server; content:"ChildWebGuardian|3A|"; depth:17; nocase; metadata:policy security-ips alert; classtype:successful-recon-limited; 11306 SPYWARE-PUT Snoopware childwebguardian runtime detection - udp broadcast www3.ca.com/securityadvisor/pest/pest.aspx?id=453099134 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"Computer"; distance:0; nocase; content:"Monitor"; distance:0; nocase; content:"Keylogger"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*Computer[^\r\n]*Monitor[^\r\n]*Keylogger/smi"; metadata:policy security-ips alert; classtype:successful-recon-limited; 11307 SPYWARE-PUT Keylogger computer monitor Keylogger runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453097349 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/db/db.php"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"SpyDawn"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*SpyDawn/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 11308 SPYWARE-PUT Other-Technologies spydawn runtime detection - update checking www3.ca.com/securityadvisor/pest/pest.aspx?id=453109604 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"SSKC"; nocase; content:"v2.0"; distance:0; nocase; content:"Startup"; distance:0; nocase; content:"at"; distance:0; nocase; pcre:"/^SSKC[^\r\n]*v2\x2E0[^\r\n]*Startup[^\r\n]*at/smi"; metadata:policy security-ips drop; classtype:successful-recon-limited; 11309 SPYWARE-PUT Keylogger sskc v2.0 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453076545 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/wwp/msg/1,,,00.html"; fast_pattern; nocase; http_uri; content:"Uin="; nocase; http_uri; content:"Name="; nocase; http_uri; content:"iowA"; nocase; http_uri; content:"WebDloader"; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 11310 SPYWARE-PUT Trickler iowa webdownloader - icq notification www3.ca.com/securityadvisor/pest/pest.aspx?id=59689 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/upload.php"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.pcsentinelsoftware.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Epcsentinelsoftware\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:successful-recon-limited; 11311 SPYWARE-PUT Keylogger pcsentinelsoftware Keylogger runtime detection - upload infor www.pcsentinelsoftware.com successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/Response2.aspx"; fast_pattern; nocase; http_uri; content:"mac="; nocase; http_uri; content:"myadid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"uplink.co.kr"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*uplink\x2Eco\x2Ekr/smiH"; metadata:policy security-ips alert; classtype:successful-recon-limited; 11312 SPYWARE-PUT Trackware uplink runtime detection www.symantec.com/security_response/writeup.jsp?docid=2007-031317-1701-99&tabid=1 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/db/db.php"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Spy-Locked"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Spy\-Locked/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 11313 SPYWARE-PUT Other-Technologies spywarelocker 3.3 runtime detection - update checking research.sunbelt-software.com/threatdisplay.aspx?name=SpyLocked&threatid=129037 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"ShadowNet"; nocase; content:"Remote"; distance:0; nocase; content:"Web"; distance:0; nocase; content:"Based"; distance:0; nocase; content:"Spyware"; distance:0; nocase; pcre:"/ShadowNet\s+Remote\s+Web\s+Based\s+Spyware/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 11314 BACKDOOR shadownet remote spy 2.0 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453081042 trojan-activity tcp $HOME_NET 1115 -> $EXTERNAL_NET any flow:from_server,established; content:"|0D|Lurker"; depth:7; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 11316 BACKDOOR lurker 1.1 runtime detection - init connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453077370 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"&&**"; depth:4; metadata:policy security-ips alert; classtype:trojan-activity; 11317 BACKDOOR abremote pro 3.1 runtime detection - init connection www.heibai.net/download/Soft/Soft_6836.htm trojan-activity tcp $EXTERNAL_NET 19820 -> $HOME_NET any flow:from_server,established; content:"EMSG0006"; depth:8; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 11318 BACKDOOR boer runtime detection - init connection soft.myboer.cn trojan-activity tcp $HOME_NET 5050 -> $EXTERNAL_NET any flow:from_server,established; content:"|1B 00 00 00|"; depth:4; metadata:policy security-ips drop; classtype:trojan-activity; 11319 BACKDOOR netwindow runtime detection - init connection request research.sunbelt-software.com/threatdisplay.aspx?name=NetWindow&threatid=43584 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 5051 flow:to_server,established; content:"NWHOST"; depth:6; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 11320 BACKDOOR netwindow runtime detection - reverse mode init connection request research.sunbelt-software.com/threatdisplay.aspx?name=NetWindow&threatid=43584 trojan-activity udp $HOME_NET any -> 255.255.255.255 5053 flow:to_server; content:"NWHOST"; depth:6; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 11321 BACKDOOR netwindow runtime detection - udp broadcast research.sunbelt-software.com/threatdisplay.aspx?name=NetWindow&threatid=43584 trojan-activity tcp $HOME_NET 5712 -> $EXTERNAL_NET any flow:from_server,established; content:"RFB 003.003|0A|"; depth:12; nocase; flowbits:set,Sohoanywhere_Init; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 11322 BACKDOOR sohoanywhere runtime detection trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 5712 flow:to_server,established; flowbits:isset,Sohoanywhere_Init; content:"RFB 003.004|0A|"; depth:12; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 11323 BACKDOOR sohoanywhere runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453060132 protocol-command-decode tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,sslv3.client_hello.request; flowbits:isnotset,sslv3.server_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; 11671 WEB-MISC SSLv2 Server_Hello request from SSLv3 Client_Hello request attempted-admin 2003-0109 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"SEARCH "; depth:7; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; metadata:policy security-ips drop; classtype:attempted-admin; 11686 SPECIFIC-THREATS WebDAV search overflow attempt www.microsoft.com/technet/security/bulletin/ms03-007.mspx trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 610 flow:to_server,established; content:"L"; depth:1; nocase; content:"|00|"; depth:1; offset:3; pcre:"/^L\d\d\x00/smi"; flowbits:set,SupervisorPlus_detection; flowbits:noalert; classtype:trojan-activity; 11953 BACKDOOR supervisor plus runtime detection protocol-command-decode tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,tlsv1.client_hello.request; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; 11965 WEB-MISC SSLv2 Server_Hello request from TLSv1 Client_Hello request trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 58008 flow:to_server,established; content:"<SYSTMTIME>"; depth:11; nocase; flowbits:set,Tron_Initconnection; flowbits:noalert; classtype:trojan-activity; 12054 BACKDOOR tron runtime detection - init connection - flowbit set 22340 attempted-admin 2007-0449 tcp $EXTERNAL_NET any -> $HOME_NET 2200 flow:to_server,established; content:"N=,|1B|"; depth:4; isdataat:1000; content:!"N=,|1B|"; within:996; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 12078 EXPLOIT CA BrightStor LGServer Heap buffer overflow successful-recon-limited tcp $EXTERNAL_NET any -> $HOME_NET 456 flow:to_server,established; content:"info"; depth:4; flowbits:set,RemoteKeyLog.b.Info_detection; flowbits:noalert; classtype:successful-recon-limited; 12129 SPYWARE-PUT Keylogger remotekeylog.b runtime detection - get sys info successful-recon-limited tcp $HOME_NET 456 -> $EXTERNAL_NET any flow:to_client,established; content:"WND"; depth:3; flowbits:set,RemoteKeyLog.b.Keylogging_detection; flowbits:noalert; classtype:successful-recon-limited; 12131 SPYWARE-PUT Keylogger remotekeylog.b runtime detection - keylogging successful-recon-limited tcp $EXTERNAL_NET any -> $HOME_NET 456 flow:to_server,established; content:"url"; depth:3; flowbits:set,RemoteKeyLog.b.Url_detection; flowbits:noalert; classtype:successful-recon-limited; 12133 SPYWARE-PUT Keylogger remotekeylog.b runtime detection - open url successful-recon-limited tcp $EXTERNAL_NET any -> $HOME_NET 456 flow:to_server,established; content:"fun"; depth:3; flowbits:set,RemoteKeyLog.b.Fun_detection; flowbits:noalert; classtype:successful-recon-limited; 12135 SPYWARE-PUT Keylogger remotekeylog.b runtime detection - fun trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|99 F3 00 00 00 00 00 00 FF FF FF FF|"; depth:12; flowbits:set,AccessRemotePC_detection; flowbits:noalert; classtype:trojan-activity; 12142 BACKDOOR access remote pc runtime detection - init connection trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"AUTH"; depth:4; flowbits:set,BlueEye1.0b_detection; flowbits:noalert; classtype:trojan-activity; 12146 BACKDOOR blue eye 1.0b runtime detection - init connection trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 54320 flow:to_server,established; content:"|00 00 00|"; depth:3; content:"|CD C3 13|7"; within:4; distance:1; flowbits:set,BackOrifice2006_1.1.5_detection; flowbits:noalert; classtype:trojan-activity; 12148 BACKDOOR back orifice 2006 - v1.1.5 runtime detection - init connection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_client,established; content:"|FF FD 03 FF FD 18 FF FD 1F|"; depth:9; flowbits:set,CAFEiNi_detection; flowbits:noalert; classtype:trojan-activity; 12150 BACKDOOR cafeini 1.0 runtime detection - init connection trojan-activity tcp $HOME_NET 500 -> $EXTERNAL_NET any flow:from_server,established; content:" |0D 0A|"; depth:3; flowbits:set,OptixPROv1.32Download_detection1; flowbits:noalert; classtype:trojan-activity; 12153 BACKDOOR optix pro v1.32 runtime detection - download file trojan-activity tcp $HOME_NET 500 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,OptixPROv1.32Download_detection1; content:"+OK REDY|0D 0A|"; depth:10; flowbits:set,OptixPROv1.32Download_detection2; flowbits:noalert; classtype:trojan-activity; 12154 BACKDOOR optix pro v1.32 runtime detection - download file trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 501 flow:to_server,established; content:"InfoOn|AC|"; depth:7; flowbits:set,OptixPROv1.32Upload_detection1; flowbits:noalert; classtype:trojan-activity; 12156 BACKDOOR optix pro v1.32 runtime detection - upload file trojan-activity tcp $HOME_NET 501 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,OptixPROv1.32Upload_detection1; content:" |0D 0A|"; depth:3; flowbits:set,OptixPROv1.32Upload_detection2; flowbits:noalert; classtype:trojan-activity; 12157 BACKDOOR optix pro v1.32 runtime detection - upload file trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 503 flow:to_server,established; content:"SendACap|AC|"; depth:9; flowbits:set,OptixPROv1.32Screencapture_detection1; flowbits:noalert; classtype:trojan-activity; 12160 BACKDOOR optix pro v1.32 runtime detection - screen capturing trojan-activity tcp $HOME_NET 503 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,OptixPROv1.32Screencapture_detection1; content:" |0D 0A|"; depth:3; flowbits:set,OptixPROv1.32Screencapture_detection2; flowbits:noalert; classtype:trojan-activity; 12161 BACKDOOR optix pro v1.32 runtime detection - screen capturing trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1357 flow:to_server,established; content:"DIR"; depth:3; offset:3; pcre:"/^(SYS|WIN)DIR$/sm"; flowbits:set,CobraUploader1.0_detection; flowbits:noalert; classtype:trojan-activity; 12163 BACKDOOR cobra uploader 1.0 runtime detection trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET [37,31415,31416] flow:to_server,established; content:"|24 00 00 00 00 00 03 00 0D 00 00 00|"; depth:12; flowbits:set,Lithium1.02_detection; flowbits:noalert; classtype:trojan-activity; 12165 BACKDOOR lithium 1.02 runtime detection trojan-activity tcp $HOME_NET [37,31415,31416] -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,Lithium1.02_detection; content:"|00 00 00 00 00 04 00|"; offset:1; metadata:policy security-ips alert; classtype:trojan-activity; 12166 BACKDOOR lithium 1.02 runtime detection www.symantec.com/security_response/writeup.jsp?docid=2002-061113-2401-99 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_client,established; content:"|1B|[2J|0D 0A| "; depth:7; content:"Hello"; nocase; content:"my"; distance:0; nocase; content:"master"; distance:0; nocase; content:"waiting"; distance:0; nocase; content:"for"; distance:0; nocase; content:"your"; distance:0; nocase; content:"commands"; distance:0; nocase; flowbits:set,Genie1.7_detection; flowbits:noalert; classtype:trojan-activity; 12240 BACKDOOR genie 1.7 runtime detection - init connection trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"Start"; depth:5; nocase; pcre:"/^Start$/smi"; flowbits:set,HotmailHackerLogEdition5.0_detection; flowbits:noalert; classtype:trojan-activity; 12242 BACKDOOR hotmail hacker log edition 5.0 runtime detection - init connection misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|09 08 10 00 00 06 00 01|"; flowbits:set,xlw.download; flowbits:noalert; classtype:misc-activity; 12283 WEB-CLIENT xlw file download sc.openoffice.org/excelfileformat.pdf misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ms162cfg.jsp?"; fast_pattern; nocase; http_uri; pcre:"/\x2fms162cfg\x2ejsp\x3f([sverlcfan]\x3d[^\x26\s]*\x26){8}/iU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-activity; 12293 SPYWARE-PUT Hijacker morpheus toolbar runtime detection - get cfg info www.sophos.com/security/analyses/morpheustoolbar.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"|05 00 00 00 BC|"; depth:5; content:"|CC|"; within:1; distance:3; flowbits:set,Bifrost_v1.2.1_detection; flowbits:noalert; classtype:trojan-activity; 12297 BACKDOOR bifrost v1.2.1 runtime detection trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|01 00 00 00 01 00 00 00 08 08|"; depth:10; flowbits:set,Radmin3.0_conn_detection; flowbits:noalert; classtype:trojan-activity; 12373 BACKDOOR radmin 3.0 runtime detection - initial connection trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|01 00 00 00 05 00 00 02|''|02 00 00 00|"; depth:14; flowbits:set,Radmin3.0_login_detection; flowbits:noalert; classtype:trojan-activity; 12375 BACKDOOR radmin 3.0 runtime detection - login & remote control trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"F|15 1D|"; depth:3; flowbits:set,sharK_2.3.2_detection; flowbits:noalert; classtype:trojan-activity; 12377 BACKDOOR shark 2.3.2 runtime detection successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A| Email Reports from Inside Website Logger"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:successful-recon-limited; 12480 SPYWARE-PUT Keylogger inside website logger 2.4 runtime detection www.programurl.com/inside-website-logger.htm successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/toolbar/"; nocase; http_uri; content:".php?"; nocase; http_uri; content:"acc="; nocase; http_uri; content:"country="; nocase; http_uri; content:"city="; nocase; http_uri; content:"state="; nocase; http_uri; content:"uninstalled="; nocase; http_uri; content:"User-Agent"; nocase; http_header; content:"iebar"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\s*\x3A[^\r\n]*iebar/miH"; metadata:policy security-ips alert, service http; classtype:successful-recon-limited; 12672 SPYWARE-PUT Trackware searchmiracle elitebar runtime detection - get ads www3.ca.com/securityadvisor/pest/pest.aspx?id=453094053 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; content:"|B9 E1 A5|~|C7 B7 82|n|22|n|0B CB FD|w|ED|I"; depth:16; flowbits:set,PoisonIvy2.3.0_initDetection; flowbits:noalert; classtype:trojan-activity; 12699 BACKDOOR poison ivy 2.3.0 runtime detection - init connection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"1DbsLbE3i/MBQu9Z"; depth:16; flowbits:set,DarkMoon411_detection; flowbits:noalert; classtype:trojan-activity; 12724 BACKDOOR dark moon 4.11 runtime detection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; content:"|CF 8F 80 9B 9A 9D CF C9 CA C9 D9 8D C9|"; depth:13; flowbits:set,Bandook135_detection; flowbits:noalert; classtype:trojan-activity; 12726 BACKDOOR bandook 1.35 runtime detection 24658 attempted-user 2007-3410 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"<smi"; nocase; content:"wallclock|28|"; pcre:"/^[^\x29]*\x2E[0-9]{11}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; classtype:attempted-user; 12728 WEB-CLIENT RealNetworks SMIL wallclock stack overflow attempt 26042 attempted-user 2007-4619 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"fLaC"; content:"|06|"; byte_jump:4,7,relative; content:"|FF FF FF FF|"; within:4; metadata:policy security-ips drop, service http; classtype:attempted-user; 12743 WEB-CLIENT FLAC libFLAC picture description metadata buffer overflow attempt 26042 attempted-user 2007-4619 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"fLaC"; content:"|04|"; content:"|FF FF FF FF|"; within:4; distance:3; metadata:policy security-ips drop, service http; classtype:attempted-user; 12744 WEB-CLIENT FLAC libFLAC VORBIS string buffer overflow attempt 26042 attempted-user 2007-4619 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"fLaC"; content:"|06|"; content:"|FF FF FF FF|"; within:4; distance:7; metadata:policy security-ips drop, service http; classtype:attempted-user; 12745 WEB-CLIENT FLAC libFLAC picture metadata buffer overflow attempt successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"From|3A|"; nocase; content:"Digi-Watcher.com"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*Digi\x2DWatcher\x2Ecom/smi"; flowbits:set,DigiWatcher232_detection; flowbits:noalert; classtype:successful-recon-limited; 12758 SPYWARE-PUT Keylogger/RAT digi watcher 2.32 runtime detection successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A|"; nocase; content:"Powered"; distance:0; nocase; content:"Keylogger"; distance:0; nocase; content:"Logs"; distance:0; nocase; pcre:"/^Subject\x3A[^\r\n]*Powered\s+Keylogger\s+Logs/smi"; flowbits:set,PoweredKeylogger22_detection; flowbits:noalert; classtype:successful-recon-limited; 12760 SPYWARE-PUT Keylogger powered Keylogger 2.2 runtime detection successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Attachment"; nocase; content:"contains"; distance:0; nocase; content:"Spy"; distance:0; nocase; content:"Lantern"; distance:0; nocase; content:"Keylogger"; distance:0; nocase; content:"log"; distance:0; nocase; content:"file"; distance:0; nocase; pcre:"/Attachment\s+contains\s+Spy\s+Lantern\s+Keylogger.*log\s+file\x2E/smi"; flowbits:set,SpyLanternKeylogger6_detection; flowbits:noalert; classtype:successful-recon-limited; 12792 SPYWARE-PUT Keylogger spy lantern Keylogger pro 6.0 runtime detection attempted-user 2007-0064 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"BFC3CD50-618F-11CF-8BB2-00AA00B4E220"; byte_test:4, >, 65522, 12, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 13160 WEB-CLIENT Microsft Media Player asf streaming audio spread error correction data length integer overflow attempt www.microsoft.com/technet/security/Bulletin/MS07-068.mspx 25454 attempted-admin 2007-4221 tcp $EXTERNAL_NET any -> $HOME_NET 407 flow:to_server,established; content:"|00 01|"; depth:2; content:"|00 23 07|"; depth:3; offset:6; byte_test:1,>,31,30; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 13221 EXPLOIT Motorola Timbuktu crafted login request buffer overflow attempt ftp-xo.netopia.com/evaluation/docs/timbuktu/win/865/relnotes/TB2Win865Evalrn.pdf 25454 attempted-admin 2007-4221 udp $EXTERNAL_NET any -> $HOME_NET 407 flow:to_server,established; content:"|00 01|"; depth:2; content:"|00 23 07|"; depth:3; offset:6; byte_test:1,>,31,30; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 13222 EXPLOIT Motorola Timbuktu crafted login request buffer overflow attempt ftp-xo.netopia.com/evaluation/docs/timbuktu/win/865/relnotes/TB2Win865Evalrn.pdf successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Attached"; nocase; content:"|28|ZIP"; distance:0; nocase; content:"file|29|"; distance:0; nocase; content:"to"; distance:0; nocase; content:"this"; distance:0; nocase; content:"email"; distance:0; nocase; content:"are"; distance:0; nocase; content:"the"; distance:0; nocase; content:"activity"; distance:0; nocase; content:"logs"; distance:0; nocase; content:"that"; distance:0; nocase; content:"you"; distance:0; nocase; content:"have"; distance:0; nocase; content:"requested."; distance:0; nocase; pcre:"/Attached\s+\x28ZIP\s+file\x29\s+to\s+this\s+email\s+are\s+the\s+activity\s+logs\s+that\s+you\s+have\s+requested\x2E/smi"; flowbits:set,ActiveKeylogger392_detection; flowbits:noalert; classtype:successful-recon-limited; 13236 SPYWARE-PUT Keylogger active Keylogger 3.9.2 runtime detection successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"Computer"; distance:0; nocase; content:"Monitor"; distance:0; nocase; pcre:"/^X-Mailer\x3A[^\r\n]*Computer\s+Monitor/smi"; flowbits:set,ComputerMonitor11_detection; flowbits:noalert; classtype:successful-recon-limited; 13243 SPYWARE-PUT Keylogger computer monitor 1.1 by lastcomfort runtime detection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; content:"/index"; nocase; flowbits:set,Troya_1_4_detection; flowbits:noalert; classtype:trojan-activity; 13245 BACKDOOR troya 1.4 runtime detection - init connection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"Req_Conn"; depth:8; nocase; flowbits:set,Yuri_1_2_detection; flowbits:noalert; classtype:trojan-activity; 13247 BACKDOOR yuri 1.2 runtime detection - init connection successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Advanced"; nocase; content:"Spy"; distance:0; nocase; content:"Report"; distance:0; nocase; content:"for"; distance:0; nocase; pcre:"/Advanced\s+Spy\s+Report\s+for/smi"; flowbits:set,AdvancedSpy_detection; flowbits:noalert; classtype:successful-recon-limited; 13278 SPYWARE-PUT Keylogger advanced spy 4.0 runtime detection successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"Chilkat"; distance:0; nocase; content:"Software"; distance:0; nocase; content:"Inc"; distance:0; nocase; pcre:"/^X\x2DMailer\x3A[^\r\n]*Chilkat\s+Software\s+Inc/smi"; flowbits:set,EmailSpyMonitor_detection; flowbits:noalert; classtype:successful-recon-limited; 13280 SPYWARE-PUT Keylogger email spy monitor 6.9 runtime detection 26791 attempted-admin 2007-6015 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|5C|MAILSLOT|5C|NET|5C|NTLOGON"; fast_pattern; pcre:"/^\x00+/R"; content:"|12 00 00 00|"; within:4; pcre:"/^\x00\x00\x00\x00[^\x00]{262}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-dgm; classtype:attempted-admin; 13291 EXPLOIT Samba send_mailslot buffer overflow attempt 26773 attempted-user 2007-6401 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.mp4; content:"|A9|ART"; byte_test:4, >, 512, 0, relative; metadata:policy security-ips drop, service http; classtype:attempted-user; 13316 WEB-CLIENT 3ivx MP4 file parsing ART buffer overflow attempt 26773 attempted-user 2007-6401 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.mp4; content:"|A9|nam"; byte_test:4, >, 512, 0, relative; metadata:policy security-ips drop, service http; classtype:attempted-user; 13317 WEB-CLIENT 3ivx MP4 file parsing nam buffer overflow attempt 26773 attempted-user 2007-6401 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.mp4; content:"|A9|cmt"; byte_test:4, >, 512, 0, relative; metadata:policy security-ips drop, service http; classtype:attempted-user; 13318 WEB-CLIENT 3ivx MP4 file parsing cmt buffer overflow attempt 26773 attempted-user 2007-6401 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.mp4; content:"|A9|des"; byte_test:4, >, 512, 0, relative; metadata:policy security-ips drop, service http; classtype:attempted-user; 13319 WEB-CLIENT 3ivx MP4 file parsing des buffer overflow attempt 26773 attempted-user 2007-6401 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.mp4; content:"|A9|cpy"; byte_test:4, >, 512, 0, relative; metadata:policy security-ips drop, service http; classtype:attempted-user; 13320 WEB-CLIENT 3ivx MP4 file parsing cpy buffer overflow attempt successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; content:"DS|00 00 00 00 01 00 00 00 00 FE 01 00 00 F1 00 00 00 00|"; depth:20; nocase; flowbits:set,RemoteDesktopInspector_detection; flowbits:noalert; classtype:successful-recon-limited; 13346 SPYWARE-PUT Snoopware remote desktop inspector runtime detection - init connection attempted-admin 2007-4731 tcp $EXTERNAL_NET any -> $HOME_NET 5005 flow:to_server,established; content:"!Ce|87 15 00 00 00|"; byte_test:4,>,844,8,relative,little; isdataat:1092,relative; content:!"|00|"; within:256; distance:836; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 13365 EXPLOIT Trend Micro ServerProtect TMregChange buffer overflow attempt www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt 20364 attempted-admin 2006-5142 udp $EXTERNAL_NET any -> $HOME_NET 138 flow:to_server; content:"mailslot|5C|cheyenneds"; nocase; isdataat:24,relative; content:!"|00|"; within:20; distance:4; metadata:policy security-ips drop; classtype:attempted-admin; 13415 EXPLOIT CA BrightStor cheyenneds mailslot overflow successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"From|3A|"; nocase; content:"|22|FindNot"; distance:0; nocase; content:"GuardDog|22|"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*\x22FindNot\s+GuardDog\x22/smi"; flowbits:set,FindNotGuardDog_detection; flowbits:noalert; classtype:successful-recon-limited; 13479 SPYWARE-PUT Keylogger findnot guarddog 4.0 runtime detection misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/update/barcab/"; fast_pattern; nocase; http_uri; content:"tn="; nocase; http_uri; content:"baiducb"; nocase; http_uri; content:"id="; nocase; http_uri; content:"version="; nocase; http_uri; pcre:"/update/barcab/.*?tn=.*id=.*version=/smi"; flowbits:set,BaiduToolbar_detection; flowbits:noalert; classtype:misc-activity; 13483 SPYWARE-PUT Hijacker baidu toolbar runtime detection - updates automatically trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:set,Evilotus_detection; content:"|0C|~|7F D8 13 00 00 00|d|C8 00 00 0B 00 00 00 07 00 00 00 80 E7 03 0C|~|7F D8|"; depth:27; flowbits:noalert; classtype:trojan-activity; 13506 BACKDOOR evilotus 1.3.2 runtime detection - init connection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; content:"|00 01|"; depth:2; offset:1; content:"Minutes"; nocase; content:"|00 A1 0F 00 00 00|"; distance:0; flowbits:set,Xploit1_4_5_detection; flowbits:noalert; classtype:trojan-activity; 13508 BACKDOOR xploit 1.4.5 runtime detection attempted-user 2008-0033 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"idsc"; byte_test:4,<,94,-8,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 13517 EXPLOIT Apple QTIF malformed idsc atom 27329 attempted-admin 2008-0356 tcp $EXTERNAL_NET any -> $HOME_NET 2512:2513 flow:to_server,established; content:"|FF FF FF|"; depth:3; byte_test:1, >, 195, 0; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 13519 EXPLOIT Citrix MetaFrame IMA buffer overflow attempt 27467 attempted-admin 2008-0467 tcp $EXTERNAL_NET any -> $HOME_NET 3050 flow:established,to_server; content:"|00 00 00 13|"; depth:4; content:"|1C|"; within:80; byte_test:1,>,0x81,0,relative; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 13522 EXPLOIT Firebird Database Server username handling buffer overflow misc-activity 2008-0112 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"GET"; nocase; http_method; content:".csv"; nocase; http_uri; flowbits:set,csv.download; flowbits:noalert; metadata:service http; classtype:misc-activity; 13584 WEB-CLIENT csv file download request www.microsoft.com/technet/security/Bulletin/MS08-014.mspx protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"OPTIONS"; depth:7; nocase; content:!"Via|3A|"; nocase; metadata:policy security-ips drop; classtype:protocol-command-decode; 13587 VOIP-SIP OPTIONS request missing RFC-mandated Via field www.ietf.org/rfc/rfc3261.txt protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"OPTIONS"; depth:7; nocase; content:!"Call-ID|3A|"; nocase; metadata:policy security-ips drop; classtype:protocol-command-decode; 13588 VOIP-SIP OPTIONS request missing RFC-mandated Call-ID field www.ietf.org/rfc/rfc3261.txt protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"OPTIONS"; depth:7; nocase; content:"Via|3A|"; nocase; pcre:"/^OPTIONS.+\r\n\r\n(.+)?^Via\x3A/smi"; metadata:policy security-ips drop; classtype:protocol-command-decode; 13589 VOIP-SIP OPTIONS request misplaced Via field - after terminating newline www.ietf.org/rfc/rfc3261.txt protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"OPTIONS"; depth:7; nocase; content:"Call-ID|3A|"; nocase; pcre:"/^OPTIONS.+\r\n\r\n(.+)?^Call-ID\x3A/smi"; metadata:policy security-ips drop; classtype:protocol-command-decode; 13590 VOIP-SIP OPTIONS request misplaced Call-ID field - after terminating newline www.ietf.org/rfc/rfc3261.txt 6849 attempted-admin 2003-0095 tcp $EXTERNAL_NET any -> $HOME_NET any flow:established,to_server; content:"1|C0 0B|E|10 05|P|00 00 00 05|L|00 00 00 FF 00|@@@@|FF 00|XXP1|C0 C3|"; metadata:policy security-ips drop; classtype:attempted-admin; 13617 SPECIFIC-THREATS Oracle database version 8 username buffer overflow attempt otn.oracle.com/deploy/security/pdf/2003alert51.pdf 28228 attempted-admin 2008-1357 udp $EXTERNAL_NET any -> $HOME_NET 8082 content:"Type=|22|AgentWakeup|22|"; fast_pattern:only; content:"|22 FA E5|"; content:"|8F|"; within:212; distance:20; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 13631 MISC McAfee ePolicy Orchestrator Framework Services log handling format string attempt knowledge.mcafee.com/article/234/615103_f.sal_public.html policy-violation tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"Zango/Setup.exe"; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:policy-violation; 13632 WEB-CLIENT Zango adware installation request www.ftc.gov/os/caselist/0523130/index.shtm trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; flowbits:set,Nuclear_RAT_2_1_detection; content:"|FF 00|"; depth:2; content:"|00 00 00 01 00 00 00 00 00 00|"; within:10; distance:1; flowbits:noalert; classtype:trojan-activity; 13654 BACKDOOR nuclear rat 2.1 runtime detection - init connection 23047 attempted-admin 2007-1542 udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Remote-Party-ID|3A|"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\s+[^\r\n]+\x40[^\r\n]*?[\x80-\xFF]/smi"; metadata:policy security-ips alert; classtype:attempted-admin; 13664 VOIP-SIP hexadecimal characters in IP address portion of Remote-Party-ID field www.cisco.com/en/US/products/products_security_response09186a00808075ad.html 28308 attempted-user 2008-1289 udp $EXTERNAL_NET any -> $HOME_NET 5060 flow:to_server; content:"a=rtpmap|3A|"; nocase; byte_test:9,>,256,0,relative,string; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 13693 VOIP-SIP invalid RTP payload type - possible Asterisk memory overwrite www.asterisk.org/node/48466 28569 attempted-admin 2008-1697 tcp $EXTERNAL_NET any -> $HOME_NET 7510 flow:to_server,established; content:"GET "; depth:4; nocase; isdataat:165,relative; content:"/topology/homeBaseView"; pcre:"/GET\s+\w[^\x0a\x20]{165}/i"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 13715 WEB-MISC HP OpenView Network Node Manager HTTP handling buffer overflow attempt successful-recon-limited tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; content:"|01 00 01 00 03 00 01 00 14 00 01 01 01 00 DD DD DD DD 00 00 00 00|"; depth:22; metadata:policy balanced-ips drop, policy security-ips drop; classtype:successful-recon-limited; 13764 SPYWARE-PUT Snoopware xpress remote runtime detection - init connection research.sunbelt-software.com/threatdisplay.aspx?name=XpressRemote&threatid=29388 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A|"; nocase; content:"CYBERsitter"; distance:0; nocase; content:"Report"; distance:0; nocase; content:"for|3A|"; distance:0; nocase; pcre:"/Subject\x3A[^\r\n]*CYBERsitter\s+Report\s+for\x3A/smi"; flowbits:set,cyberSitter_detection; flowbits:noalert; classtype:successful-recon-limited; 13767 SPYWARE-PUT Keylogger cyber sitter runtime detection misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"MZ"; byte_jump:4,58,little,relative; content:"PE|00 00|"; within:4; distance:-64; content:"APECO"; distance:0; flowbits:set,download.pecompact.binary; flowbits:noalert; classtype:misc-activity; 13797 WEB-CLIENT pe compact binary download attempted-admin 2008-1965 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"cai|3A|"; nocase; content:"-launcher"; distance:0; nocase; pcre:"/\x3c[^\x3e]+((\x22cai\x3a[^\x3e]*?\x2522[^\x3e\x22]*-launcher[^\x3e\x22]*\x22)|(\x27cai\x3a[^\x3e]*?(\x2522|\x22)[^\x3e\x27]*-launcher[^\x3e\x27]*\x27)|(cai\x3a[^\x3e]*?(\x2522|\x22)[^\x3e]*-launcher[^\x3e]*?\s+))\s*\x3e/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 13799 WEB-CLIENT IBM Lotus Expeditor cai URI Handler Command Execution attempt protocol-command-decode tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Content-Type|3A|"; nocase; http_header; content:"text/rtf"; fast_pattern; nocase; http_header; flowbits:set,http.rtf; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:protocol-command-decode; 13801 WEB-CLIENT RTF file download attempted-user 2008-0011 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13824, service http, policy balanced-ips drop, policy security-ips drop; 13824 WEB-CLIENT malformed mjpeg arbitrary code execution attempt www.microsoft.com/technet/security/bulletin/MS08-033.mspx 28616 web-application-activity 2008-1329 tcp $EXTERNAL_NET any -> $HOME_NET 1900 flow:to_server,established; content:"rxrReceiveFileFromServer~~8~~"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; classtype:web-application-activity; 13839 MISC CA ARCServ NetBackup remote file upload attempt support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173105 attempted-admin 2006-4305 tcp $EXTERNAL_NET any -> $HOME_NET 9999 flow:to_server,established; content:"POST"; content:"database="; nocase; isdataat:18,relative; content:!"|0A|"; within:18; content:!"&"; within:18; content:!"|3B|"; within:18; metadata:policy security-ips drop; classtype:attempted-admin; 13843 EXPLOIT MaxDB WebDBM get buffer overflow attempted-dos 2002-0055 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"0123AUTH LOGIN"; metadata:policy security-ips drop, service smtp; classtype:attempted-dos; 13844 SPECIFIC-THREATS BDAT size longer than contents exploit attempt attempted-dos 2002-0055 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"b00mAUTH LOGIN"; metadata:policy security-ips drop, service smtp; classtype:attempted-dos; 13845 SPECIFIC-THREATS BDAT size public exploit attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/popwin/"; nocase; http_uri; content:"/update.txt"; nocase; http_uri; flowbits:set,Trojan-Spy.Win32.Delf.uv_Detection; flowbits:noalert; classtype:trojan-activity; 13877 BACKDOOR trojan-spy.win32.delf.uv runtime detection 29328 attempted-admin 2008-2499 tcp $EXTERNAL_NET any -> $HOME_NET [1533,8082] flow:established,to_server; content:"POST"; content:"CommunityCBR/CC."; pcre:"/\d\d\.[^\s\n\r]{40}/Rsmi"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 13902 EXPLOIT IBM Lotus Sametime multiplexer stack buffer overflow attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".bak"; nocase; http_uri; flowbits:set,backup_file.request; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-activity; 13915 WEB-MISC backup file download attempt attempted-admin 2008-4193 tcp $EXTERNAL_NET any -> $HOME_NET 4000 flow:established,to_server; content:"username="; nocase; isdataat:450,relative; content:!"&"; within:450; content:!"|0A|"; within:450; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:attempted-admin; 13916 EXPLOIT Alt-N SecurityGateway username buffer overflow attempt secunia.com/advisories/30497/ misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ver.txt"; fast_pattern; nocase; http_uri; flowbits:set,AdWare_Ejik.ec_Detection; flowbits:noalert; classtype:misc-activity; 13938 SPYWARE-PUT Hijacker adware.win32.ejik.ec variant runtime detection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cc.txt"; fast_pattern; nocase; http_uri; flowbits:set,Dropper_Agent.rqg_Detection; flowbits:noalert; classtype:trojan-activity; 13943 SPYWARE-PUT Trickler dropper agent.rqg runtime detection attempted-user 2008-3021 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13946, service http, policy balanced-ips drop, policy security-ips drop; 13946 WEB-CLIENT Apple PICT/Quickdraw image converter packType 4 buffer overflow exploit attempt www.microsoft.com/technet/security/bulletin/ms08-044.mspx attempted-user 2008-3018 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13947, service http, policy balanced-ips drop, policy security-ips drop; 13947 WEB-CLIENT Apple PICT/Quickdraw image converter packType 3 buffer overflow exploit attempt www.microsoft.com/technet/security/bulletin/ms08-044.mspx 30177 misc-attack 2008-2607 tcp $EXTERNAL_NET any -> $HOME_NET [1521,5560] flow:established,to_server; content:"DBMS_AQELM"; pcre:"/SET_(SENDFROM|MAILHOST)\x28\x27[^\x27]{256}/i"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:misc-attack; 13951 WEB-MISC Oracle Database Server buffer overflow attempt trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"/dir1/archive.asp?id=z ANd"; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; classtype:trojan-activity; 13953 BOTNET-CNC Asprox trojan initial query www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514 attempted-user 2008-0121 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.ppt; metadata: engine shared, soid 3|13969, policy balanced-ips drop, policy security-ips drop; 13969 WEB-CLIENT Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt www.microsoft.com/technet/security/bulletin/ms08-051.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".m3u"; nocase; http_uri; flowbits:set, http.m3u.download; flowbits:noalert; metadata:service http; classtype:misc-activity; 14017 WEB-CLIENT MPEG Layer 3 playlist file request misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".pls"; nocase; http_uri; flowbits:set, http.pls.download; flowbits:noalert; metadata:service http; classtype:misc-activity; 14018 WEB-CLIENT PLS multimedia playlist file request 30467 attempted-user 2008-2935 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"Content-Type|3A| text/xml"; nocase; http_header; content:"xsl|3A|stylesheet"; fast_pattern; nocase; content:"crypto|3A|rc4_"; nocase; pcre:"/crypto\x3Arc4_(encrypt|decrypt)\x28\x27[^\x27]{129}/smiH"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 14039 EXPLOIT GNOME Project libxslt RC4 key string buffer overflow attempt 30467 attempted-user 2008-2935 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"Content-Type|3A| text/xml"; nocase; http_header; content:"xsl|3A|transform"; fast_pattern:only; content:"crypto|3A|rc4_"; nocase; pcre:"/crypto\x3Arc4_(encrypt|decrypt)\x28\x27[^\x27]{129}/smiH"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 14040 EXPLOIT GNOME Project libxslt RC4 key string buffer overflow attempt 30467 attempted-user 2008-2935 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"Content-Type|3A| text/xml"; nocase; http_header; content:"xsl|3A|version"; fast_pattern:only; content:"crypto|3A|rc4_"; pcre:"/crypto\x3Arc4_(encrypt|decrypt)\x28\x27[^\x27]{129}/smiH"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 14041 EXPLOIT GNOME Project libxslt RC4 key string buffer overflow attempt - 2 24773 attempted-admin 2007-3614 tcp $EXTERNAL_NET any -> $HOME_NET 9999 flow:to_server,established; content:"GET /webdbm"; nocase; content:"HTTP_COOKIE"; nocase; isdataat:250,relative; pcre:"/HTTP_COOKIE=[^\x0a\x0d\x26\x3f\x20]{250}/smi"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 14230 EXPLOIT SAP DB web server stack overflow attempt attempted-user 2007-5348 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|14261, service http, policy security-ips drop; 14261 WEB-CLIENT GDI VML gradient size heap overflow attempt www.microsoft.com/technet/security/bulletin/MS08-052.mspx 29634 attempted-admin 2008-2639 tcp $EXTERNAL_NET ANY -> $HOME_NET 20222 flow:established,to_server; content:"|02 00 00 00 00|"; depth:9; byte_test:4,>,256,0,relative; metadata:policy security-ips drop; classtype:attempted-admin; 14265 SCADA CitectSCADA ODBC buffer overflow attempt www.citect.com/index.php?option=com_content&task=view&id=1374&Itemid=223 bad-unknown tcp $HOME_NET 8002 -> $EXTERNAL_NET any flow:from_server,established; content:"Oracle Applications One-Hour Install"; metadata:policy security-ips drop; classtype:bad-unknown; 1464 ATTACK-RESPONSES oracle one hour install 10737 attempted-dos 2008-4023 tcp $EXTERNAL_NET any -> $HOME_NET 389 gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|14646, service ldap, policy balanced-ips drop, policy security-ips drop; 14646 DOS Active Directory malformed baseObject denial of service attempt www.microsoft.com/technet/security/bulletin/MS08-060.mspx 31418 attempted-user 2008-4322 tcp $EXTERNAL_NET any -> $HOME_NET 910 flow:to_server,established; content:"|10 23|Tg"; depth:4; isdataat:726,relative; content:!"|10 23|Tg"; within:712; distance:14; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 14769 EXPLOIT DATAC RealWin SCADA System FC_INFOTAG/SET_CONTROL buffer overflow attempt shellcode-detect ip $EXTERNAL_NET any -> $HOME_NET any content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:shellcode-detect; 14986 SHELLCODE x86 fldz get eip shellcode 30694 attempted-user 2008-2234 tcp $EXTERNAL_NET any -> $HOME_NET 8889 flow:to_server,established; content:"Authorization|3A|"; nocase; content:"Basic"; nocase; isdataat:256,relative; pcre:"/^Authorization\x3a\s*Basic[^\n]{256}/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 14992 WEB-MISC Openwsman HTTP basic authentication buffer overflow attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".wav"; nocase; flowbits:set,wav_file.request; flowbits:noalert; metadata:service http; classtype:misc-activity; 15079 WEB-MISC WAV Formatfile download attempt attempted-user 2008-4028 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15082, service http, policy balanced-ips drop, policy security-ips drop; 15082 EXPLOIT rtf malformed dpcallout buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS08-072.mspx attempted-user 2008-4269 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15116, service http, policy balanced-ips drop, policy security-ips drop; 15116 WEB-CLIENT Windows search protocol handler access attempt www.microsoft.com/technet/security/bulletin/MS08-075.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".rtf"; nocase; http_uri; flowbits:set,http.rtf; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-activity; 15123 WEB-CLIENT Rich Text Format file request 32518 attempted-admin 2008-5286 tcp $EXTERNAL_NET any -> $HOME_NET 631 flow:to_server,established; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; content:"IHDR"; content:"|02|"; within:1; distance:9; byte_test:4,>,1431655765,-6,relative; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 15145 EXPLOIT Apple CUPS TrueColor PNG filter overly large image height integer overflow attempt www.cups.org/str.php?L2974 32518 attempted-admin 2008-5286 tcp $EXTERNAL_NET any -> $HOME_NET 631 flow:to_server,established; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; content:"IHDR"; content:"|06|"; within:1; distance:9; byte_test:4,>,1431655765,-6,relative; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 15146 EXPLOIT Apple CUPS RGB+Alpha PNG filter overly large image height integer overflow attempt www.cups.org/str.php?L2974 30177 attempted-dos 2008-2595 tcp $EXTERNAL_NET any <> $HOME_NET 389 gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|15149, service ldap, policy balanced-ips drop, policy security-ips drop; 15149 DOS Oracle Internet Directory pre-auth ldap denial of service attempt www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html attempted-user 2008-4558 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,xspf_file.request; file_data; content:"|3C|identifier|3E|"; pcre:"/\x3cidentifier\x3E[^\x3c]*\x2d\d/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15157 WEB-CLIENT VideoLAN VLC Media Player XSPF memory corruption attempt TEST misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".xspf"; nocase; http_uri; flowbits:set,xspf_file.request; flowbits:noalert; metadata:service http; classtype:misc-activity; 15158 WEB-MISC XML Shareable Playlist Format file download attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/40e800"; depth:7; nocase; http_uri; pcre:"/^\x2F40e800[0-9A-F]{30,}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 15165 BACKDOOR Pushdo client communication attempt www.eweek.com/c/a/Security/Inside-a-Modern-Malware-Distribution-System/ attempted-user 2008-5036 tcp $EXTERNAL_NET 80 -> $HOME_NET any flow:to_client,established; flowbits:isset,realplayer.playlist; content:"<time "; nocase; pcre:"/\x3ctime\x20[^\x3e]*(begin|end)\x3d\x22[^\x22]{13}/Osmi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15166 WEB-CLIENT VideoLAN VLC Media Player RealText buffer overflow attempt 31688 attempted-user 2008-3641 tcp $EXTERNAL_NET any -> $HOME_NET 631 flow:to_server,established; content:"PW"; fast_pattern:only; pcre:"/PW\x2E?[0-9]+\s*,\s*/"; byte_test:4,>=,1024,0,relative,string,dec; metadata:policy security-ips drop; classtype:attempted-user; 15186 MISC Multiple vendors CUPS HPGL filter remote code execution attempt 31688 attempted-user 2008-3641 tcp $EXTERNAL_NET any -> $HOME_NET 631 flow:to_server,established; content:"PW"; fast_pattern:only; pcre:"/PW\x2E?[0-9]+\s*,\s*/"; byte_test:4,<,0,0,relative,string,dec; metadata:policy security-ips drop; classtype:attempted-user; 15187 MISC Multiple vendors CUPS HPGL filter remote code execution attempt 31688 attempted-user 2008-3641 tcp $EXTERNAL_NET any -> $HOME_NET 631 flow:to_server,established; content:"PC"; byte_test:4,>=,1024,0,relative,string,dec; metadata:policy security-ips drop; classtype:attempted-user; 15188 MISC Multiple vendors CUPS HPGL filter remote code execution attempt www.cups.org/str.php?L2911 31688 attempted-user 2008-3641 tcp $EXTERNAL_NET any -> $HOME_NET 631 flow:to_server,established; content:"PC"; byte_test:4,<,0,0,relative,string,dec; metadata:policy security-ips drop; classtype:attempted-user; 15189 MISC Multiple vendors CUPS HPGL filter remote code execution attempt www.cups.org/str.php?L2911 31416 attempted-user 2008-6415 tcp $EXTERNAL_NET any -> $HOME_NET 808 flow:to_server,established; content:"CONNECT "; nocase; isdataat:1024,relative; pcre:"/^CONNECT\s[^\s]{1024}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15190 WEB-MISC Youngzsoft CCProxy CONNECT Request buffer overflow attempt 23620 attempted-user 2007-2193 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"/* XPM */"; pcre:"/^\s*\x22[^\x22\n]{300}/mi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15236 WEB-CLIENT ACD Systems ACDSee XPM file format overflow attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".rm"; nocase; http_uri; flowbits:set,realmedia_file.request; flowbits:noalert; metadata:service http; classtype:misc-activity; 15239 WEB-MISC RealMedia format file download attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".rv"; nocase; http_uri; flowbits:set,realmedia_file.request; flowbits:noalert; metadata:service http; classtype:misc-activity; 15240 WEB-MISC RealMedia format file download attempt 33177 attempted-admin 2008-5444 tcp $EXTERNAL_NET any -> $HOME_NET 10000 flow:to_server,established; content:"|00 00 00 00 00 00 09 01|"; depth:20; offset:12; pcre:"/^.{12}\x00{6}\x09\x01.{16}.{300}/"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 15255 ORACLE Secure Backup msgid 0x901 username field overflow attempt 33177 attempted-user 2008-5448 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"login.php?"; http_uri; content:!"clear=yes"; http_uri; content:"ora_osb_bgcookie"; http_uri; content:"button=Logout"; http_uri; content:"rbtool"; http_uri; pcre:"/ora_osb_bgcookie\x3d[^\x20\x26\x3b]{1}/U"; pcre:"/rbtool\x3d[^\x20\x26\x3b]{1}/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15261 ORACLE Secure Backup exec_qr command injection attempt 33177 attempted-user 2008-5448 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"POST "; depth:5; content:"login.php"; http_uri; content:!"clear=yes"; http_client_body; content:"ora_osb_bgcookie"; http_client_body; content:"button=Logout"; http_client_body; content:"rbtool"; http_client_body; pcre:"/ora_osb_bgcookie\x3d[^\x20\x26\x3b]{1}/P"; pcre:"/rbtool\x3d[^\x20\x26\x3b]{1}/P"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15262 ORACLE Secure Backup POST exec_qr command injection attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"newmain.exe"; nocase; http_uri; pcre:"/[A-Z]{7,12}\/newmain.exe/Ui"; metadata:impact_flag red, policy security-ips drop, service http; classtype:trojan-activity; 15296 BOTNET-CNC Trojan.Bankpatch.C malicious file download attempt www.threatexpert.com/threats/trojan-bankpatch-c.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"dlyainfy.php"; nocase; content:"Host|3A| www.crabindustry.ru"; nocase; metadata:impact_flag red, policy security-ips drop, service http; classtype:trojan-activity; 15297 BOTNET-CNC Trojan.Bankpatch.C report home attempt www.threatexpert.com/threats/trojan-bankpatch-c.html 33299 attempted-user 2009-0241 tcp $EXTERNAL_NET any -> $HOME_NET 8652 flow:to_server,established; content:"/"; depth:1; isdataat:256,relative; content:!"/"; within:256; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 15364 EXPLOIT Ganglia Meta Daemon process_path stack buffer overflow attempt www.mail-archive.com/ganglia-developers@lists.sourceforge.net/msg04929.html 25898 attempted-admin 2007-4568 tcp $EXTERNAL_NET any -> $HOME_NET 7100 flow:to_server,established; content:"|12 01 03 00|<|00 00 00|AAAA"; fast_pattern:only; metadata:policy security-ips drop, service font-service; classtype:attempted-admin; 15382 SPECIFIC-THREATS X.Org X Font Server QueryXBitmaps and QueryXExtents Handlers integer overflow attempt attempted-admin 2009-0093 udp $EXTERNAL_NET any -> $HOME_NET 53 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|15386, service dns, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; 15386 BAD-TRAFFIC wpad dynamic update request www.microsoft.com/technet/security/bulletin/MS09-008.mspx 10386 attempted-user 2004-0397 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"get-dated-rev"; pcre:"/get-dated-rev\x20\x28\x20\d{1,4}\x3a([^T\x2d\x3a]{9}|[^\x2d]{4}\x2d[^\x2d]{3}|[^\x2d]{4}\x2d[^\x2d]{2}\x2d[^\x2d]{3})/i"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15388 EXPLOIT Subversion 1.0.2 get-dated-rev buffer overflow over http attempt 24165 attempted-admin 2007-2881 tcp $EXTERNAL_NET any -> $HOME_NET 1080 flow:to_server,established; content:"|01 06|"; depth:2; content:"PPPPPPPPPPPPXXXXXXXXXXXX"; metadata:policy security-ips drop; classtype:attempted-admin; 15422 SPECIFIC-THREATS Sun One web proxy server overflow attempt sunsolve.sun.com/search/document.do?assetkey=1-26-102927-1 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".maki"; nocase; http_uri; flowbits:set,maki_file.request; flowbits:noalert; metadata:service http; classtype:misc-activity; 15426 WEB-CLIENT MAKI file request misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".svg"; nocase; http_uri; flowbits:set,svg_file.request; flowbits:noalert; metadata:service http; classtype:misc-activity; 15427 WEB-MISC SVG file request 34235 attempted-user 2009-1169 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<xsl|3A|key name=|22|label|22| match=|22|item2|22| use=|22|w00t|28 29 22|/>"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15431 SPECIFIC-THREATS Firefox 3 xsl parsing heap overflow attempt www.mozilla.org/security/announce/2009/mfsa2009-12.html 34134 attempted-user 2009-0920 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/OVCgi/Toolbar.exe"; nocase; http_uri; content:"Cookie"; nocase; http_cookie; content:"OvOSLocale"; http_cookie; pcre:"/^Cookie\s*\x3a.*?OvOSLocale\s*\x3d\s*[^\x3b\s]{249}/Cmi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15434 WEB-MISC HP OpenView Network Node Manager OvOSLocale parameter buffer overflow attempt 34077 attempted-admin 2008-4563 tcp $EXTERNAL_NET any -> $HOME_NET 1500 flow:to_server,established; content:"*|A5|"; byte_test:2,>,0x41,19,relative,big; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 15436 EXPLOIT IBM Tivoli Storage Manager Express Backup counter heap corruption attempt www-01.ibm.com/support/docview.wss?uid=swg21377388 34077 attempted-admin 2008-4563 tcp $EXTERNAL_NET any -> $HOME_NET 1500 flow:to_server,established; content:"*|A5|"; offset:4; byte_test:2,<,0x17,-4,relative,big; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 15437 EXPLOIT IBM Tivoli Storage Manager Express Backup message length heap corruption attempt www-01.ibm.com/support/docview.wss?uid=swg21377388 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:".caf"; nocase; http_uri; flowbits:set,caff_request; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert, service http; classtype:misc-activity; 15444 WEB-MISC Core Audio Format file download attempt attempted-user 2008-4014 tcp $EXTERNAL_NET any -> $HOME_NET 9700 flow:to_server,established; content:"GET /BPELConsole/default/activities.jsp"; depth:39; nocase; pcre:"/(\x3F|\x26)[^\x3D]*(\x27|%27)[^\x3D]*(\x3C|%3c)script(\x3E|%3e)/smi"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 15445 ORACLE Oracle Application Server BPEL module cross site scripting attempt misc-attack 2009-0089 tcp $EXTERNAL_NET 443 -> $HOME_NET any gid:3; classtype:misc-attack; metadata: engine shared, soid 3|15456, service ssl, policy balanced-ips drop, policy security-ips drop; 15456 EXPLOIT WinHTTP SSL/TLS impersonation attempt www.microsoft.com/technet/security/bulletin/MS09-013.mspx attempted-user 2009-0084 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15457, service http, policy balanced-ips drop, policy security-ips drop; 15457 EXPLOIT DirectShow MJPEG arbitrary code execution attempt www.microsoft.com/technet/security/bulletin/MS09-011.mspx protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:".asp"; nocase; flowbits:set,asp.upload; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:protocol-command-decode; 15471 WEB-CLIENT asp file upload attempted-user 2009-0237 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15475, service http, policy balanced-ips drop, policy security-ips drop; 15475 WEB-CLIENT ISA Server cross-site scripting attempt www.microsoft.com/technet/security/bulletin/MS09-016.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server; content:"X-Request-Kind-Code|3A|"; fast_pattern; nocase; http_header; metadata:policy security-ips drop, service http; classtype:misc-activity; 15476 SPYWARE-PUT Waledac spam bot HTTP POST request blogs.technet.com/mmpc/archive/2009/04/14/wheres-waledac.aspx misc-attack 2008-5457 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"JSESSIONID"; http_uri; isdataat:300,relative; pcre:"/JSESSIONID\x3d[^\x20\x26\x0a]{300}/smiU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-attack; 15477 EXPLOIT Oracle BEA WebLogic overlong JESSIONID buffer overflow attempt attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15480, service http, policy balanced-ips drop, policy security-ips drop; 15480 WEB-CLIENT TRUFFLEHUNTER SFVRT-1003 attack attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server; content:"/w/update.dat"; nocase; http_uri; content:"Host|3A| chartseye.cn"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 15481 BOTNET-CNC Zeus/Zbot malware config file download request www.viruslist.com/en/viruses/encyclopedia?virusid=21782783 26146 attempted-user 2007-5544 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; content:"Content-Disposition|3A| attachment|3B|"; content:"filename=|22|poc.doc|22|"; distance:0; content:"Mb4AAACr"; distance:0; content:"WnoHAQQABAAAAAUAtQFUaGlzIGlzIGEgdGVzdA0K"; distance:0; content:"/wAB5kBBQUFB//8"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; 15485 SPECIFIC-THREATS IBM Lotus Notes DOC attachment viewer buffer overflow 10386 attempted-user 2004-0397 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"dated-rev-report"; nocase; content:"<D|3A|CREATIONDATE>XXXXXXX"; fast_pattern:only; metadata:policy security-ips drop; classtype:attempted-user; 15491 EXPLOIT Subversion 1.0.2 dated-rev-report buffer overflow attempt attempted-user 2009-1129 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,ppt.download; metadata: engine shared, soid 3|15499, service http, policy balanced-ips drop, policy security-ips drop; 15499 WEB-CLIENT PowerPoint 95 converter CString in ExEmbed container buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS09-017.mspx attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15503, service http, policy balanced-ips drop, policy security-ips drop; 15503 WEB-CLIENT Download of PowerPoint 95 file www.microsoft.com/technet/security/bulletin/MS09-017.mspx attempted-user 2009-1137 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15504, service http, policy balanced-ips drop, policy security-ips drop; 15504 WEB-CLIENT Download of PowerPoint 4.0 file www.microsoft.com/technet/security/bulletin/MS09-017.mspx denial-of-service 2009-0172 tcp $EXTERNAL_NET any -> $HOME_NET 50000 flow:to_server,established; content:"|10|A"; depth:2; offset:8; byte_jump:2, -10, relative; content:"|10|n"; within:2; distance:6; metadata:policy balanced-ips drop, policy security-ips drop; classtype:denial-of-service; 15509 DOS IBM DB2 database server CONNECT denial of service attempt 35017 attempted-admin 2009-1252 udp $EXTERNAL_NET 123 -> $HOME_NET 123 flow:to_server; dsize:> 200; content:"|01|"; depth:1; offset:49; byte_test:4,>,200,14,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service ntp; classtype:attempted-admin; 15514 EXPLOIT Multiple Vendors NTP Daemon Autokey stack buffer overflow attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".avi"; nocase; http_uri; flowbits:set,http.avi; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert, service http; classtype:misc-activity; 15516 WEB-CLIENT AVI multimedia file request misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".eot"; nocase; http_uri; flowbits:set,eot.download; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; classtype:misc-activity; 15518 WEB-MISC Embedded Open Type Font download request protocol-command-decode 2009-0228 tcp $EXTERNAL_NET [139,445] -> $HOME_NET any gid:3; classtype:protocol-command-decode; metadata: engine shared, soid 3|15523, service netbios-ssn, policy balanced-ips drop, policy security-ips drop; 15523 EXPLOIT srvsvc NetrShareEnum netname overflow attempt www.microsoft.com/technet/security/bulletin/MS09-022.mspx attempted-user 2009-1528 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15534, service http, policy balanced-ips drop, policy security-ips drop; 15534 WEB-CLIENT IE XML HttpRequest race condition exploit attempt www.microsoft.com/technet/security/bulletin/MS09-019.mspx attempted-user 2009-1529 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15535, service http, policy security-ips drop; 15535 WEB-CLIENT IE setCapture heap corruption exploit attempt www.microsoft.com/technet/security/bulletin/MS09-019.mspx attempted-user 2009-1530 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15536, service http, policy balanced-ips drop, policy security-ips drop; 15536 WEB-CLIENT IE invalid object modification exploit attempt www.microsoft.com/technet/security/bulletin/MS09-019.mspx trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/mrow_pin/?id"; nocase; http_uri; pcre:"/\x2Fmrow\x5Fpin\x2F\x3Fid\d+[a-z]{5,}\d{5}\x26rnd\x3D\d+/smi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 15553 BOTNET-CNC Sality virus HTTP GET request www.threatexpert.com/report.aspx?md5=b61aaef4d4dfbddbd8126c987fb77374 34461 attempted-admin 2009-0993 tcp $EXTERNAL_NET any -> $HOME_NET [6000:6199] flow:to_server,established; content:"HTTP"; nocase; pcre:"/^(GET|POST|HEAD)\s+[^\x25]*\x25[\x23\x24\x27\x2a\x2b\x2d\x2ehlqjzt1234567890]*[diouxefgacspn]/i"; metadata:policy security-ips drop; classtype:attempted-admin; 15554 ORACLE Oracle Application Server 10g OPMN service format string vulnerability exploit attempt www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html 34672 attempted-admin 2009-1430 tcp $EXTERNAL_NET any -> $HOME_NET 38292 flow:to_server,established; content:"|FF FF FF FF FF FF FF FF|"; depth:8; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:10; content:"|03|"; within:1; distance:23; content:"BIND"; within:4; distance:8; content:"BIND|00|"; within:5; distance:17; fast_pattern; byte_test:2,>,0x400,0,relative,big; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 15555 EXPLOIT Symantec Alert Management System Intel Alert Originator Service buffer overflow attempt www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090428_02 34675 attempted-admin 2009-1431 tcp $EXTERNAL_NET any -> $HOME_NET 12174 flow:to_server,established; content:"|00 00 00 00|"; depth:4; pcre:"/^\x00\x00\x00\x00.{2}(\x2f{2}|\x5c{2}|([A-F0-9\x21\x23-\x27\x2a\x2b\x2d\x2f\x3d\x3f\x5e\x5f\x60\x7b-\x7e]+\x2e){2})/si"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 15556 EXPLOIT Symantec Alert Management System Intel File Transfer Service arbitrary program execution attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"GET /cgi-bin/generator.pl HTTP/1.0|0D 0A|User-Agent|3A| "; http_header; content:"1|3B|7017|3B|"; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 15563 SPYWARE-PUT RSPlug Trojan server connection attempt www.sophos.com/security/analyses/viruses-and-spyware/osxrsplugf.html misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|23|!/bin/sh"; nocase; content:"4A4*FD32[8|22|-|29|Y|22|4|28|EB|28 22|!&0H|28 22|8"; distance:50; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:misc-activity; 15564 SPYWARE-PUT RSPlug Trojan file download attempt www.sophos.com/security/analyses/viruses-and-spyware/osxrsplugf.html misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|23|!/bin/sh"; nocase; content:"<|22|!0<FEM87|29|Y4V5R=FEC92!|5C 28|'-E9|22|`"; distance:50; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:misc-activity; 15565 SPYWARE-PUT RSPlug Trojan file download attempt www.sophos.com/security/analyses/viruses-and-spyware/osxrsplugf.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/gumblar.cn"; fast_pattern; nocase; http_uri; pcre:"/\x2Fgumblar\x2Ecn\x2Frss\x2F\x3Fid\x3D\d+/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 15566 SPYWARE-PUT Gumblar HTTP GET request attempt www.us-cert.gov/current/archive/2009/06/01/archive.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/martuz.cn"; fast_pattern; nocase; http_uri; pcre:"/\x2Fmartuz\x2Ecn\x2Fvid\x2F\x3Fid\x3D\d+/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 15567 SPYWARE-PUT Martuz HTTP GET request attempt www.us-cert.gov/current/archive/2009/06/01/archive.html 33072 attempted-dos tcp $HOME_NET any -> $EXTERNAL_NET 2775 flow:established,to_server; content:"|02|03|3A|"; content:"|09|052|3A|2|09|"; distance:0; content:"|09|033|3A|"; pcre:"/\x09033\x3a(?=[^\s]+\x40[^\s]+)[^\x20\x09]{33}/"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-dos; 15572 DOS Curse of Silence Nokia SMS DoS attempt 33059 attempted-admin 2008-5911 tcp $EXTERNAL_NET any -> $HOME_NET 554 flow:to_server,established; content:"SET_PARAMETER"; depth:13; content:"DataConvertBuffer"; distance:0; nocase; pcre:"/\x0a\x0d?\x0a[A-Z0-9\x2b\x2f\s]*[^A-Z0-9\x2b\x2f\s\x3d]/iR"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 15573 EXPLOIT RealNetworks Helix Server RTSP SET_PARAMETER heap buffer overflow attempt 12220 attempted-dos 2005-0097 tcp $EXTERNAL_NET any -> $HOME_NET 3128 flow:to_server,established; content:"Proxy-Authorization|3A| NTLM TlRMTVNTUAADAAAAGAAYAFcAAAAYABgAbwAAAAQABABIAAAABwAHAEwAAAAEAAQAUwAAAAAAAACHAAAABoIAAgUAkwgAAAAPQUxJRgNTVE9JQU5BTElG0rctVCv8MHcFVYLyVeJ+Bz+VWpKGpuw68j7CBi5V2JlRVrF65wtddQTYeTHCnpF3"; http_header; metadata:policy security-ips drop, service http; classtype:attempted-dos; 15579 SPECIFIC-THREATS Squid NTLM fakeauth_auth Helper denial of service attempt 12412 bad-unknown 2005-0241 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"Content-Length|3A| 3|0D 0A|Server|3A| AAAAAA"; http_header; metadata:policy security-ips drop, service http; classtype:bad-unknown; 15580 SPECIFIC-THREATS Squid oversized reply header handling exploit attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".arj"; nocase; http_uri; flowbits:set,arj_file.request; flowbits:noalert; metadata:service http; classtype:misc-activity; 15582 WEB-MISC ARJ format file download attempt 12515 attempted-user 2005-0350 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,arj_file.request; content:"|0A|`|EA|"; pcre:"/\x0a\x0d?\x0a\x60\xea(.{36}[^\x00]{256}|.+\x60\xea.{32}[^\x00]{256})/s"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15583 WEB-CLIENT F-Secure AntiVirus library heap overflow attempt protocol-command-decode tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:".ppt"; nocase; http_uri; flowbits:set,http.ppt; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:protocol-command-decode; 15586 WEB-CLIENT Powerpoint file download request attempted-user 2009-0566 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15681, service http, policy balanced-ips drop, policy security-ips drop; 15681 EXPLOIT Publisher 2007 file format arbitrary code execution attempt www.microsoft.com/technet/security/bulletin/MS09-030.mspx attempted-user 2009-1135 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15683, service http, policy balanced-ips drop, policy security-ips drop; 15683 WEB-MISC ISA Server OTP-based Forms-authorization fallback policy bypass attempt www.microsoft.com/technet/security/bulletin/MS09-031.mspx attempted-user 2009-0231 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,eot.download; metadata: engine shared, soid 3|15693, service http, policy balanced-ips drop, policy security-ips drop; 15693 WEB-CLIENT Embedded Open Type Font malformed name table overflow attempt www.microsoft.com/technet/security/bulletin/MS09-029.mspx attempted-user 2009-0232 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,eot.download; metadata: engine shared, soid 3|15694, service http, policy balanced-ips drop, policy security-ips drop; 15694 WEB-CLIENT Embedded Open Type Font malformed name table integer overflow attempt www.microsoft.com/technet/security/bulletin/MS09-029.mspx attempted-user 2009-0232 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,eot.download; metadata: engine shared, soid 3|15695, service http, policy security-ips drop; 15695 WEB-CLIENT Embedded Open Type Font malformed name table platform type 3 integer overflow attempt www.microsoft.com/technet/security/bulletin/MS09-029.mspx 35668 attempted-admin 2009-0692 udp $HOME_NET [67,68] -> $HOME_NET [67,68] gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|15700, policy balanced-ips drop, policy security-ips drop; 15700 EXPLOIT dhclient subnet mask option buffer overflow attempt 35267 attempted-user 2009-1420 tcp $EXTERNAL_NET any -> $HOME_NET 3443 flow:to_server,established; content:"/OvCgi/webappmon.exe"; nocase; content:"act=rping"; distance:0; nocase; pcre:"/sel\x3d[^\x26\x0a]{73}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15726 EXPLOIT HP OpenView Network Node Manager URI rping stack buffer overflow attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"tip"; nocase; content:"&cli"; distance:0; nocase; pcre:"/tip\x3D[a-zA-Z]+\x26cli\x3D[a-zA-Z]+\x26tipo\x3Dcli\x26inf\x3D/smi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 15730 BOTNET-CNC Delf Trojan POST attempt www.threatexpert.com/report.aspx?md5=858295d163762748bf4821db5de041a1 attempted-dos 2009-0696 udp $EXTERNAL_NET any -> $HOME_NET 53 gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|15734, policy balanced-ips drop, policy security-ips drop, service dns; 15734 BAD-TRAFFIC BIND named 9 dynamic update message remote dos attempt www.isc.org/software/bind/advisories/cve-2009-0696 attempted-user 2009-1133 tcp $EXTERNAL_NET 3389 -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15850, policy balanced-ips drop, policy security-ips drop; 15850 EXPLOIT Remote Desktop orderType remote code execution attempt www.microsoft.com/technet/security/bulletin/MS09-044.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".mp4"; nocase; http_uri; flowbits:set,http.mp4; flowbits:noalert; metadata:service http; classtype:misc-activity; 15865 WEB-CLIENT MP4 file request 31126 attempted-user 2008-3529 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<!ENTITY"; isdataat:200,relative; pcre:"/\x3c\x21ENTITY\s*[^\s\x3e]{200}/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15866 WEB-CLIENT libxml2 XML file processing long entity name buffer overflow attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".4xm"; nocase; http_uri; flowbits:set,4xm.request; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-activity; 15870 WEB-MISC 4xm file request 33502 attempted-user 2009-0385 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,4xm.request; content:"strk|28 00 00 00|"; byte_test:4,>,0x7ffffffe,0,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 15871 WEB-CLIENT FFmpeg 4xm processing memory corruption attempt 35758 attempted-user 2009-2469 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:".watch|28|"; nocase; content:"__defineSetter__|28|"; nocase; pcre:"/(?P<obj>\w+)\.watch\((?P<q1>\x22|\x27|)(?P<prop>[A-Z0-9\x2d\x5f]+)(?P=q1).*(?P=obj)\.__defineSetter__\((?P<q2>\x22|\x27|)(?P=prop)(?P=q2)/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15872 WEB-CLIENT Firefox defineSetter function pointer memory corruption attempt 35803 misc-attack 2009-2654 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"window.open|28|"; nocase; pcre:"/window\x2Eopen\x28(\x22[^\x22]+(\x25[^0-9a-f]|\x2C)|\x27[^\x27]+(\x25[^0-9a-f]|\x2C))/smi"; metadata:policy security-ips alert, service http; classtype:misc-attack; 15873 WEB-CLIENT Firefox location spoofing via invalid window.open characters attempted-admin 2008-0127 tcp $EXTERNAL_NET any -> $HOME_NET 1718 flow:to_server,established; content:"|01|?/|05|%*"; depth:6; pcre:"/^\x01\x3F\x2F\x05\x25\x2A[^\x0D\x0A]{300}/smi"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 15882 EXPLOIT McAfee E-Business Server remote preauth code execution attempt www.infigo.hr/en/in_focus/advisories/INFIGO-2008-01-06 27613 attempted-admin 2008-0621 tcp $EXTERNAL_NET any -> $HOME_NET 515 flow:to_server,established; content:"|01|"; depth:1; content:!"|0A|"; within:400; metadata:policy security-ips drop, service ldp; classtype:attempted-admin; 15883 EXPLOIT SAPLPD 0x01 command buffer overflow attempt 27613 attempted-admin 2008-0621 tcp $EXTERNAL_NET any -> $HOME_NET 515 flow:to_server,established; content:"|02|"; depth:1; content:!"|0A|"; within:400; metadata:policy security-ips drop, service ldp; classtype:attempted-admin; 15884 EXPLOIT SAPLPD 0x02 command buffer overflow attempt 27613 attempted-admin 2008-0621 tcp $EXTERNAL_NET any -> $HOME_NET 515 flow:to_server,established; content:"|03|"; depth:1; content:" "; distance:0; content:!"|0A|"; within:2000; metadata:policy security-ips drop, service ldp; classtype:attempted-admin; 15885 EXPLOIT SAPLPD 0x03 command buffer overflow attempt 27613 attempted-admin 2008-0621 tcp $EXTERNAL_NET any -> $HOME_NET 515 flow:to_server,established; isdataat:400; content:"|05|"; depth:1; content:!" "; within:400; metadata:policy security-ips drop, service ldp; classtype:attempted-admin; 15887 EXPLOIT SAPLPD 0x05 command buffer overflow attempt 27613 attempted-dos 2008-0621 tcp $EXTERNAL_NET any -> $HOME_NET 515 flow:to_server,established; content:"S"; depth:1; dsize:<4; metadata:policy security-ips drop, service ldp; classtype:attempted-dos; 15892 DOS SAPLPD 0x53 command denial of service attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".aiff"; nocase; http_uri; flowbits:set,aiff_file.request; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:misc-activity; 15898 WEB-MISC Audio Interchange File Format download request misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".aif"; nocase; http_uri; flowbits:set,aiff_file.request; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:misc-activity; 15899 WEB-MISC Audio Interchange File Format file request misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".aifc"; nocase; http_uri; flowbits:set,aiff_file.request; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:misc-activity; 15900 WEB-MISC Audio Interchange File Format request 19409 attempted-user 2006-3439 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:to_server,established; content:"|C7 0B|GGGG|81|7"; content:"u|F4|"; within:2; distance:4; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 15902 SHELLCODE x86 win2k-2k3 decoder base shellcode misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".mp3"; nocase; http_uri; flowbits:set,http.mp3; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:misc-activity; 15922 WEB-CLIENT mp3 file download request trojan-activity tcp $HOME_NET 27374 -> $EXTERNAL_NET any flow:to_client,established; content:"connected."; nocase; content:"Legends"; distance:0; fast_pattern; nocase; pcre:"/^connected\x2e[^\x0D\x0A]*20\d\d[^\x0D\x0A]*ver\x3A\s+Legends\s2\x2e1/smi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 15938 BOTNET-CNC Backdoor SubSeven client connection to server www.threatexpert.com/report.aspx?md5=da8d7529a8a37335064ade9d04df08ad 23085 attempted-admin 2007-1560 tcp $EXTERNAL_NET any -> $HOME_NET 3128 flow:to_server,established; content:"TRACE"; depth:5; content:"Max-Forwards|3A| 0|0D 0A|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-admin; 15941 DOS Squid Proxy TRACE request remote DoS attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".rss"; nocase; http_uri; flowbits:set,rss.download; flowbits:noalert; metadata:policy security-ips alert, service http; classtype:misc-activity; 15945 WEB-CLIENT RSS file download request 12832 attempted-user 2005-0644 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"-lh0-"; content:"|02 C9 C5|M|88 00 02|DDDD"; within:11; distance:13; metadata:policy security-ips drop, service http; classtype:attempted-user; 15950 SPECIFIC-THREATS McAfee LHA Type-2 file handling overflow attempt 13727 attempted-recon 2005-1252 tcp $EXTERNAL_NET any -> $HOME_NET 8484 flow:to_server,established; content:"GET /what.jsp?|5C|..|5C|.."; metadata:policy security-ips drop, service http; classtype:attempted-recon; 15953 WEB-MISC Ipswitch IMail Calendaring arbitrary file read attempt 13978 attempted-dos 2005-1266 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; content:"Content-Type|3A| hello|3B|"; fast_pattern:only; metadata:policy security-ips drop, service smtp; classtype:attempted-dos; 15954 SPECIFIC-THREATS SpamAssassin malformed email header DoS attempt 13420 attempted-admin 2005-1382 tcp $EXTERNAL_NET any -> $HOME_NET 4000 flow:to_server,established; content:"webcacheadmin?"; content:"SCREEN_ID=CGA.CacheDump"; content:"ACTION=Submit&index=1"; content:"cache_dump_file="; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 15955 ORACLE Application Server 9i Webcache file corruption attempt 14270 attempted-dos 2005-1530 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"PK|03 04|"; content:"|0C 00|"; within:2; distance:4; content:"-|00 00 00 F9 00 00 00 05 00 FF FF|"; within:12; distance:8; metadata:policy security-ips drop, service http; classtype:attempted-dos; 15957 WEB-CLIENT Sophos Anti-Virus zip file handling DoS attempt 14715 attempted-recon 2005-2020 tcp $EXTERNAL_NET any -> $HOME_NET 21700 flow:to_server,established; content:"GET"; depth:3; content:"../../boot.ini"; within:14; distance:23; metadata:policy security-ips drop, service http; classtype:attempted-recon; 15961 SPECIFIC-THREATS 3Com Network Supervisor directory traversal attempt 14287 attempted-user 2005-2297 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/WebConsole/Login.jsp|3B EA EA EA EA EA EA EA EA|"; http_uri; metadata:policy security-ips drop, service http; classtype:attempted-user; 15962 SPECIFIC-THREATS Sybase EAServer WebConsole overflow attempt 10243 attempted-user 2004-0234 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"!|C3|-lh0-|18 00 00 00 05 00 00 00 FA BB|m0 |01 08|testfile|F8 1B|U|05 00|P|B4 81 94 01 01|UUUU"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15966 SPECIFIC-THREATS F-Secure Anti-Virus LHA processing buffer overflow attempt misc-attack 2004-0362 udp any any -> any 5190 flow:to_server; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,512,-11,relative,little; metadata:policy security-ips drop; classtype:misc-attack; 15967 SPECIFIC-THREATS ICQ SRV_MULTI/SRV_META_USER overflow attempt www.eeye.com/html/Research/Advisories/AD20040318.html 31193 attempted-admin 2008-2468 tcp $EXTERNAL_NET any -> $HOME_NET 12175 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|15968, policy balanced-ips drop, policy security-ips drop; 15968 EXPLOIT LANDesk Management Suite QIP service heal packet buffer overflow attempt community.landesk.com/support/docs/DOC-3276 11039 attempted-dos 2004-0369 udp $EXTERNAL_NET any -> $HOME_NET 500 flow:to_server; content:"|A8|`|87|o|15 A9|0|F4 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00|0|00 00 00 14 00 00 00 01 00 00 00 05 00 00 7F FF|"; metadata:policy security-ips drop; classtype:attempted-dos; 15969 SPECIFIC-THREATS Symantec Multiple Products ISAKMPd denial of service attempt 10519 attempted-admin 2004-0413 tcp $EXTERNAL_NET any -> $HOME_NET 3690 flow:to_server,established; content:"|28| 2 |28| edit-pipeline |29| 4294967295|3A|AAAA"; metadata:policy security-ips drop; classtype:attempted-admin; 15970 SPECIFIC-THREATS Subversion svn pProtocol string parsing heap overflow attempt 11245 attempted-user 2004-0646 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:".jsp"; http_uri; content:"HOST"; nocase; pcre:"/^HOST\s*\x3a\s*[^\x0a]{1000}/mi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15978 WEB-MISC Macromedia JRun 4 mod_jrun buffer overflow attempt 11051 attempted-user 2004-0797 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"x|9C 85 C1 B9 11 80|0|10 04|A|EC A9 9A A0 C4|+|1E 91 7F FE D8 EB|p|DD AD FD 93 B9| KA|D6 82|l|05 D9 0B|r|14 A4|'9|93 5C|I|EE 24|O|92 91 E4|M2}yw[|86|"; metadata:policy security-ips drop, service http; classtype:attempted-user; 15981 SPECIFIC-THREATS zlib Denial of Service 11110 attempted-dos 2004-0799 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"prn"; http_uri; pcre:"/^(GET|POST)\s+[^\x0a]*?\x2fprn\x2e(htm|html|asp|cgi)/i"; metadata:policy security-ips drop, service http; classtype:attempted-dos; 15982 WEB-MISC Ipswitch WhatsUp Gold DOS Device HTTP request denial of service attempt 11281 misc-attack 2004-0815 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:to_server,established; content:"|5C 00|/|00|.|00|/|00|/|00|/|00|/|00|/|00|e|00|t|00|c|00|/|00|h|00|o|00|s|00|t|00|s|00|.|00|d|00|e|00|n|00|y|00 00 00|"; metadata:policy security-ips drop, service netbios-ssn; classtype:misc-attack; 15983 SPECIFIC-THREATS Samba arbitrary file access exploit attempt 11055 attempted-dos 2004-0829 tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:to_server,established; content:"|05 00 00 03 10 00 00 00 BC 00 00 00 01 00 00 00 A4 00 00 00 00 00|E|00 28 91|9|00 15 00 00 00 00 00 00 00 15 00 00 00 5C 00 5C 00|s|00|l|00|a|00|w|00|e|00|k|00|.|00|v|00|r|00|t|00 5C 00|p|00|r|00|i|00|n|00|t|00|e|00|r|00 00 00|"; metadata:policy security-ips drop, service netbios-ssn; classtype:attempted-dos; 15984 SPECIFIC-THREATS Samba Printer Change Notification Request DoS attempt 11678 misc-attack 2004-0882 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:to_server,established; content:"|FF|SMB-|00 00 00 00 08 01 C8 00 00 00 00 00 00 00 00 00 00 00 00 01 00 92|<d|00 07 00 0F FF 00 00 00 00 00|@|00 06 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00|%|04 00 5C 00|t|00|e|00|s|00|t|00 5C 00|A"; metadata:policy security-ips drop, service netbios-ssn; classtype:misc-attack; 15986 SPECIFIC-THREATS Samba unicode filename buffer overflow attempt 36091 attempted-dos 2009-2855 tcp $EXTERNAL_NET any -> $HOME_NET 3128 flow:to_server,established; content:"Cookie|3A| user=va,lue|0A|"; http_header; metadata:policy security-ips drop, service http; classtype:attempted-dos; 15994 SPECIFIC-THREATS Squid strListGetItem denial of service attempt attempted-user 2008-0011 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15995, service http, policy balanced-ips drop, policy security-ips drop; 15995 EXPLOIT malformed avi file mjpeg compression arbitrary code execution attempt www.microsoft.com/technet/security/bulletin/MS08-033.mspx 20971 attempted-admin 2006-5782 tcp $EXTERNAL_NET any -> $HOME_NET 3465 flow:to_server,established; content:"8899|00|test|00|test|00|radcrecv.exe|0A|"; metadata:policy security-ips drop; classtype:attempted-admin; 15998 SPECIFIC-THREATS HP OpenView Client Configuration Manager Radia Notify Daemon code execution attempt 22207 attempted-user 2007-0462 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|00 9A 00 00 00 FF 80|P|00 00 00 00 00 14 00 14 00 02|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16001 SPECIFIC-THREATS Apple QuickDraw PICT images ARGB records handling memory corruption attempt 28468 attempted-user 2008-1705 tcp $EXTERNAL_NET any -> $HOME_NET [1315,2315] flow:to_server,established; content:"|04 00 00 00|nnnn|04 00 00 00|aaaa|D2 07 00 00 14 00 00 00|%n%n%n%n%n%n%n%n%n%n"; metadata:policy security-ips drop; classtype:attempted-user; 16013 SPECIFIC-THREATS IBM solidDB logging function format string exploit attempt attempted-user 2007-1658 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"href=3D|22|c|3A|/windows/system32/winrm?|5C|wmicimv2/Win32_Service?Name=3Dspooler|22|=|0D 0A|>Click=20|0D 0A|here!"; nocase; metadata:policy security-ips drop, service smtp; classtype:attempted-user; 16022 SPECIFIC-THREATS Windows Vista Windows mail file execution attempt www.microsoft.com/technet/security/bulletin/ms07-034.mspx attempted-user 2007-1658 tcp $EXTERNAL_NET [110,143] -> $HOME_NET any flow:to_client,established; content:"href=3D|22|c|3A|/windows/system32/winrm?|5C|wmicimv2/Win32_Service?Name=3Dspooler|22|=|0D 0A|>Click=20|0D 0A|here!"; nocase; metadata:policy security-ips drop; classtype:attempted-user; 16023 SPECIFIC-THREATS Windows Vista Windows mail file execution attempt www.microsoft.com/technet/security/bulletin/ms07-034.mspx 20316 attempted-admin 2006-4511 tcp $EXTERNAL_NET any -> $HOME_NET 8300 flow:established,to_server; content:"POST /login"; depth:11; nocase; content:"tag=NM_A_PARM1&cmd=0&val="; distance:0; fast_pattern; nocase; metadata:policy security-ips drop; classtype:attempted-admin; 16028 SPECIFIC-THREATS Groupwise Messenger parameters invalid memory access 18290 attempted-user 2006-2447 tcp $EXTERNAL_NET any -> $HOME_NET 783 flow:to_server,established; content:"user"; fast_pattern:only; pcre:"/^user\s*\x3a[^\r\n]*[\x3b\x26\x7c]/mi"; metadata:policy security-ips drop; classtype:attempted-user; 16040 EXPLOIT SpamAssassin spamd vpopmail and paranoid options code execution attempt 16764 attempted-dos 2006-0300 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"GNU.sparse.numblocks="; nocase; pcre:"/GNU\x2esparse\x2enumblocks\s*\x3d\s*(0|[6-9]\d{4})/smi"; metadata:policy security-ips drop, service http; classtype:attempted-dos; 16053 WEB-CLIENT GNU tar PAX extended headers handling overflow attempt 17637 attempted-recon 2006-0230 tcp $EXTERNAL_NET any -> $HOME_NET [8004,8005] flow:to_server,established; content:"<key mod=|22|784607708866"; content:"pub=|22|75429754206"; metadata:policy security-ips drop, service http; classtype:attempted-recon; 16056 WEB-MISC Symantec Scan Engine authentication bypass attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".xpm"; fast_pattern; nocase; http_uri; flowbits:set,http.xpm; flowbits:noalert; metadata:service http; classtype:misc-activity; 16061 MISC X PixMap file download 28198 attempted-admin 2008-0727 tcp $EXTERNAL_NET any -> $HOME_NET 1526 flow:established,to_server; content:"sq"; depth:2; pcre:"/^.{8}[^\s]+(\s+[^\s]+){49}/smOR"; metadata:policy security-ips drop; classtype:attempted-admin; 16069 EXPLOIT IBM Informix server argument processing overflow attempt 27352 attempted-user 2008-0006 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"|01|fcp|08 00 00 00 01 00 00 00 0E 00 00 00 A0 02 00 00|"; nocase; metadata:policy security-ips drop; classtype:attempted-user; 16070 SPECIFIC-THREATS X.org PCF parsing buffer overflow attempt 28307 attempted-admin 2008-0047 tcp $EXTERNAL_NET any -> $HOME_NET 631 flow:established,to_server; content:"/?query=.........."; nocase; metadata:policy security-ips drop; classtype:attempted-admin; 16072 SPECIFIC-THREATS CUPS server query metacharacter buffer overflow attempt 10454 attempted-admin 2004-0536 udp $EXTERNAL_NET any -> $HOME_NET 2049 flow:to_server; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 00 00 09|"; within:4; distance:12; content:"|CA BA EB FE CB|F|00 00 02 00 00 00 08 03 00 00 08 03 00 00 CB|F|00 00 AF|H|C3 8E 00 00 00 00 00 00 00 07|asd%nmv"; metadata:policy security-ips drop; classtype:attempted-admin; 16076 SPECIFIC-THREATS Tripwire format string vulnerability nfs exploit attempt 10546 attempted-user 2004-0607 udp $EXTERNAL_NET any -> $HOME_NET 500 flow:to_server; content:"|AA FF|Fk|09 89 01 B9 B2 F4 E2|^Pdx|17 05 10 02 01 00 00 00 00|"; depth:24; metadata:policy security-ips drop; classtype:attempted-user; 16080 SPECIFIC-THREATS KAME racoon X509 certificate verification bypass attempt 12269 misc-attack 2005-0218 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<a href=|22|data|3A|application/octet-stream|3B|base64,WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo=|22|>"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:misc-attack; 16087 SPECIFIC-THREATS Multiple vendor AV gateway virus detection bypass attempt trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; content:"GHOST|0D 0A|"; depth:7; nocase; flowbits:set,BugsPrey_detection; flowbits:noalert; classtype:trojan-activity; 16093 BACKDOOR bugsprey runtime detection - initial connection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ljs.txt"; nocase; http_uri; content:"winssco.exe"; nocase; http_header; pcre:"/User-Agent\x3a[^\r\n]*winssco\x2eexe/iH"; metadata:policy security-ips drop, service http; classtype:trojan-activity; 16098 BACKDOOR win32.cekar variant runtime detection vil.nai.com/vil/content/v_141463.htm trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; content:"v1ct1m"; depth:6; nocase; flowbits:set,LostDoor3_InitConn; flowbits:noalert; classtype:trojan-activity; 16103 BACKDOOR lost door 3.0 runtime detection - init trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; content:"Sin"; depth:3; nocase; pcre:"/^Sin[^\r\n]*\x0D\x0A\d+\x0D\x0A/smi"; flowbits:set,SynRat2.1_initconn; flowbits:noalert; classtype:trojan-activity; 16106 BACKDOOR synrat 2.1 pro runtime detection - init trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 8392 flow:established,to_server; content:"|00 00|O|95 00 00 00 04|echo"; depth:12; metadata:policy security-ips drop; classtype:trojan-activity; 16140 BACKDOOR torpig-mebroot command and control checkin www.f-secure.com/weblog/archives/00001393.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"controller|2E|php|3F|action|3D|"; nocase; http_uri; content:"entity_list|3D|"; nocase; http_uri; content:"rnd|3D|"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop; classtype:trojan-activity; 16144 SPYWARE-PUT Bredolab bot contact to C&C server attempt www.threatexpert.com/report.aspx?md5=b5a530185d35ea8305d3742e2ee5669f attempted-user 2009-0555 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16157, service http, policy balanced-ips drop, policy security-ips drop; 16157 WEB-CLIENT malformed ASF voice codec memory corruption www.microsoft.com/technet/security/Bulletin/MS09-051.mspx attempted-user 2009-2525 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16158, service http, policy balanced-ips drop, policy security-ips drop; 16158 WEB-CLIENT malformed ASF codec memory corruption www.microsoft.com/technet/security/Bulletin/MS09-051.mspx misc-attack 2009-2510 tcp $EXTERNAL_NET 443 -> $HOME_NET any gid:3; classtype:misc-attack; metadata: engine shared, soid 3|16180, service ssl, policy security-ips drop; 16180 WEB-CLIENT Windows CryptoAPI common name spoofing attempt www.microsoft.com/technet/security/Bulletin/MS09-056.mspx attempted-user 2009-2511 tcp $EXTERNAL_NET 443 -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16181, service ssl, policy balanced-ips drop, policy security-ips drop; 16181 WEB-CLIENT Windows CryptoAPI ASN.1 integer overflow attempt www.microsoft.com/technet/security/bulletin/MS09-056.mspx attempted-user 2009-0084 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16187, service http, policy balanced-ips drop, policy security-ips drop; 16187 EXPLOIT DirectShow MJPEG arbitrary code execution attempt www.microsoft.com/technet/security/bulletin/MS09-011.mspx 35672 attempted-admin 2009-1977 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"login.php?"; nocase; http_uri; content:"attempt="; nocase; http_uri; content:"uname="; nocase; http_uri; pcre:"/uname\x3d[^\x26]*[\x3c\x3e]/iU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 16191 ORACLE Oracle Secure Backup Administration server authentication bypass attempt - via GET www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html 35672 attempted-admin 2009-1977 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"login.php"; nocase; http_uri; content:"attempt="; nocase; http_client_body; content:"uname="; nocase; http_client_body; pcre:"/uname\x3d[^\x26]*\x253[CE]/iP"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 16192 ORACLE Oracle Secure Backup Administration server authentication bypass attempt - via POST www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html misc-activity 2008-0457 tcp $EXTERNAL_NET any -> $HOME_NET 8443 flow:to_server,established; content:"|17 03 00 02 01 87 09|k]dg]|86|T|D0 F4|'|EF|+2|CA A3 D3 FA 97 AA|@|14 ED|'|15 D2 9B 06 EA 07 09|}|B8 D2|ai|CD|mtR|F9 8A|"; depth:48; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; classtype:misc-activity; 16196 SPECIFIC-THREATS Symantec Backup Exec System Recovery Manager unauthorized file upload attempt 30013 attempted-dos 2008-2952 tcp $EXTERNAL_NET any -> $HOME_NET 389 flow:to_server,established; content:"|1F 80 80 00 84|aaaa"; depth:9; metadata:policy security-ips drop, service ldap; classtype:attempted-dos; 16197 SPECIFIC-THREATS OpenLDAP ber_get_next BER decoding denial of service attempt 15373 attempted-dos 2005-3351 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:" b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A|"; metadata:policy security-ips drop, service smtp; classtype:attempted-dos; 16199 SPECIFIC-THREATS SpamAssassin long message header denial of service attempt 14888 attempted-user 2005-2968 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"<a href=|22|http|3A|//`echo"; metadata:policy security-ips drop, service smtp; classtype:attempted-user; 16200 SPECIFIC-THREATS Firefox command line URL shell command injection attempt 33668 attempted-user 2008-4562 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"ovlaunch.exe"; nocase; http_uri; content:"host|3A|"; nocase; isdataat:300,relative; pcre:"/^host\x3a\s*[^\r\n]{300}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16204 WEB-CLIENT HP OpenView Network Node Manager ovlaunch host field overflow attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".bmp"; nocase; http_uri; flowbits:set,http.bmp; flowbits:noalert; metadata:policy security-ips alert, service http; classtype:misc-activity; 16205 WEB-MISC bitmap file download request 36015 attempted-dos 2009-2726 tcp $EXTERNAL_NET any -> $HOME_NET 5060 flow:to_server,established; content:"CSeq"; nocase; pcre:"/^\s*\x3a\s*\d{11}/R"; metadata:policy security-ips drop; classtype:attempted-dos; 16210 DOS Digium Asterisk SIP sscanf denial of service attempt 36015 attempted-dos 2009-2726 tcp $EXTERNAL_NET any -> $HOME_NET 5060 flow:to_server,established; content:"Content-Length"; nocase; pcre:"/^\s*\x3a\s*\d{11}/R"; metadata:policy security-ips drop; classtype:attempted-dos; 16211 DOS Digium Asterisk SIP sscanf denial of service attempt 36015 attempted-dos 2009-2726 tcp $EXTERNAL_NET any -> $HOME_NET 5060 flow:to_server,established; content:"rtpmap"; nocase; pcre:"/^\s*\x3a\s*\d{11}/R"; metadata:policy security-ips drop; classtype:attempted-dos; 16212 DOS Digium Asterisk SIP sscanf denial of service attempt 30869 attempted-admin 2008-2928 tcp $EXTERNAL_NET any -> $HOME_NET 9830 flow:to_server,established; content:"Accept-Language"; fast_pattern:only; pcre:"/^Accept-Language\s*\x3a\s*([^\x2c\x2d\n]+[\x2c\x2d]){16}/im"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 16213 EXPLOIT Red Hat Directory Server Accept-Language HTTP header parsing buffer overflow attempt 35812 denial-of-service 2009-2622 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"-100"; fast_pattern:only; content:"HTTP"; offset:0; nocase; pcre:"/^HTTP[^\n]+\x2D100/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:denial-of-service; 16214 DOS Squid Proxy invalid HTTP response code denial of service attempt attempted-user tcp $HOME_NET any -> $EXTERNAL_NET 7777 flow:to_server,established; content:"/sso/jsp/login.jsp?"; nocase; content:"site2pstoretoken"; distance:0; nocase; pcre:"/^GET\s+\x2Fsso\x2Fjsp\x2Flogin\x2Ejsp\x3F[^\s\x0D\x0A]*site2pstoretoken\x3D[^\x26\x0D\x0A]*(\x22|\x2522)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16215 ORACLE Oracle Application Server Portal cross site scripting attempt secunia.com/advisories/33761 34738 attempted-admin 2008-2438 tcp $EXTERNAL_NET any -> $HOME_NET 2954 flow:to_server,established; content:"45 10 10 1073741824 4 aaa"; metadata:policy security-ips drop; classtype:attempted-admin; 16217 SPECIFIC-THREATS HP OpenView Network Node Manager ovalarmsrv opcode 45 integer overflow attempted-user 2009-3678 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.bmp; metadata: engine shared, soid 3|16222, service http, policy balanced-ips drop, policy security-ips drop; 16222 WEB-CLIENT Malformed BMP dimensions arbitrary code execution attempt www.microsoft.com/technet/security/bulletin/MS10-043.mspx attempted-user 2009-2512 tcp $EXTERNAL_NET any -> $HOME_NET [5357,5358] gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16227, policy balanced-ips drop, policy security-ips drop; 16227 WEB-MISC Web Service on Devices API 'WSDAPI' URL processing buffer corruption attempt www.microsoft.com/technet/security/bulletin/MS09-063.mspx attempted-admin 2009-2514 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-admin; flowbits:isset,http.ttf; metadata: engine shared, soid 3|16232, service http, policy security-ips drop; 16232 WEB-CLIENT Windows TrueType font file parsing integer overflow attempt www.microsoft.com/technet/security/bulletin/MS09-065.mspx trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/in.php"; http_uri; content:"url="; http_uri; content:"affid="; http_uri; flowbits:set,systemsecurity2009; flowbits:noalert; classtype:trojan-activity; 16254 BACKDOOR rogue software system security 2009 installtime detection www.ca.com/us/securityadvisor/pest/pest.aspx?id=453154339 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 1503 flow:to_server,established; content:"|00 00 00 00 00 00 00|"; depth:7; offset:1; content:"|AA AA AA AA|"; within:4; distance:4; fast_pattern; flowbits:set,SRat_1.6; flowbits:noalert; classtype:trojan-activity; 16270 BACKDOOR srat 1.6 runtime detection misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".ttf"; nocase; http_uri; flowbits:set,http.ttf; flowbits:noalert; metadata:policy security-ips alert, service http; classtype:misc-activity; 16286 WEB-MISC TrueType font file download request attempted-dos 2009-3676 tcp $EXTERNAL_NET 445 -> $HOME_NET any flow:to_client,established; content:"|00 00 00 9A FE|SMB"; depth:8; isdataat:126,relative; content:"|1E 00| LM `|1C|"; within:8; distance:118; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-dos; 16287 SPECIFIC-THREATS SMB Negotiate Protocol response DoS attempt www.microsoft.com/technet/security/bulletin/MS10-020.mspx trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server; content:"/l1/ms32clod.dll"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 16289 BACKDOOR Clob bot traffic www.threatexpert.com/report.aspx?md5=1474e6d74aa29127c5d6df716650d724 14998 attempted-user 2005-3142 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"MSCF"; byte_test:2,&,0x0003,26,relative,little; byte_test:2,!&,0x0004,26,relative,little; pcre:"/^.{32}([^\x00]*\x00)?[^\x00]{256}/sR"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16295 WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields 14998 attempted-user 2005-3142 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|0D 0A 0D 0A|MSCF"; byte_test:2,&,0x0003,26,relative,little; byte_test:2,&,0x0004,26,relative,little; byte_jump:2,32,relative,little; pcre:"/^.{2}([^\x00]*\x00)?[^\x00]{256}/sR"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16296 WEB-CLIENT Kaspersky antivirus library heap buffer overflow - with optional fields 13120 attempted-user 2005-0553 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"createComment"; pcre:"/(\w+)\s*=\s*\w+\.createComment\(((\x22\x22|\x27\x27)|([A-z]\w*))\)\s*\;.*?\w+\.(insertBefore|insertAfter|appendChild)\(\1\)\;|\w\.(insertBefore|insertAfter|appendChild)\(\w+\.createComment\(((\x22\x22|\x27\x27)|([A-z]\w*))\)/s"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16300 WEB-CLIENT HTML DOM invalid DHTML comment creation attempt 10861 www.microsoft.com/technet/security/bulletin/ms05-020.mspx 37085 attempted-user 2009-4054 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"getElement"; nocase; content:"outerHTML"; nocase; content:"overflow"; fast_pattern; nocase; pcre:"/([^\s]+)\s*=\s*document\.getElement\w+\s*\x28\s*([\x22\x27])STYLE\2.*\1\.outerHTML/si"; pcre:"/\x7b[^\x7d]*(overflow[^\x7d]*margin\s*\x3a\s*0\s*\x3b|margin\s*\x3a\s*0\s*\x3b[^\x7d]*overflow)/si"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16310 WEB-CLIENT IE 6/7 outerHTML invalid reference arbitrary code execution attempt www.microsoft.com/technet/security/bulletin/MS09-072.mspx 37085 attempted-user 2009-4054 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"document.getElementsByTagName|28|'STYLE'|29|[0].outerHTML"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16311 WEB-CLIENT IE 6/7 single line outerHTML invalid reference arbitrary code execution attempt www.microsoft.com/technet/security/bulletin/MS09-072.mspx 34671 attempted-admin 2009-1429 tcp $EXTERNAL_NET any -> $HOME_NET 12174 flow:to_server,established; content:"|00 00 00 00|"; depth:4; byte_test:5,>,0,0,relative,dec,string; pcre:"/^\x00{4}[\x30-\x39]+\x00[\x09\x20-\x7E]+\x00/"; metadata:policy security-ips drop; classtype:attempted-admin; 16332 EXPLOIT Symantec System Center Alert Management System arbitrary command execution attempt 37167 attempted-user 2009-3608 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"Type/ObjStm"; nocase; pcre:"/Type\x2FObjStm[^>]*?\x2FN\s+\d{7}/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16335 WEB-CLIENT xpdf ObjectStream integer overflow 33258 attempted-dos 2009-0173 tcp $EXTERNAL_NET any -> $HOME_NET 50000 flow:to_server,established; content:"|24 14|"; byte_test:1,=,0xd0,-8,relative; byte_test:1,&,4,-7,relative; byte_test:1,!&,3,-7,relative; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-dos; 16341 EXPLOIT IBM DB2 Database Server invalid data stream denial of service attempt misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:misc-activity; flowbits:isset,http.pdf; metadata: engine shared, soid 3|16343, service http, policy security-ips drop, policy balanced-ips drop; 16343 WEB-CLIENT obfuscated header in PDF www.adobe.com/devnet/acrobat/pdfs/PDF32000_2008.pdf 36588 attempted-user 2009-3691 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"[Setnet32]"; fast_pattern; nocase; content:"HostSize="; distance:0; byte_test:4,>,296,0,relative,dec,string; pcre:"/HostList=([^\r\n\x3B]{,296}\x3B)*[^\r\n\x3B]{297}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16345 WEB-CLIENT IBM Informix Client SDK NFX file HostList processing stack buffer overflow attempt 36588 attempted-user 2009-3691 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"[Setnet32]"; fast_pattern; nocase; content:"ServerSize="; distance:0; byte_test:4,>,293,0,relative,dec,string; pcre:"/InformixServerList=([^\r\n\x3B]{,293}\x3B)*[^\r\n\x3B]{294}/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16346 WEB-CLIENT IBM Informix Client SDK NFX file InformixServerList processing stack buffer overflow attempt 36465 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"OggS"; content:"|82|theora"; distance:0; byte_test:1,!&,0xE0,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16353 WEB-CLIENT FFmpeg OGV file format memory corruption attempt secunia.com/advisories/36805 36703 attempted-user 2009-3604 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.pdf; content:"/Subtype"; content:"/Image"; within:20; content:"/FlateDecode"; pcre:"/\x3C{2}(?=[^\x3E]*\x2F(Height|Width)\s*\d{6})(?=[^\x3E]*\x2FFlateDecode)[^\x3E]*\x2FSubtype\s*\x2FImage/"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16355 WEB-CLIENT Xpdf Splash DrawImage integer overflow attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/evil/services/bid_register.php?BID="; nocase; http_uri; pcre:"/\x2Fevil\x2Fservices\x2Fbid_register\x2Ephp\x3FBID\x3D[A-Za-z]{6}\x26IP\x3D\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x26cipher\x3D[A-Za-z]{9}/smiU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 16362 SPECIFIC-THREATS SpyForms malware call home attempt threatexpert.com/report.aspx?md5=acf30e13cbcf7eafc8475e976f7af3ec trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/nbok01/"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 16365 SPECIFIC-THREATS Trojan OnlineGames download atttempt www.threatexpert.com/report.aspx?md5=6f489b3bd2ccbbf4ff8ad0c744f7be34 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 443 flow:to_server,established; content:"|FF FF FF FF FF FF 00 00 FE FF FF FF FF FF FF FF FF FF 88 FF|"; depth:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; classtype:trojan-activity; 16368 BOTNET-CNC Hydraq/Aurora connection to C&C server attempt www.virustotal.com/analisis/9051f618a5a8253a003167e65ce1311fa91a8b70d438a384be48b02e73ba855c-1263878624 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 389 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|16375, service ldap, policy security-ips drop; 16375 EXPLOIT LDAP object parameter name buffer overflow attempt 30935 attempted-dos 2008-3697 tcp $EXTERNAL_NET any -> $HOME_NET 8222 flow:to_server,established; content:"POST"; depth:4; nocase; content:".pl"; nocase; pcre:"/^content-length\s*\x3A/mi"; byte_test:10,>,49152,0,relative,string; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-dos; 16384 DOS VMware Server ISAPI Extension remote denial of service attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server; content:"user_id="; nocase; http_uri; content:"version_id="; nocase; http_uri; content:"passphrase="; http_uri; content:"socks="; nocase; http_uri; content:"version="; nocase; http_uri; content:"crc="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 16391 BOTNET-CNC Gozi Trojan connection to C&C attempt www.virustotal.com/de/analisis/02e2428657cc20c9206b92474157e59e64d348b47d69dd320cb5e909e9150b99-1264446753 attempted-user 2010-0027 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16414, service http, policy balanced-ips drop, policy security-ips drop; 16414 WEB-CLIENT Windows Shell Handler remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-007.mspx attempted-user 2010-0028 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.jpeg; metadata: engine shared, soid 3|16422, service http, policy security-ips drop; 16422 EXPLOIT JPEG with malformed SOFx field www.microsoft.com/technet/security/bulletin/MS10-005 attempted-user 2010-0555 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16423, service http, policy balanced-ips drop, policy security-ips drop; 16423 WEB-CLIENT IE7/8 execute local file in Internet zone redirect attempt www.microsoft.com/technet/security/advisory/980088.mspx 37926 attempted-admin 2010-0073 tcp $EXTERNAL_NET any -> $HOME_NET 5556 flow:established,to_server; content:"EXECSCRIPT"; nocase; pcre:"/^EXECSCRIPT\s+\.\.[\x2F\x5C]\.\./smi"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 16438 ORACLE WebLogic Server Node Manager arbitrary command execution attempt www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0073.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"User-Agent|3A| _TEST_"; http_header; metadata:impact_flag red, policy security-ips drop, service http; classtype:trojan-activity; 16439 BOTNET-CNC Possible Zeus User-Agent - _TEST_ en.wikipedia.org/wiki/Zeus_(trojan_horse) trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"User-Agent|3A| ie|0D 0A|"; http_header; metadata:impact_flag red, policy security-ips drop, service http; classtype:trojan-activity; 16440 BOTNET-CNC Possible Zeus User-Agent - ie en.wikipedia.org/wiki/Zeus_(trojan_horse) trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"User-Agent|3A| Download|0D 0A|"; http_header; metadata:impact_flag red, policy security-ips drop, service http; classtype:trojan-activity; 16441 BOTNET-CNC Possible Zeus User-Agent - Download en.wikipedia.org/wiki/Zeus_(trojan_horse) attempted-admin 2008-1661 tcp $EXTERNAL_NET any -> $HOME_NET 1100 flow:to_server,established; content:"|00 02 00 01|'0"; depth:6; content:"|1E 00 00 00 01 00 01 00 00 01 F4|AAAAAAAAA"; within:20; distance:45; metadata:policy security-ips drop; classtype:attempted-admin; 16444 SPECIFIC-THREATS HP StorageWorks storage mirroring double take service code execution attempt h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01362558 28901 attempted-dos 2008-1897 udp $EXTERNAL_NET any -> $HOME_NET 4569 flow:to_server; content:"|80 EB 00 00 00 00 00 0A 00 00 06 04|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-dos; 16445 SPECIFIC-THREATS Digium Asterisk IAX2 ack response denial of service attempt downloads.digium.com/pub/security/AST-2008-006.html attempted-user 2010-0483 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"vbscript"; nocase; content:".hlp"; nocase; content:"|5C|"; pcre:"/\\\\[^\x20\x0a\x0d]*\.hlp/smi"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16452 WEB-CLIENT IE .hlp samba share download attempt attempted-dos 2009-3676 tcp $EXTERNAL_NET 445 -> $HOME_NET any flow:to_client,established; dsize:4; content:"|00 00 00 9A|"; depth:4; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-dos; 16454 SPECIFIC-THREATS SMB Negotiate Protocol response DoS attempt - empty SMB 2 www.microsoft.com/technet/security/bulletin/MS10-020.mspx trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"Ryeol HTTP Client Class"; nocase; http_header; content:"jaiku.com"; nocase; http_header; pcre:"/^User\x2DAgent\x3A\s+Ryeol\s+HTTP\s+Client\s+Class/smiH"; pcre:"/^Host\x3A\s+.*jaiku\x2Ecom/smiH"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 16459 BOTNET-CNC Trojan command and control communication attempt www.threatexpert.com/report.aspx?md5=9a546564bf213ff866f48848f0f14027 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"&c_ms="; nocase; http_uri; content:"&c_hi="; http_uri; content:"&c_fb="; http_uri; content:"&c_tg="; http_uri; metadata:impact_flag red, policy security-ips drop, service http; classtype:trojan-activity; 16483 BOTNET-CNC Koobface worm submission of collected data to C&C server attempt threatexpert.com/report.aspx?md5=18395e9476bde417692f3a7ab807ac44 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"GET"; http_method; content:"/cap/?a=get&i="; nocase; http_uri; pcre:"/\d+&/miR"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 16484 BOTNET-CNC Koobface contact to C&C server attempt threatexpert.com/report.aspx?md5=efbc47d5e8f3ed68a13968cda586d68d trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"GET"; http_method; content:"/cap/temp/"; nocase; http_uri; pcre:"/^\x2Fcap\x2Ftemp\x2F[A-Za-z0-9]+\x2Ejpg/miU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 16485 BOTNET-CNC Koobface request for captcha attempt threatexpert.com/report.aspx?md5=efbc47d5e8f3ed68a13968cda586d68d trojan-activity 2010-0103 tcp $EXTERNAL_NET any -> $HOME_NET 7777 flow:to_server,established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; classtype:trojan-activity; 16486 SPECIFIC-THREATS Arucer backdoor traffic - command execution attempt www.virustotal.com/analisis/1c7f6f75617dd69a68d60224277a17f0720e7d68e4d321b7ae246f9c7dd2cfcf-1268074309 trojan-activity 2010-0103 tcp $EXTERNAL_NET any -> $HOME_NET 7777 flow:to_server,established; content:"|C2 E5 E5 E5 9E A0 D7 A4 A6 D0 D5 DD DC C8 D6 DD D7 D5 C8 D1 D6 83 80 C8 DD A4 D1 A1 C8 A4 D2 D5 D7 DD A3 A4 A1 DD A6 D7 DD 98 E5|"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:trojan-activity; 16487 SPECIFIC-THREATS Arucer backdoor traffic - yes command attempt www.virustotal.com/analisis/1c7f6f75617dd69a68d60224277a17f0720e7d68e4d321b7ae246f9c7dd2cfcf-1268074309 trojan-activity 2010-0103 tcp $EXTERNAL_NET any -> $HOME_NET 7777 flow:to_server,established; content:"|C2 E5 E5 E5 9E DC DD A1 DC D0 DD A3 A6 C8 A1 D5 A4 D7 C8 D1 83 D4 86 C8 A7 DD D1 D4 C8 D7 D6 D7 A4 A7 D6 D0 D2 A0 D2 A6 DD 98 E5|"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:trojan-activity; 16488 SPECIFIC-THREATS Arucer backdoor traffic - write file attempt www.virustotal.com/analisis/1c7f6f75617dd69a68d60224277a17f0720e7d68e4d321b7ae246f9c7dd2cfcf-1268074309 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"&wr="; http_uri; content:"/reg?"; http_uri; pcre:"/\x26tv\x3d\d\.\d\.\d{4}\.\d{4}/smiU"; pcre:"/u=[\dA-Fa-f]{8}/smiU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 16489 SPYWARE-PUT Bobax botnet contact to C&C server attempt threatexpert.com/report.aspx?md5=89f6a4c3973f54c2bee9f50f62428278 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"TT-Bot"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*TT-Bot/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 16493 SPYWARE-PUT TT-bot botnet contact to C&C server attempt anubis.iseclab.org/index.php?action=result&format=html&task_id=1494581651ca480640538ead93feabed2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"spm/page.php?"; http_uri; content:"id="; nocase; http_uri; content:"tick="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"smtp="; nocase; http_uri; content:"task="; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 16494 SPYWARE-PUT Cutwail spambot server communication attempt threatexpert.com/report.aspx?md5=0ecab7ac6e393be442cd834f9573622b trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"spm/s_alive.php?"; http_uri; content:"id="; nocase; http_uri; content:"tick="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"smtp="; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 16495 SPYWARE-PUT Rustock botnet contact to C&C server attempt threatexpert.com/report.aspx?md5=2a375d5f8ee2fe851f9b6407ae0d00e0 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/update"; nocase; http_uri; content:"Mozilla/4.75"; fast_pattern; nocase; http_header; pcre:"/\x2Fupdate\w\x2Ephp\x3Fp\x3D\d+.*User\x2DAgent\x3A\s+Mozilla\x2F4\x2E75\s\x5Ben\x5D\s\x28X11\x3B\sU\x3B\sLinux\s2\x2E2\x2E16\x2D3\si686\x29/smiH"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 16496 SPYWARE-PUT Trojan hacktool attempt to contact server www.threatexpert.com/report.aspx?md5=f602982724b3562b80f435f0d87c6a5f trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"|0A|User-Agent|3A| Tear Application"; fast_pattern; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 16497 SPYWARE-PUT Tear Application downloader attempt to contact server www.threatexpert.com/report.aspx?md5=48f1270338bc233839ffefa7e5eefde7 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/files"; nocase; http_uri; content:"|29|.|28|t|29|"; fast_pattern; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop; classtype:trojan-activity; 16498 SPYWARE-PUT PC Antispyware 2010 FakeAV download/update attempt www.threatexpert.com/report.aspx?md5=37fa737aab25dd0d90cd0821538fae15 attempted-user 2008-3974 tcp $EXTERNAL_NET any -> $HOME_NET 1000: flow:to_server,established; content:"sys.olapimpl_t.odcitablestart|28|"; nocase; pcre:"/sys\x2eolapimpl\x5ft\x2eodcitablestart\x28[^\x2c]+\x2c[^\x2c]+\x2c\x27?[^\x2c\x27]{303}/i"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 16516 ORACLE Database sys.olapimpl_t package odcitablestart overflow attempt 33555 attempted-user 2009-0184 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"application/x-bittorrent"; nocase; http_header; content:"7|3A|comment"; nocase; byte_test:6,>,100000,0,relative,dec,string; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16517 WEB-CLIENT Free Download Manager .torrent parsing comment overflow attempt 33555 attempted-user 2009-0184 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"application/x-bittorrent"; nocase; http_header; content:"8|3A|announce"; nocase; byte_test:6,>,100000,0,relative,dec,string; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16518 WEB-CLIENT Free Download Manager .torrent parsing announce overflow attempt 33555 attempted-user 2009-0184 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"application/x-bittorrent"; nocase; http_header; content:"4|3A|name"; nocase; byte_test:6,>,10000,0,relative,dec,string; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16519 WEB-CLIENT Free Download Manager .torrent parsing name overflow attempt 33555 attempted-user 2009-0184 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"application/x-bittorrent"; nocase; http_header; content:"4|3A|pathl"; nocase; byte_test:6,>,10000,0,relative,dec,string; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16520 WEB-CLIENT Free Download Manager .torrent parsing path overflow attempt 33604 attempted-user 2009-0478 tcp $EXTERNAL_NET any -> $HOME_NET 3128 flow:to_server,established; content:" http/"; nocase; pcre:"/^[^\s]+\s+[^\s]+\s+http\x2f(\d+\x2e)?\d{10}/i"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16521 WEB-CLIENT Squid Proxy http version number overflow attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 7382 flow:to_server,established; content:"JOIN |23|siwa"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; classtype:trojan-activity; 16526 BOTNET-CNC VanBot IRC communication attempt owned-nets.blogspot.com/2009/05/italianswiifatecihnocombaadshah-from.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/dofyru.bmp"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 16527 BOTNET-CNC Zbot malware config file download request www.threatexpert.com/report.aspx?md5=4cc069b84270be48bd84b7068dc3bf1a trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/reklam/config"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 16528 BOTNET-CNC Zbot malware config file download request www.threatexpert.com/report.aspx?md5=2a2419d34c7990297d9a2f7413a9af2a misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".pjpeg"; nocase; http_uri; flowbits:set,http.jpeg; flowbits:noalert; metadata:service http; classtype:misc-activity; 16529 WEB-MISC JPEG file download attempt attempted-user 2010-0487 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16530, service http, policy balanced-ips drop, policy security-ips drop; 16530 WEB-CLIENT CAB SIP authenticode alteration attempt www.microsoft.com/technet/security/bulletin/MS10-019.mspx trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"malware"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*malware/miH"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 16551 SPYWARE-PUT Malware contact to server attempt www.virustotal.com/analisis/c55e2acfed1996ddbd17ddd4cba57530dd34c207be9f9b327fa3fdbb10cdaa7c-1270750352 34134 attempted-user 2009-0921 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/OVCgi/Toolbar.exe"; nocase; http_uri; content:"Cookie|3A|"; http_header; content:"OvAcceptLang="; http_header; pcre:"/^Cookie\x3a\s*[^\n]*OvAcceptLang\x3d[^\x3b\n]{300}/smH"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16555 WEB-MISC HP Openview Network Node Manager OvAcceptLang overflow attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/s/im.php"; nocase; http_uri; flowbits:set,lmageshack.request; flowbits:noalert; metadata:service http; classtype:misc-activity; 16556 SPECIFIC-THREATS 2imaegshack/lmageshack IM worm get request attempt anubis.iseclab.org/?action=result&task_id=1d4d78a7507bb63143d45d2a5898fe3bf&format=html trojan-activity tcp $EXTERNAL_NET [4244,10369] -> $HOME_NET any flow:to_client,established; content:"get5.lost|0D 0A|"; metadata:policy security-ips drop; classtype:trojan-activity; 16558 SPECIFIC-THREATS SdBot IRC Trojan server to client communication attempt anubis.iseclab.org/?action=result&task_id=1418ebbc56c0b5a34c11afd1af2ba9881&format=html 21206 attempted-user 2006-6063 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<ASX VERSION=|22|3|22|>"; nocase; content:"<Entry>"; distance:0; nocase; content:"<ref href=|22|file|3A|//"; distance:0; nocase; pcre:"/^\S{501}/R"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16582 WEB-CLIENT Un4seen Developments XMPlay crafted ASX file buffer overflow attempt 21206 attempted-user 2006-6063 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<ASX VERSION=|22|3|22|>"; nocase; content:"<Entry>"; distance:0; nocase; content:"<ref href=|22|file|3A|//"; distance:0; nocase; pcre:"/^\S{501}/R"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16583 WEB-CLIENT Un4seen Developments XMPlay crafted ASX file buffer overflow attempt attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"<=2035"; fast_pattern:only; content:"window.location="; content:"'.html'|3B|"; within:30; nocase; content:"classid=|22|"; distance:0; nocase; content:".dll|23|"; within:100; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16598 SPECIFIC-THREATS Green Dam URL handling overflow attempt secunia.com/advisories/35435 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server, established; content:"Google Bot"; nocase; http_header; pcre:"/^User\x2DAgent\x3A\s*Google\sBot/smiH"; metadata:policy security-ips drop, service http; classtype:trojan-activity; 16600 BACKDOOR Otlard Trojan activity www.threatexpert.com/report.aspx?md5=19354eda9db43a501b7172489d67d454 37261 attempted-user 2009-4179 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/OVCgi/ovalarm.exe"; nocase; http_uri; content:"OVABverbose="; nocase; http_uri; pcre:"/^(true|on)/iR"; pcre:"/(Cookie\s*\x3A\s*[^\n]*OvAcceptLang\s*\x3D\s*[^\x3B\n]{69}|Accept-Language\s*\x3A\s*[^\n]{69})/iH"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16604 WEB-MISC HP OpenView Network Node Manager ovalarm.exe Accept-Language buffer overflow attempt 34461 attempted-user 2009-1016 tcp $EXTERNAL_NET any -> $HOME_NET 443 flow:to_server,established; isdataat:100; content:"|16 03|"; depth:2; content:"|0B|"; within:1; distance:3; byte_test:2,>,3072,-3,relative; byte_test:3,>,3072,3,relative; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 16606 ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt misc-attack 2009-0217 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:misc-attack; metadata: engine shared, soid 3|16636, policy security-ips drop; 16636 MISC .NET framework XMLDsig data tampering attempt www.microsoft.com/technet/security/bulletin/MS10-041.mspx attempted-dos 2010-1264 tcp $EXTERNAL_NET any -> $HOME_NET 80 gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|16660, service http, policy security-ips drop; 16660 DOS SharePoint Server 2007 help.aspx denial of service attempt www.microsoft.com/technet/security/bulletin/MS10-039.mspx attempted-user 2010-1879 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.avi; metadata: engine shared, soid 3|16661, service http, policy balanced-ips drop, policy security-ips drop; 16661 EXPLOIT quartz.dll MJPEG content processing memory corruption attempt www.microsoft.com/technet/security/bulletin/MS10-033.mspx trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"|2E|php|3F|guid|3D|"; nocase; http_uri; content:"ccrc|3D|"; fast_pattern; nocase; http_uri; content:"ver|3D|"; nocase; http_uri; content:"stat|3D|"; nocase; http_uri; content:"cpu|3D|"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 16669 SPYWARE-PUT Spyeye bot contact to C&C server attempt www.threatexpert.com/report.aspx?md5=84714c100d2dfc88629531f6456b8276 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"|2E|sys|2F 3F|getexe|3D|"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 16670 SPYWARE-PUT Koobface worm executable download attempt www.virustotal.com/analisis/c55e2acfed1996ddbd17ddd4cba57530dd34c207be9f9b327fa3fdbb10cdaa7c-1270750352 8375 attempted-dos 2003-0727 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"Authorization|3A|"; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s[^\n]{512}/smi"; metadata:policy security-ips drop, service http; classtype:attempted-dos; 16681 WEB-MISC Basic Authorization string overflow attempt misc-attack 2009-2445 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:".jsp"; nocase; http_uri; content:"|3A 3A 24|DATA"; distance:0; nocase; metadata:policy security-ips drop, service http; classtype:misc-attack; 16682 WEB-MISC Sun ONE Web Server JSP source code disclosure attempt 34803 attempted-admin 2008-4828 tcp $EXTERNAL_NET any -> $HOME_NET 1584 flow:to_server,established; content:"|08 A5 00 01|"; depth:4; offset:2; pcre:"/^.{2}\x08\xa5\x00\x01.{14}(([^\x00]|\x00[\x81-\xFF])|.{4}([^\x00]|\x00[\x81-\xFF]))/s"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 16685 EXPLOIT IBM Tivoli Storage Manager Client dsmagent.exe NodeName length buffer overflow attempt www-01.ibm.com/support/docview.wss?uid=swg21384389 34001 misc-attack 2009-0855 tcp $EXTERNAL_NET any -> $HOME_NET 9060 flow:to_server, established; content:"/ibm/console/"; content:"script"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-attack; 16686 WEB-CLIENT IBM WebSphere application server cross site scripting attempt web-application-attack 2010-0475 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established, to_server; content:"/esp/editUser.esp"; fast_pattern; nocase; http_uri; content:"role="; nocase; http_uri; pcre:"/[\x3f\x26]role=[^\x26]*?[^\x26a-z0-9\x5b\x5d\x2d]/Usmi"; metadata:policy security-ips drop, service http; classtype:web-application-attack; 16689 WEB-CLIENT Palo Alto Networks Firewall editUser.esp XSS attempt osvdb.org/show/osvdb/64717 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:".plf"; nocase; http_uri; flowbits:set,http.plf; flowbits:noalert; metadata:service http; classtype:misc-activity; 16691 WEB-CLIENT PLF playlist file download request 35732 attempted-dos 2009-2534 tcp $EXTERNAL_NET any -> $HOME_NET 554 flow:to_server,established; content:"SETUP"; depth:5; nocase; pcre:"/^\s+(rtsp\x3a\x2f{2}|\x2f+)\s+/iR"; metadata:policy security-ips drop, service rtsp; classtype:attempted-dos; 16694 DOS RealNetworks Helix Server RTSP SETUP request denial of service attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"|2F 3F|b|3D|1s1"; fast_pattern; nocase; http_uri; content:"Mozilla"; nocase; http_header; pcre:"/^User\x2DAgent\x3A\s*Mozilla\x0d?$/smiH"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:trojan-activity; 16695 SPYWARE-PUT Rogue AV download/update atttempt www.virustotal.com/analisis/2063df10f553afa6b1257e576fbf88cf98093ec1ae15c079e947994a96fbfadd-1274312088 21657 attempted-user 2006-6665 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"|3C|DeepBurner_record"; nocase; content:"|3C|data_cd"; distance:0; nocase; content:"|3C|file"; distance:0; nocase; pcre:"/^\s*[^\x3E]*path\s*=\s*(\x22[^\x22]{272}|\x27[^\x27]{272}|[^\s\x3E]{272})/iR"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16696 WEB-CLIENT Astonsoft Deepburner dbr file name buffer overflow attempt osvdb.org/show/osvdb/32356 35731 attempted-dos 2009-2533 tcp $EXTERNAL_NET any -> $HOME_NET 554 flow:to_server,established; content:"SET_PARAMETER"; depth:13; content:"DataConvertBuffer"; distance:0; nocase; pcre:!"/^Content-Length\s*\x3A\s*[1-9]/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service rtsp; classtype:attempted-dos; 16709 DOS RealNetworks Helix Server RTSP SET_PARAMETERS empty DataConvertBuffer header denial of service attempt 35673 attempted-user 2009-1975 tcp $EXTERNAL_NET any -> $HOME_NET 7001 flow:to_server,established; content:"|2F|consolehelp|2F|console-help|2E|portal"; nocase; content:"searchQuery|3D|"; distance:0; nocase; pcre:"/^[^\x26\s]*(\x3e|\x253e)/iR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16710 EXPLOIT Oracle BEA Weblogic server console-help.portal cross-site scripting attempt 35681 attempted-user 2009-1968 tcp $EXTERNAL_NET any -> $HOME_NET 7777 flow:to_server,established; content:"search|2F|query|2F|search"; nocase; content:"search_p_groups|3D|"; distance:0; nocase; pcre:"/^[^\x26\s]*(\x3e|\x253e)/iR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16717 ORACLE Oracle Secure Enterprise Search search_p_groups cross-site scripting attempt 24330 attempted-user 2007-2864 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"MSCF"; within:4; byte_test:2,=,1,24,relative,little; byte_jump:4,12,relative,post_offset -20,little; pcre:"/^.{16}[^\x00]{256}/sR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16719 WEB-CLIENT CA multiple product AV engine CAB header parsing stack overflow attempt 31813 attempted-user 2008-4654 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"|F5 46 7A BD 00 00 00 02 00 02 00 00|"; within:12; byte_test:4,>,32,8,relative,big; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16720 WEB-CLIENT VideoLAN VLC Media Player TY processing buffer overflow attempt 38436 attempted-user 2010-0688 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"OrbitalFileV1.0|0D 0A|"; within:17; pcre:"/^[^\h\x00]{512}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16721 WEB-CLIENT Orbital Viewer .orb stack buffer overflow attempt attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"ActiveXObject|28 27|APWebGrabber.Object|27 29 3B|"; fast_pattern:only; nocase; content:"unescape|28 27 25|u"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16725 SPECIFIC-THREATS ActivePDF WebGrabber APWebGrb.ocx GetStatus method overflow attempt osvdb.org/show/osvdb/64579 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"Mjik"; within:4; pcre:"/^[^\s\x00]{512}/R"; metadata:policy security-ips drop, service http; classtype:attempted-user; 16726 WEB-CLIENT gAlan malformed file stack overflow attempt osvdb.org/60897 attempted-user 2009-4265 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"|0D 0A|[Group,Export,Yes]|0D 0A|"; within:22; content:"Computer="; distance:0; pcre:"/^[^\s\x00]{512}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16727 WEB-CLIENT IDEAL Administration IPJ file handling stack overflow attempt osvdb.org/show/osvdb/60681 attempted-user 2009-3214 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"Photodex|28|R|29| ProShow|28|TM|29| Show File Version"; within:41; content:"cell[0].images[0].image="; distance:0; isdataat:512,relative; content:!"|0A|"; within:512; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16730 WEB-CLIENT ProShow Gold PSH file handling overflow attempt osvdb.org/show/osvdb/57226 attempted-user 2009-3214 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"ProShow Gold - Built-In Content/Backgrounds/Abstract_02.jpgAAAAAAAAAAAAAAA"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16731 SPECIFIC-THREATS ProShow Gold PSH file handling overflow attempt osvdb.org/show/osvdb/57226 attempted-user 2009-3861 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|5B|HKEY_LOCAL_MACHINE|5C|SOFTWARE|5C|IRE|5C|SafeNet|2F|Soft-PK|5C|ACL|5C|GROUPDEFS|5C|_SafeNet_Default_Group|5D|"; content:"|22|GROUPNAME|22 3D 22|"; distance:0; isdataat:256,relative; content:!"|22|"; within:256; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16732 WEB-CLIENT SafeNet SoftRemote multiple policy file local overflow attempt osvdb.org/show/osvdb/59724 attempted-user 2009-1260 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"[CloneCD]"; within:9; content:"INDEX 1="; distance:0; isdataat:256,relative; content:!"|0A|"; within:256; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16733 WEB-CLIENT UltraISO CCD file handling overflow attempt osvdb.org/show/osvdb/53275 24140 attempted-user 2007-2888 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"FILE |22|"; within:6; isdataat:512,relative; content:!"|22|"; within:512; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16734 WEB-CLIENT UltraISO CUE file handling stack buffer overflow attempt 12352 attempted-user 2005-0308 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|D4 30 00 00 00 00 00 00 00 00 00 00 E0 30 00 00 F0 30 00 00 F8 30 00 00 00 31 00 00 00 00 00 00 78 02|"; isdataat:256,relative; content:!"|00|"; within:256; metadata:policy security-ips drop, service http; classtype:attempted-user; 16735 SPECIFIC-THREATS URSoft W32Dasm Import/Export function buffer overflow attempt 38815 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"|34 87 01 00 00 00 00 00 25 5C 1F 85|"; within:12; pcre:"/^[^\x0a\x3d]{512}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16736 WEB-CLIENT VariCAD multiple products DWB file handling overflow attempt osvdb.org/show/osvdb/63067 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"AAAAAAAA|EB 06 90 90 4B 3F 01 11 90 90 90 90|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16738 SPECIFIC-THREATS Xenorate Media Player XPL file handling overflow attempt - 2 osvdb.org/show/osvdb/57162 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:".rdp"; nocase; http_uri; flowbits:set,http.rdp; flowbits:noalert; metadata:service http; classtype:misc-activity; 16742 WEB-MISC remote desktop configuration file download request 35273 attempted-user 2009-2011 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<dxstudio"; fast_pattern:only; nocase; content:"<?xml"; content:"shell.execute"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16744 WEB-CLIENT DX Studio Player plug-in command injection attempt 35500 attempted-user 2009-2484 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset, http.m3u.download; content:"smb|3A 2F 2F|"; pcre:"/smb\x3A\x2F\x2F[^\s\x0D\x0A\x3C]{251}/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16751 WEB-CLIENT VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt 35500 attempted-user 2009-2484 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,xspf_file.request; content:"smb|3A 2F 2F|"; pcre:"/smb\x3A\x2F\x2F[^\s\x0A\x0D\x3C]{251}/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16752 WEB-CLIENT VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt 35500 attempted-user 2009-2484 tcp $HOME_NET any -> $EXTERNAL_NET 8080 flow:to_server,established; content:"GET"; nocase; http_method; content:"|2F|requests|2F|status.xml"; nocase; http_uri; content:"smb"; http_uri; pcre:"/^GET\s+.*\x2Frequests\x2Fstatus.xml\x3F.*smb\x3A\x2F\x2F[^\s\x0A\x0D]{251}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16753 WEB-CLIENT VideoLAN VLC Media Player SMB module Win32AddConnection buffer overflow attempt 33177 attempted-dos 2008-5441 tcp $EXTERNAL_NET any -> $HOME_NET 10000 flow:to_server,established; content:"|00 00 00 00 00 00 09 00|"; depth:8; offset:12; content:!"|00 00 00 00|"; within:4; distance:4; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-dos; 16777 ORACLE Secure Backup NDMP packet handling DoS attempt 33177 attempted-dos 2008-5441 tcp $EXTERNAL_NET any -> $HOME_NET 10000 flow:to_server,established; content:"|00 00 00 00 00 00 09 02|"; depth:8; offset:12; content:!"|00 00 00 00|"; within:4; distance:4; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-dos; 16778 ORACLE Secure Backup NDMP packet handling DoS attempt attempted-user 2009-4850 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; file_data; content:"clsid|3A|17A54E7D-A9D4-11D8-9552-00E04CB09903"; content:"|3C|param name|3D 22|SceneURL|22| value|3D 22|http|3A 2F 2F|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 16785 SPECIFIC-THREATS AwingSoft Winds3D Player SceneURL method command execution attempt 39895 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET [5800,5900:5999] flow:to_server,established; flowbits:isset,vnc.traffic; content:"|06 00 00 00|"; depth:4; byte_test:1,&,0x80,0,relative; metadata:policy security-ips drop; classtype:attempted-admin; 16788 EXPLOIT RealVNC VNC Server ClientCutText message memory corruption attempt attempted-user 2009-0187 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"classid|3D 27|clsid|3A|3F1D494B-0CEF-4468-96C9-386E2E4DEC90|27|"; content:"String|28 27|http|3A 2F 2F|"; distance:0; content:!"|27|"; within:255; metadata:policy security-ips drop, service http; classtype:attempted-user; 16798 SPECIFIC-THREATS Orbit Downloader long URL buffer overflow attempt attempted-user 2009-1135 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17041, service http, policy balanced-ips drop, policy security-ips drop; 17041 WEB-MISC ISA Server OTP-based Forms-authorization fallback policy bypass attempt www.microsoft.com/technet/security/bulletin/MS09-031.mspx 34671 attempted-admin 2009-1429 tcp $EXTERNAL_NET any -> $HOME_NET 12174 flow:to_server,established; content:"|00 00 00 00|"; depth:4; content:"cmd /c"; fast_pattern:only; nocase; metadata:policy security-ips drop; classtype:attempted-admin; 17048 EXPLOIT Symantec Multiple Products Intel Common Base Agent CreateProcessA Function remote command execution attempt 41596 attempted-admin 2010-0907 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"login.php"; nocase; http_uri; content:"attempt"; nocase; http_client_body; content:"uname="; nocase; http_client_body; pcre:"/uname\x3D[^\x26\x2D\s]*?\x2D/iP"; metadata:policy security-ips drop, service http; classtype:attempted-admin; 17049 WEB-MISC Oracle Secure Backup Administration Server authentication bypass attempt via POST 41596 attempted-admin 2010-0907 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"login.php"; nocase; http_uri; content:"attempt"; nocase; http_uri; content:"uname="; nocase; http_uri; pcre:"/uname\x3D[^\x26\x2D\s]*?\x2D/iU"; metadata:policy security-ips drop, service http; classtype:attempted-admin; 17050 WEB-MISC Oracle Secure Backup Administration Server authentication bypass attempt 34461 attempted-dos 2009-0991 tcp $EXTERNAL_NET any -> $HOME_NET 1521 flow:to_server,established; content:"|00 00 02 D4 20 08 FF 03 01 00 12|44444"; content:"|BC C3 CC 07 00 00 00 00|"; distance:0; content:"|00 00 00 00 00 00 00 00 89 C0 B1 C3 08 1D|"; within:14; distance:4; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-dos; 17055 SPECIFIC-THREATS Oracle Database DBMS TNS Listener denial of service attempt www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html 33630 attempted-user 2009-0546 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"|3C|opml"; nocase; content:"|3C|outline"; distance:0; nocase; pcre:"/[^\x3E]*?text\s*\x3D\s*(\x27[^\x27]{500}|\x22[^\x22]{500}|\S{500})/iR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17104 WEB-CLIENT FeedDemon OPML file handling buffer overflow attempt 33630 attempted-user 2009-0546 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"|3C 00|o|00|p|00|m|00|l|00|"; nocase; content:"|3C 00|o|00|u|00|t|00|l|00|i|00|n|00|e|00|"; distance:0; nocase; pcre:"/[^\x3E]*?t\x00e\x00x\x00t\x00(\s\x00)*\x3D\x00(\s\x00)*(\x27\x00(?!(..){0,500}\x27\x00)|\x22\x00(?!(..){0,500}\x22\x00)|(?!(..){0,500}\s\x00))/isOR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17105 WEB-CLIENT FeedDemon unicode OPML file handling buffer overflow attempt 39077 misc-activity 2010-0842 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; file_data; content:"IREZ"; within:4; content:"MThd"; distance:0; metadata:policy security-ips drop, service http; classtype:misc-activity; 17106 WEB-MISC download of RMF file - potentially malicious misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".asx"; nocase; http_uri; flowbits:set,http.asx; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:misc-activity; 17116 WEB-CLIENT asx file download request attempted-user 2010-1901 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17120, service http, policy balanced-ips drop, policy security-ips drop; 17120 WEB-CLIENT rich text format unexpected field type memory corruption attempt 1 www.microsoft.com/technet/security/bulletin/ms10-056.mspx attempted-user 2010-1901 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17121, service http, policy balanced-ips drop, policy security-ips drop; 17121 WEB-CLIENT rich text format unexpected field type memory corruption attempt 2 www.microsoft.com/technet/security/bulletin/ms10-056.mspx attempted-user 2010-1901 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17122, service http, policy balanced-ips drop, policy security-ips drop; 17122 WEB-CLIENT rich text format unexpected field type memory corruption attempt 3 www.microsoft.com/technet/security/bulletin/ms10-056.mspx attempted-user 2010-1902 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17123, service http, policy balanced-ips drop, policy security-ips drop; 17123 WEB-CLIENT rich text format invalid field size memory corruption attempt www.microsoft.com/technet/security/bulletin/ms10-056.mspx attempted-user 2010-2553 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.avi; metadata: engine shared, soid 3|17128, service http, policy balanced-ips drop, policy security-ips drop; 17128 EXPLOIT Cinepak Codec VIDC decompression remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-055.mspx attempted-user 2010-2557 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17130, service http, policy balanced-ips drop, policy security-ips drop; 17130 WEB-CLIENT IE boundElements arbitrary code execution www.microsoft.com/technet/security/bulletin/ms10-053.mspx attempted-user 2010-2559 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17131, service http, policy balanced-ips drop, policy security-ips drop; 17131 WEB-CLIENT IE8 parent style rendering arbitrary code execution www.microsoft.com/technet/security/bulletin/ms10-053.mspx 40298 misc-attack tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/imc/report/DownloadReportSource"; nocase; http_uri; content:"fileName"; http_uri; pcre:"/fileName=.*?\x2E\x2E(\x2F|\x5C)/sI"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-attack; 17137 WEB-MISC HP Intelligent Management Center information disclosure attempt secunia.com/advisories/39891 41327 attempted-admin 2010-2221 tcp $EXTERNAL_NET any -> $HOME_NET [1024:] flow:to_server,established; content:"|00 01 00 08|"; depth:4; content:"|00 00 00 20|"; within:4; distance:8; byte_test:4,>,1008,0,relative,big; byte_test:2,>,1024,4,big; metadata:policy security-ips drop; classtype:attempted-admin; 17138 EXPLOIT iSCSI target multiple implementations iSNS stack buffer overflow attempt 41959 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 38292 flow:to_server,established; content:"|FF FF FF FF|"; depth:4; content:"PRGX"; within:4; distance:26; fast_pattern; metadata:policy security-ips drop; classtype:attempted-admin; 17139 EXPLOIT Symantec Alert Management System HNDLRSVC arbitrary command execution attempt osvdb.org/show/osvdb/66807 40428 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.avi; file_data; content:"|50 4B 03 04|"; within:4; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17148 WEB-CLIENT VideoLAN VLC renamed zip file handling code execution attempt - 1 40428 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.mp3; file_data; content:"|50 4B 03 04|"; within:4; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17149 WEB-CLIENT VideoLAN VLC renamed zip file handling code execution attempt - 2 40428 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.mp4; file_data; content:"|50 4B 03 04|"; within:4; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17150 WEB-CLIENT VideoLAN VLC renamed zip file handling code execution attempt - 3 40298 attempted-user tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/imc/reportscript/sqlserver/deploypara.properties"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17157 WEB-MISC HP Intelligent Management Center database credentials information disclosure attempt - 1 secunia.com/advisories/39891 40298 attempted-user tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/rpt/reportscript/sqlserver/deploypara.properties"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17158 WEB-MISC HP Intelligent Management Center database credentials information disclosure attempt - 2 secunia.com/advisories/39891 40298 attempted-user tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/imc/reportscript/oracle/deploypara.properties"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17159 WEB-MISC HP Intelligent Management Center database credentials information disclosure attempt - 3 secunia.com/advisories/39891 38084 attempted-admin 2010-0557 tcp $EXTERNAL_NET any -> $HOME_NET 19300 flow:to_server,established; content:"Authorization"; offset:0; nocase; content:"Basic"; within:50; nocase; content:"Y3hzZGs6a2RzeGM="; within:100; fast_pattern; nocase; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 17207 EXPLOIT IBM Cognos Server backdoor account remote code execution attempt 38212 attempted-dos 2010-0639 udp $EXTERNAL_NET any -> $HOME_NET 4827 flow:to_server; byte_test:1,!&,3,6; byte_test:1,&,4,6; byte_test:1,!&,8,6; content:"|00 03|GET"; depth:7; offset:14; nocase; content:!"|3A 2F 2F|"; within:30; distance:2; metadata:policy security-ips drop; classtype:attempted-dos; 17208 EXPLOIT Squid Proxy HTCP packet processing denial of service attempt 14784 attempted-user 2005-2871 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"HREF=http://&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD&#xAD"; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17219 SPECIFIC-THREATS Firefox domain name handling buffer overflow attempt 14784 attempted-user 2005-2871 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"HREF=https|3A AD AD AD AD AD AD AD AD AD AD AD AD AD|"; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17220 SPECIFIC-THREATS Firefox domain name handling buffer overflow attempt 14784 attempted-user 2005-2871 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"HREF=https|3A|--------------------"; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17221 SPECIFIC-THREATS Firefox domain name handling buffer overflow attempt 14784 attempted-user 2005-2871 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|22|http|3A 2F 2F 22 20 2B 0A|"; nocase; content:"|22|%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD%AD|22|"; within:100; metadata:policy security-ips drop, service http; classtype:attempted-user; 17222 SPECIFIC-THREATS Firefox domain name handling buffer overflow attempt attempted-dos 2008-2631 tcp $EXTERNAL_NET any -> $HOME_NET 3000 flow:established,to_server; content:"ComposeUser=Anyinvaliduser"; depth:26; offset:150; nocase; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-dos; 17225 SPECIFIC-THREATS Alt-N MDaemon WorldClient invalid user misc-activity tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any flow:to_client,established; file_data; content:"II|2A 00|"; within:4; flowbits:set,http.tiff.little; flowbits:noalert; metadata:service http; classtype:misc-activity; 17229 WEB-CLIENT Tiff file download - little-endian misc-activity tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any flow:to_client,established; file_data; content:"MM|00 2A|"; within:4; flowbits:set,http.tiff.big; flowbits:noalert; metadata:service http; classtype:misc-activity; 17230 WEB-CLIENT Tiff file download - big-endian trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"SendEmail|2E|iq"; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 17234 SPECIFIC-THREATS VBMania mass mailing worm activity www.virustotal.com/file-scan/report.html?id=fedb7b404754cf85737fb7e50f33324b84eb4c0b98024c7d3302039a901b04b7-1284133892 trojan-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|53 00 65 00 6E 00 64 00 45 00 6D 00 61 00 69 00 6C 00 2E 00 64 00 6C 00 6C 00 00 00|"; content:"|2E 00 69 00 71 00 00 00|"; distance:0; content:"|2E 00 69 00 71 00 00 00|"; distance:0; content:"|2E 00 69 00 71 00 00 00|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 17235 SPECIFIC-THREATS VBMania mass mailing worm download attempt www.virustotal.com/file-scan/report.html?id=fedb7b404754cf85737fb7e50f33324b84eb4c0b98024c7d3302039a901b04b7-1284133892 37685 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.xbm; file_data; content:"|23|define"; content:"|5F|width"; distance:0; pcre:"/\x23define\s*(?=[\S]{57})\S*\x5Fwidth/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17238 WEB-CLIENT ACD Systems ACDSee Products XBM file handling buffer overflow attempt osvdb.org/show/osvdb/63643 attempted-user 2005-2720 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"|2A 2A 41 43 45 2A 2A|"; within:7; distance:7; content:"|01 80 1C 00 00 00 BE 02 00 00 C5 5A 08 33 20 00 00 00 80 98 92 84 02 03 0A 00 54 45 07 02|"; distance:0; metadata:policy security-ips drop, service http; classtype:attempted-user; 17244 SPECIFIC-THREATS Antivirus ACE file handling buffer overflow attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:".mov"; nocase; http_uri; flowbits:set,http.quicktime; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:misc-activity; 17259 WEB-CLIENT .mov file request 38115 attempted-admin 2010-0866 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"@DECLARE PERMS"; nocase; content:"java.io.filepermission"; distance:0; nocase; content:"execute"; within:27; nocase; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 17264 ORACLE Permission declaration exploit attempt 12793 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"|13 00 00 00 46 53 43 1B 5B 32 50 4F 43 1B 5B 30 3B 35 39 2E 74 78 74 0B F0 66 66 E1 62 00 01 A3|"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17266 SPECIFIC-THREATS Multiple vendor malformed ZIP archive Antivirus detection bypass attempt lists.grok.org.uk/pipermail/full-disclosure/2005-March/032530.html 12793 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"|73 74 07 1B 5B 32 4A 1B 5B 32 3B 35 6D 1B 5B 31 3B 33 31 6D 48 41 43 4B 45 52 20 41 54 54 41 43|"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17267 SPECIFIC-THREATS Multiple vendor malformed ZIP archive Antivirus detection bypass attempt lists.grok.org.uk/pipermail/full-disclosure/2005-March/032530.html 14757 attempted-dos tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; file_data; content:"Content-Disposition|3A 20|attachment"; content:"|55 45 73 44 42 41 6F 41 41 41 41 41 41 44 57 43|"; distance:0; content:"|42 55 41 54 43 30 33 4C 6E 70 70 63 46 56 55 43|"; distance:0; content:"|44 33 54 49 6E 51 39 30 79 4A 30 4E 56 65 41 51|"; distance:0; metadata:policy security-ips drop, service smtp; classtype:attempted-dos; 17275 SPECIFIC-THREATS Symantec Brightmail AntiSpam nested Zip handling denial of service attempt ftp.symantec.com/public/english_us_canada/products/sba/sba_60x/updates/release_notes_p157.txt 15291 attempted-user 2005-1939 tcp $EXTERNAL_NET any -> $HOME_NET 8022 flow:to_server,established; content:"|2E 2E 2F 2E 2E 2F 2E 2E 2F|"; depth:100; pcre:"/^(GET|POST)\h+[^\n]*?\x2E\x2E\x2F\x2E\x2E\x2F\x2E\x2E\x2F[^\n]*?HTTP/i"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17279 WEB-MISC Ipswitch Whatsup Small Business directory traversal attempt 15291 attempted-user 2005-1939 tcp $EXTERNAL_NET any -> $HOME_NET 8022 flow:to_server,established; content:"|2E 2E 5C 2E 2E 5C 2E 2E 5C|"; depth:100; pcre:"/^(GET|POST)\h+[^\n]*?\x2E\x2E\x5C\x2E\x2E\x5C\x2E\x2E\x5C[^\n]*?HTTP/i"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17280 WEB-MISC Ipswitch Whatsup Small Business directory traversal attempt attempted-user 2005-3922 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"|40 29 23 28 00 00 83 08 24 48 B0 A0 C1 83 08 13 2A 5C C8 B0 A1 C3 87 10 23 4A 9C 48 B1 A2 C5 8B|"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17281 SPECIFIC-THREATS Panda Antivirus ZOO archive decompression buffer overflow attempt attempted-user 2006-4335 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"|1F A0 AB CD FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; rawbytes; metadata:policy security-ips drop, service http; classtype:attempted-user; 17289 SPECIFIC-THREATS GNU gzip LZH decompression make_table overflow attempt secunia.com/advisories/21996/ 20588 attempted-user 2006-5340 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:established,to_server; content:"sdo_lrs.convert_to_lrs_layer"; nocase; pcre:"/^\s*\x28\s*\x27[^\x27]*\x27\s*[^\x2c\x29]/R"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 17293 ORACLE sdo_lrs.convert_to_lrs_layer buffer overflow attempt 23558 attempted-admin 2007-2137 tcp $EXTERNAL_NET any -> $HOME_NET [1918,6014,10110,14206,18302] flow:to_server,established; dsize:>1002; metadata:policy security-ips drop; classtype:attempted-admin; 17298 MISC IBM Tivoli Monitoring Express Universal Agent Buffer Overflow 23738 attempted-dos 2007-2241 udp $EXTERNAL_NET any -> $DNS_SERVERS 53 content:"|03 77 77 77 04 74 65 73 74 03 63 6F 6D 00 00 2E 00 01|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service dns; classtype:attempted-dos; 17299 SPECIFIC-THREATS ISC BIND RRSIG query denial of service attempt attempted-user 2008-0318 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"|4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00|"; content:"|00 00 2E 70 65 74 69 74 65 00 00 D0 0D 00 00 30 FF FF A3 D1|"; within:20; distance:288; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17305 SPECIFIC-THREATS ClamAV libclamav PE file handling integer overflow attempt 17246 attempted-admin 2006-1705 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server, established; content:"CREATE VIEW"; nocase; content:"FROM"; distance:0; nocase; content:"sys.te6sttable t1, sys.testtable t2"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 17313 ORACLE database server crafted view privelege escalation attempt misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; flowbits:set,http.ole; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert, service http; classtype:misc-activity; 17314 WEB-CLIENT OLE Document file download shellcode-detect ip $EXTERNAL_NET any -> $HOME_NET any content:"|D9 E1 D9 34 24|"; content:"|E7 31 C9 66 81 E9|"; distance:6; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; 17335 SHELLCODE x86 OS agnostic fnstenv geteip byte xor decoder shellcode-detect ip $EXTERNAL_NET any -> $HOME_NET any content:"|EB 10|"; content:"|31 C9 66 81 E9|"; distance:1; content:"|E2 FA EB 05 E8 EB FF FF FF|"; distance:5; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; 17336 SHELLCODE x86 OS agnostic call geteip byte xor decoder shellcode-detect ip $EXTERNAL_NET any -> $HOME_NET any content:"|8B 6C 24 24 8B 45 3C 8B 7C 05 78 01 EF 8B 4F 18 8B 5F 20 01 EB 49 8B 34 8B|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; 17337 SHELLCODE x86 Win32 export table enumeration variant shellcode-detect ip $EXTERNAL_NET any -> $HOME_NET any content:"|6A|"; content:"|6B 3C 24 0B 60 03 0C 24 6A|"; distance:1; content:"03 0c 24 6a 04"; distance:1; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; 17341 SHELLCODE x86 OS agnostic alpha UTF8 tolower avoidance decoder shellcode-detect ip $EXTERNAL_NET any -> $HOME_NET any content:"j|00|X|00|A|00|Q|00|A|00|D|00|A|00|Z|00|A|00|B|00|A|00|R|00|A|00|L|00|A|00|Y|00|A|00|I|00|A|00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; 17342 SHELLCODE x86 OS agnostic unicode mixed case decoder shellcode-detect ip $EXTERNAL_NET any -> $HOME_NET any content:"Q|00|A|00|T|00|A|00|X|00|A|00|Z|00|A|00|P|00|U|00|3|00|Q|00|A|00|D|00|A|00|Z|00|A|00|B|00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; 17343 SHELLCODE x86 OS agnostic unicode upper case decoder 14164 string-detect 2005-2175 tcp $EXTERNAL_NET 110 -> $HOME_NET any flow:from_server,established; content:"<SCRIPT>|0D 0A|alert|28 22|"; nocase; metadata:policy security-ips drop; classtype:string-detect; 17346 SPECIFIC-THREATS IBM Lotus Notes Cross Site Scripting attempt 14319 attempted-user 2005-2372 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"f90servlet?form="; nocase; http_uri; pcre:"/form=[cde]\x3a(\x5C|\x2F)/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17350 ORACLE Application Server Forms Arbitrary System Command Execution Attempt protocol-command-decode tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".xbm"; nocase; http_uri; flowbits:set,http.xbm; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; 17359 WEB-CLIENT xbm image file download request attempted-user 2007-0197 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.dmg; content:"|00 00 00 00 4C 41 42 4C|"; byte_test:2,>,254,12,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17363 WEB-CLIENT Apple computer finder DMG volume name memory corruption 14977 protocol-command-decode 2005-2917 tcp $EXTERNAL_NET any -> $HOME_NET 3128 flow:to_server,established; content:"Proxy-Authorization: NTLM"; flowbits:set,ntlm_authentication; flowbits:noalert; classtype:protocol-command-decode; 17370 WEB-MISC Squid authentication headers handling denial of service attempt 14977 attempted-dos 2005-2917 tcp $EXTERNAL_NET any -> $HOME_NET 3128 flow:to_server,established; flowbits:isset,ntlm_authentication; content:"Proxy-Authorization: "; content:!"NTLM"; within:4; metadata:policy security-ips drop; classtype:attempted-dos; 17371 WEB-MISC Squid authentication headers handling denial of service attempt attempted-user 2008-1965 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"cai|3A|"; nocase; content:"-launcher"; distance:0; nocase; pcre:"/\x3c[^\x3e]+(\x22|\x27)?cai\x3a[^\x3e]*(\x22|\x2522)[^\x3e\x22]*-launcher/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17376 WEB-MISC IBM Lotus Expeditor cai URI handler command execution attempt www-01.ibm.com/support/docview.wss?uid=swg21303813 protocol-command-decode tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:".png"; nocase; http_uri; flowbits:set,http.png; flowbits:noalert; classtype:protocol-command-decode; 17380 WEB-CLIENT PNG file download request 32555 attempted-dos 2008-5314 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; file_data; content:"|FF D8 FF|"; content:"|FF ED|"; content:"8BIM"; within:4; distance:16; nocase; pcre:"/\xff\xed.{16}8BIM\x04(\x09|\x0c)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-dos; 17390 DOS ClamAV Antivirus Function Denial of Service attempt protocol-command-decode tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:".gif"; nocase; http_uri; flowbits:set,http.gif; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:protocol-command-decode; 17394 WEB-CLIENT GIF file download request protocol-command-decode tcp $HOME_NET any -> $EXTERNAL_NET [5800,5900:5999] flow:established,to_server; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; flowbits:set,vnc.auth; flowbits:noalert; classtype:protocol-command-decode; 17396 EXPLOIT VNC client authentication response 33568 attempted-user 2009-0388 tcp $EXTERNAL_NET [5800,5900:5999] -> $HOME_NET any flow:established,to_client; flowbits:isset,vnc.auth; content:"|00 00 00|"; depth:3; content:"|7F FF FF FF|"; within:4; distance:1; pcre:"/^\x00{3}[\x00\x01]\x7f\xff{3}/m"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 17397 EXPLOIT VNCViewer Authenticate buffer overflow attempt attempted-user 2006-4138 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".hlp"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17407 WEB-CLIENT Windows help file download request 14935 denial-of-service tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"ORDSYS.ORD"; nocase; pcre:"/(Image|Doc)/iR"; pcre:"/(Set|Check)\x10Properties/iR"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:denial-of-service; 17416 ORACLE Database Intermedia Denial of Service Attempt 14935 denial-of-service tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"TO_BLOB(HEXTORAW"; nocase; pcre:"/^\s*\x28\s*\x27[^\x27]*0{4,6}\s*\x27\s*\x29\s*/R"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:denial-of-service; 17417 ORACLE Database Intermedia Denial of Service Attempt attempted-user tcp $HOME_NET $ORACLE_PORTS -> $EXTERNAL_NET any flow:to_server, established; content:"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME="; fast_pattern:only; flowbits:set,oracle.connect; flowbits:noalert; classtype:attempted-user; 17418 ORACLE Oracle connection established 13379 attempted-user 2004-1077 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"|3C|AppData|3E|"; nocase; content:"|3C|AppInStartmenu|20|value|3D 22|True|22|"; distance:0; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17420 WEB-MISC Citrix Program Neighborhood Agent Arbitrary Shortcut Creation attempt 35758 attempted-user 2009-2469 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"p.type=|27|xxx|27|"; nocase; content:"__defineSetter__|28|"; distance:0; nocase; metadata:policy security-ips drop, service http; classtype:attempted-user; 17422 SPECIFIC-THREATS Firefox defineSetter function pointer memory corruption attempt 13373 attempted-user 2004-1078 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"|3C|AppData|3E|"; nocase; content:"|3C|InName|3E|"; pcre:"/InName\x3E[^\x3C]{100}/i"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17423 WEB-MISC Citrix Program Neighborhood Agent Buffer Overflow attempt protocol-command-decode tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:".rat"; nocase; http_uri; flowbits:set,http.rat; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:protocol-command-decode; 17426 WEB-CLIENT RAT file download request 13509 attempted-user 2005-1496 tcp $EXTERNAL_NET any -> $SQL_SERVERS any flow:to_server, established; content:"DBMS_SCHEDULER.RUN_JOB"; nocase; content:"|28 27|somejobdefinitiong|27 29 3B 20|END|3B 0A|"; fast_pattern:only; nocase; metadata:policy security-ips drop; classtype:attempted-user; 17427 SPECIFIC-THREATS Oracle database DBMS_Scheduler privilege escalation attempt 32396 attempted-user 2008-5409 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.pdf; file_data; content:"|25 50 44 46 2D 31 2E 33 0A 25 E2 E3 CF D3 0A 33|"; within:16; content:"|3C 3C 2F 46 69 6C 74 65 72 20 5B 2F 46 6C 61 74 65 44 65 63 6F 64 65 20 2F 41 53 43 49 49 48 65 78 44 65 63 6F 64 65 5D|"; within:40; distance:8; content:"|78 9C ED C2 31 0D 00 00 00 02 A0 4C 6E F6 CF 66 0D 0F 06 4D 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 30 4B 03 6A 32|"; within:45; distance:22; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17430 SPECIFIC-THREATS BitDefender Antivirus PDF processing memory corruption attempt 12276 attempted-dos 2005-0094 tcp $EXTERNAL_NET 70 -> $HOME_NET any flow:to_client,established; content:"|30 41 73 09 30 2F 61 61 61 61 61 61 61 61 61 61 61 61 61 61|"; metadata:policy security-ips drop; classtype:attempted-dos; 17432 WEB-MISC Squid Gopher protocol handling buffer overflow attempt 26424 attempted-user 2005-4734 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"IISWebAgent"; nocase; http_uri; content:"Redirect"; nocase; http_uri; content:"url|3D|"; nocase; http_uri; pcre:"/IISWebAgent[^\r\n]*\x2edll\x3F[^\r\n]*?url\x3d[^\r\n]{257}/Ui"; metadata:policy security-ips drop, service http; classtype:attempted-user; 17440 WEB-MISC RSA authentication agent for web redirect buffer overflow attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".lnk"; nocase; http_uri; flowbits:set,http.lnk; flowbits:noalert; classtype:misc-activity; 17441 WEB-MISC .lnk file download attempt 34235 attempted-user 2009-1169 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<xsl|3A|key name=|22|poc|22| match=|22|nodeB|22| use=|22|does_not_exist|28 29 22|/>"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17444 SPECIFIC-THREATS Firefox 3 xsl parsing heap overflow attempt www.mozilla.org/security/announce/2009/mfsa2009-12.html misc-activity 2008-0457 tcp $EXTERNAL_NET any -> $HOME_NET 8443 flow:to_server,established; content:"|17 03 00 02 01 87 09 6B 5D 64 67 5D 86 54 D0 F4 27 EF 2B 32 CA A3 D3 FA 97 AA 40 14 ED 27 15 D2 9B 06 EA 07 09 7D B8 D2 61 69 CD 6D 74 52 F9 8A|"; depth:48; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; classtype:misc-activity; 17445 SPECIFIC-THREATS Symantec Backup Exec System Recovery Manager unauthorized file upload attempt seer.entsupport.symantec.com/docs/297171.htm misc-activity tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any flow:from_server,established; content:"407"; http_stat_code; flowbits:set,http.stat_code_407; flowbits:noalert; classtype:misc-activity; 17447 WEB-MISC 407 Proxy Authentication Required 16407 attempted-user 2006-0468 tcp $EXTERNAL_NET any -> $HOME_NET 389 flow:to_server,established; content:"|80|"; content:"|FF FF FF FF|"; within:8; distance:1; pcre:"/\x80(\x84|\x85\x00|\x86\x00\x00|\x87\x00\x00\x00)\xFF\xFF\xFF\xFF/smi"; metadata:policy security-ips drop, service ldap; classtype:attempted-user; 17450 WEB-MISC CommuniGate Systems CommuniGate Pro LDAP Server buffer overflow attempt www.gleg.net/cg_advisory.txt attempted-user 2009-0850 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|1F 8B 08 08 E3 43 C1 49 00 03 3C 68 31 3E 20 69 64 3D 22 68 65 61 64 65 72 22 20 6F 6E 6D 6F 75 73 65 6D 6F 76 65 3D 22 61 6C 65 72 74 28 27 41 73 73 75 72 65 6E 74 20 53 65 63 75 72 65 20 54|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17458 WEB-CLIENT BitDefender Internet Security script code execution attempt attempted-user 2009-0850 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"|52 61 72 21 1A 07 00 CF 90|"; within:9; content:"|3C 68 31 3E 20 69 64 3D 22 68 65 61 64 65 72 22 20 6F 6E 6D 6F 75 73 65 6D 6F 76 65 3D 22 61 6C 65 72 74 28 27 41 73 73 75 72 65 6E 74 20 53 65 63 75 72 65 20 54|"; within:54; distance:43; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17459 WEB-CLIENT BitDefender Internet Security script code execution attempt attempted-user 2009-0850 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"PK|03 04 0A|"; within:5; content:"|3C 68 31 3E 20 69 64 3D 22 68 65 61 64 65 72 22 20 6F 6E 6D 6F 75 73 65 6D 6F 76 65 3D 22 61 6C 65 72 74 28 27 41 73 73 75 72 65 6E 74 20 53 65 63 75 72 65 20 54|"; within:54; distance:25; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17460 WEB-CLIENT BitDefender Internet Security script code execution attempt 31473 attempted-user 2008-3827 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:".RMF"; within:4; content:"|14 76 69 64 65 6F 2F 78 2D 70 6E 2D 72 65 61 6C 76 69 64 65 6F 00 00 00 1A 59 49 59 55 56 49 44 4F 52 56 32 30 00 01 00 01 00 1E 59 49 59 55 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17469 SPECIFIC-THREATS Mplayer Real Demuxer stream_read heap overflow attempt 13236 misc-attack 2005-1197 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:established,to_server; content:"DBMS_CDC_SUBSCRIBE.EXTEND_WINDOW(|27 27 27 7C 7C|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop; classtype:misc-attack; 17473 ORACLE DBMS_CDC_SUBSCRIBE.EXTEND_WINDOW arbitrary command execution attempt 13236 misc-attack 2005-1197 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:established,to_server; content:"DBMS_CDC_SUBSCRIBE.CREATE_SUBSCRIPTION(|27 27 27 7C 7C|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop; classtype:misc-attack; 17474 ORACLE DBMS_CDC_SUBSCRIBE.CREATE_SUBSCRIPTION arbitrary command execution attempt 13236 misc-attack 2005-1197 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:established,to_server; content:"DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION(|27 27 27 7C 7C|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop; classtype:misc-attack; 17475 ORACLE DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION arbitrary command execution attempt 13236 misc-attack 2005-1197 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:established,to_server; content:"DBMS_CDC_SUBSCRIBE.PURGE_WINDOW(|27 27 27 7C 7C|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop; classtype:misc-attack; 17476 ORACLE DBMS_CDC_SUBSCRIBE.PURGE_WINDOW arbitrary command execution attempt 13236 misc-attack 2005-1197 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:established,to_server; content:"DBMS_CDC_SUBSCRIBE.DROP_SUBSCRIPTION(|27 27 27 7C 7C|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop; classtype:misc-attack; 17477 ORACLE DBMS_CDC_SUBSCRIBE.DROP_SUBSCRIPTION arbitrary command execution attempt 13236 misc-attack 2005-1197 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:established,to_server; content:"DBMS_CDC_SUBSCRIBE.SUBSCRIBE(|27 27 27 7C 7C|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop; classtype:misc-attack; 17478 ORACLE DBMS_CDC_SUBSCRIBE.SUBSCRIBE arbitrary command execution attempt 13236 misc-attack 2005-1197 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:established,to_server; content:"DBMS_CDC_ISUBSCRIBE.SUBSCRIBE(|27 27 27 7C 7C|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop; classtype:misc-attack; 17479 ORACLE DBMS_CDC_ISUBSCRIBE.SUBSCRIBE arbitrary command execution attempt 13236 misc-attack 2005-1197 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:established,to_server; content:"DBMS_CDC_ISUBSCRIBE.CREATE_SUBSCRIPTION(|27 27 27 7C 7C|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop; classtype:misc-attack; 17480 ORACLE DBMS_CDC_ISUBSCRIBE.CREATE_SUBSCRIPTION arbitrary command execution attempt 15865 attempted-admin 2005-1929 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; isdataat:1420; content:"isaNVWRequest.dll"; nocase; http_uri; content:"Transfer-Encoding|3A|"; nocase; http_header; content:"chunked"; nocase; http_header; metadata:policy security-ips drop, service http; classtype:attempted-admin; 17486 WEB-MISC Trend Micro Control Manager Chunked overflow attempt 19381 attempted-user 2006-4018 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:established,to_server; content:"|34 66 75 67 34 41 74 41 6E 4E 49 62 67 42 54 4D 30 68 56 47|"; content:"|67 68 44 41 6B 43 43 50 51 6F 47 53 35 51 76 6A 52 6F 4B 33|"; metadata:policy security-ips drop, service smtp; classtype:attempted-user; 17493 SPECIFIC-THREATS ClamAV UPX FileHandling Heap overflow attempt 35232 attempted-user 2009-1122 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|6F 76 00 00 19 FE 6D 6F 6F 76 00 00 19 F6 6D 6F|"; content:"|6F 76 00 00 19 CE 6D 6F 6F 76 00 00 19 C6 6D 6F|"; offset:32; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 17527 SPECIFIC-THREATS VideoLAN VLC Media Player MP4_BoxDumpStructure Buffer Overflow 36384 attempted-admin 2009-2629 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"GET |2F 25|23|2E 2E|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; 17528 SPECIFIC-THREATS nginx URI parsing buffer overflow attempt attempted-admin 2007-2881 tcp $EXTERNAL_NET any -> $HOME_NET 1024: flow:to_server, established; content:"|FF FE 32 00 36 00 37 00 00 00|"; depth:72; content:"|20 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 00 00 20 00|"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 17530 SPECIFIC-THREATS HP OpenView Storage Data Protector Stack Buffer Overflow protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 631 flow:established,to_server; content:"Content-Type|3A|"; nocase; content:"application/ipp"; distance:1; nocase; flowbits:set,ipp.application; flowbits:noalert; classtype:protocol-command-decode; 17534 MISC IPP Application Content 31690 attempted-user 2008-3640 tcp $EXTERNAL_NET any -> $HOME_NET 631 flow:established,to_server; flowbits:isset,ipp.application; content:"printer-uri"; nocase; content:"ipp://"; within:6; distance:2; pcre:"/(((c|l)pi\x00.{1}(-\d|0)\x21)|(columns\x00.{1}(-\d|0)\x21)|(page-(right|left|top|bottom)\x00.{1}(-\d|0|((3-9)\d{5}|24\d{4}|236\d{3}|23593\d{1}|23592(2-9))\x21)))/is"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 17535 MISC Apple CUPS Text to PostScript Filter Integer Overflow attempt 33554 attempted-user 2009-0183 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"Authorization|3A 20|Basic"; nocase; isdataat:1332,relative; content:!"|0D 0A 0D 0A|"; within:1332; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17536 WEB-MISC Free Download Manager Remote Control Server HTTP Auth Header buffer overflow attempt protocol-command-decode tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:".lzh"; nocase; http_uri; flowbits:set,http.lzh; flowbits:noalert; classtype:protocol-command-decode; 17540 WEB-CLIENT LZH file download 19903 attempted-admin 2006-4626 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.lzh; content:"|19 4C 2D 6C 68 30 2D 53 0C 00 00 2C 00 00 00 28 94 28 35 20|"; depth:20; metadata:policy security-ips drop, service http; classtype:attempted-admin; 17541 SPECIFIC-THREATS Avast! Antivirus Engine Remote LHA buffer overflow attempt 37985 attempted-dos 2010-0304 udp $EXTERNAL_NET any -> $HOME_NET 921 content:"|00 00 01 5D 00 00 00 00 4B 49 1C 52 00 01 00 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-dos; 17544 SPECIFIC-THREATS Wireshark LWRES Dissector getaddrsbyname buffer overflow attempt 27403 attempted-dos 2008-0387 tcp $EXTERNAL_NET any -> $HOME_NET 3050 flow:established,to_server; content:"|00 00 00 18 00 00 61 61 00 00 61 61|"; depth:12; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-dos; 17556 SPECIFIC-THREATS Firebird database invalid state memory corruption 28544 attempted-user 2008-1373 tcp $EXTERNAL_NET any -> $HOME_NET 631 flow:to_server,established; content:"GIF89a"; content:"|3A 00 0B 00 00 0D 2C 00 FF|"; within:1024; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 17558 SPECIFIC-THREATS CUPS Gif Decoding Routine Buffer Overflow attempt 28454 attempted-admin 2007-5405 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; content:"Content-Transfer-Encoding|3A 20|quoted-printable|0D 0A|"; nocase; content:"Content-Disposition|3A 20|attachment"; distance:0; nocase; content:"|2A|BEGIN GRAPHICS VERSION"; within:23; distance:25; nocase; pcre:"/VERSION\x3d3D\d{3}[^\r\n]*\r\n/i"; content:"ENCODING"; within:8; nocase; pcre:"/^\x3d3D7BIT[^\r\n]{20}/Ri"; metadata:policy security-ips drop, service smtp; classtype:attempted-admin; 17559 SPECIFIC-THREATS IBM Lotus Notes Applix Graphics Parsing Buffer Overflow 32438 attempted-user 2008-5381 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"6BF52A52-394A-11d3-B153-00C04F79FAA6"; fast_pattern:only; nocase; content:"<param "; nocase; content:"URL"; distance:0; nocase; pcre:"/<param\s+name\s*=\s*(?P<q1>\x22|\x27|)URL(?P=q1)[^>]+?value\s*=\s*(\x22|\x27)[^\x22\x27]{500}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17573 WEB-CLIENT ffdshow codec URL parsing buffer overflow attempt 12749 misc-attack 2005-0701 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:established,to_server; content:"UTL_FILE.FOPEN"; nocase; content:"|5C 5C 2E 5C|"; distance:0; fast_pattern; pcre:"/UTL_FILE\.FOPEN\s*\x28(?P<q1>\x22|\x27).*?(?P=q1)[\s\x40]*\x2C[\s\x40]*[\x22\x27]\x5C\x5C\x2E\x5C/smi"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:misc-attack; 17584 ORACLE UTL_FILE directory traversal attempt 19586 attempted-dos 2006-4257 tcp $EXTERNAL_NET any -> $HOME_NET 50000 flow:established,to_server; content:"|D0|"; content:"|10 6D|"; within:2; distance:5; content:!"|21 10|"; flowbits:set,ibmdb2.accsec; flowbits:noalert; metadata:policy security-ips drop; classtype:attempted-dos; 17598 SPECIFIC-THREATS IBM DB2 Universal Database accsec command without rdbnam 19586 attempted-dos 2006-4257 tcp $EXTERNAL_NET any -> $HOME_NET 50000 flow:established,to_server; flowbits:isset,ibmdb2.accsec; content:"|D0|"; content:"|10 6D|"; within:2; distance:5; content:"|21 10|"; distance:0; metadata:policy security-ips drop; classtype:attempted-dos; 17599 SPECIFIC-THREATS IBM DB2 Universal Database rdbname denial of service attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server, established; content:".xul"; http_uri; pcre:"/.xul([\?\x5c\x2f]|$)/Usi"; flowbits:set, xul.download; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-activity; 17600 WEB-CLIENT .xul document retrieval 30994 attempted-dos 2008-1389 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client, established; content:"ITSF"; content:"|11 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC|"; within:16; distance:36; content:"ITSP"; distance:0; byte_test:4,<,8,12,relative,little; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-dos; 17602 WEB-CLIENT ClamAV antivirus CHM file handling denial of service sourceforge.net/project/shownotes.php?group_id=86638&release_id=623661 40617 attempted-user tcp $EXTERNAL_NET any -> $HOME_NET 4662 flow:to_server,established; content:"|E3|"; depth:1; content:"|01|"; within:1; distance:4; content:"|74 65 73 74 03 01 00 11 3C 00|"; within:10; distance:32; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 17607 SPECIFIC-THREATS Xi Software Net Transport eDonkey Protocol Buffer Overflow attempt 17246 attempted-admin 2006-1705 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server, established; content:"CREATE VIEW"; nocase; content:"FROM"; distance:0; nocase; content:"sys.testtable t1, sys.testtable t2"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 17619 ORACLE database server crafted view privelege escalation attempt 26108 attempted-dos 2007-5530 tcp $EXTERNAL_NET any -> $HOME_NET 1521 flow:to_server,established; content:"|06 00|"; depth:2; offset:4; byte_test:1,&,2,3,relative; metadata:policy security-ips drop; classtype:attempted-dos; 17625 ORACLE Oracle Database Core RDBMS component denial of service attempt 28990 attempted-admin 2008-2214 udp $EXTERNAL_NET any -> $HOME_NET 162 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|17632, service snmp, policy balanced-ips drop, policy security-ips drop; 17632 SNMP Castle Rock Computing SNMPc Network Manager community string attempted stack overflow attempted-user 2009-0195 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"JBIG2Decode"; content:"|03 FF FD FF 02 FE FE FE 00 00 00 36 FF FF FF F0 94 6B 62 1B|"; within:1000; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17641 SPECIFIC-THREATS CUPS and Xpdf JBIG2 symbol dictionary buffer overflow attempt www.cups.org/str.php?L3129 12771 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"|50 4B 03 04 0A 00 00 00 00 00 E0 98 B8 28 00 00 00 00 44 00 00 00 44 00 00 00 09 00 00 00 65 69 63 61 72 2E 63 6F 6D 58|"; within:40; metadata:policy security-ips drop, service http; classtype:attempted-user; 17651 SPECIFIC-THREATS Multiple AV vendor invalid archive checksum bypass attempt archives.neohapsis.com/archives/fulldisclosure/2005-03/0207.html 16287 string-detect 2006-0272 tcp $EXTERNAL_NET any -> $SQL_SERVERS any flow:established,to_server; content:"xdb.dbms_xmlschema.generateschema"; nocase; pcre:"/\s*\x28\x27[^\x27]/R"; isdataat:64,relative; metadata:policy balanced-ips drop, policy security-ips drop; classtype:string-detect; 17659 ORACLE xdb.dbms_xmlschema buffer overflow attempt 26791 attempted-admin 2007-6015 udp $EXTERNAL_NET any -> $HOME_NET 138 content:"|5C|MAILSLOT|5C|NET|5C|NTLOGON"; nocase; pcre:"/^\x00+/R"; content:"|12 00 00 00|"; within:4; pcre:"/^\x00\x00\x00\x00[^\x00]{260}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-dgm; classtype:attempted-admin; 17661 EXPLOIT Samba send_mailslot buffer overflow attempt attempted-user 2008-3639 tcp $EXTERNAL_NET any -> $HOME_NET 631 gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17663, policy balanced-ips drop, policy security-ips drop; 17663 EXPLOIT Apple CUPS SGI image format decoding imagetops filter buffer overflow attempt 34461 attempted-admin 2009-0993 tcp $EXTERNAL_NET any -> $HOME_NET [6000:6199] flow:to_server,established; content:"HTTP"; nocase; content:"%n%s%n%s%n%s"; fast_pattern:only; pcre:"/^(GET|POST|HEAD)\s+[^\x25]*\x25[\x23\x24\x27\x2a\x2b\x2d\x2ehlqjzt1234567890]*[diouxefgacspn]/i"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; 17669 SPECIFIC-THREATS Oracle Application Server 10g OPMN service format string vulnerability exploit attempt www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server, established; content:".dmg"; nocase; http_uri; flowbits:set,http.dmg; flowbits:noalert; classtype:misc-activity; 17679 WEB-MISC Apple disk image download request unknown tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS gid:3; classtype:unknown; flowbits:set,httpifnonematch; flowbits:noalert; metadata: engine shared, soid 3|17681, service http; 17681 MISC TRUFFLEHUNTER SFVRT-1008 attack attempt unknown tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS gid:3; classtype:unknown; flowbits:set,httpifnonematch; flowbits:noalert; metadata: engine shared, soid 3|17683, service http; 17683 MISC TRUFFLEHUNTER SFVRT-1008 attack attempt 10243 attempted-user 2005-0643 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"-lh0-"; nocase; content:"AAAAAAAA"; within:50; metadata:policy security-ips drop, service http; classtype:attempted-user; 17704 SPECIFIC-THREATS McAfee LHA file parsing buffer overflow attempt 26146 attempted-user 2007-5544 tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; content:"attachment|3B|"; content:"filename=|22|poc.wpd|22|"; distance:0; content:"00=00=c9mup=B6=89a=88"; distance:0; nocase; metadata:policy security-ips drop, service smtp; classtype:attempted-user; 17716 SPECIFIC-THREATS IBM Lotus Notes DOC attachment viewer buffer overflow 33177 attempted-admin 2008-3979 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"cast_to_raw|28 27|CgkJCUNSRUFU"; metadata:policy security-ips drop; classtype:attempted-admin; 17718 SPECIFIC-THREATS Oracle MDSYS drop table trigger injection attempt 27229 attempted-admin 2008-0339 tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"XDB.XDB_PITRIG_PKG.PITRIG_"; nocase; pcre:"/XDB\x2EXDB_PITRIG_PKG\x2EPITRIG_(DROP|TRUNCATE)\s*\x28[^\x29]*\x27[^\x27]{800}/smi"; metadata:policy security-ips drop; classtype:attempted-admin; 17722 ORACLE Oracle XDB.XDB_PITRIG_PKG buffer overflow attempt www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2008.html 24004 attempted-user 2007-2788 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,java_class_file.request; content:"|BC 08 59 03 02 54 59 04 10 D8 54 59 05 02 54 59|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:attempted-user; 17727 SPECIFIC-THREATS Sun JDK image parsing library ICC buffer overflow attempt scary.beasts.org/security/CESA-2006-004.html attempted-admin 2009-0093 udp $EXTERNAL_NET any -> $HOME_NET 53 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|17731, service dns, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; 17731 BAD-TRAFFIC wpad dynamic update request www.microsoft.com/technet/security/bulletin/MS09-008.mspx protocol-command-decode tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:".tif"; nocase; http_uri; flowbits:set,http.tiff; flowbits:noalert; classtype:protocol-command-decode; 17732 WEB-CLIENT TIFF file request misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"|2E|xml"; nocase; http_uri; pcre:"/^[^\?]*\.xml([\?\x5c\x2f]|$)/Usi"; flowbits:set,xml.download; flowbits:noalert; metadata:service http; classtype:misc-activity; 17733 WEB-MISC XML file download request 12832 attempted-user 2005-0644 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:to_server,established; content:"IcMtbGgwLRgAAAAFAAAA+rttMCABCHRlc3RmaWxl+BtVBQBQtIGUAQFVVVVV"; metadata:policy security-ips drop, service smtp; classtype:attempted-user; 17736 SPECIFIC-THREATS McAfee LHA Type-2 file handling overflow attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 443 flow:established, to_server; ssl_version:tls1.0; content:"|16 03 01|"; depth:3; content:"|0B|"; depth:1; offset:5; flowbits:set,tlsv1.client_hello.certificate; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; 17748 WEB-MISC TLSv1 Client_Certificate handshake protocol-command-decode tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:".otf"; nocase; http_uri; flowbits:set,http.otf; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:protocol-command-decode; 17751 WEB-CLIENT OpenType Font file download request denial-of-service 2010-2741 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:denial-of-service; flowbits:isset,http.otf; metadata: engine shared, soid 3|17752, service http, policy balanced-ips drop, policy security-ips drop; 17752 EXPLOIT OpenType Font file parsing denial of service attempt www.microsoft.com/technet/security/Bulletin/MS10-078.mspx attempted-user 2010-2740 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.otf; metadata: engine shared, soid 3|17765, service http, policy balanced-ips drop, policy security-ips drop; 17765 WEB-CLIENT OpenType Font file parsing buffer overflow attempt www.microsoft.com/technet/security/Bulletin/MS10-078.mspx attempted-user 2010-3243 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17766, service http, policy security-ips drop; 17766 EXPLOIT IE8 XSS in toStaticHTML API attempt www.microsoft.com/technet/security/bulletin/MS10-072.mspx attempted-user 2010-3324 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17767, service http, policy balanced-ips drop, policy security-ips drop; 17767 EXPLOIT IE8 XSS in toStaticHTML API 2 attempt www.microsoft.com/technet/security/bulletin/MS10-072.mspx attempted-user 2010-3243 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17768, service http, policy balanced-ips drop, policy security-ips drop; 17768 EXPLOIT IE8 object event handler use after free exploit attempt www.microsoft.com/technet/security/bulletin/MS10-071.mspx attempted-user 2010-3328 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17769, service http, policy balanced-ips drop, policy security-ips drop; 17769 EXPLOIT IE8 CSS invalid mapping exploit attempt www.microsoft.com/technet/security/bulletin/MS10-XXX.mspx attempted-user 2010-3325 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|17774, service http, policy balanced-ips drop, policy security-ips drop; 17774 EXPLOIT IE8 CSS XSRF exploit attempt www.microsoft.com/technet/security/bulletin/MS10-071.mspx attempted-user 2009-0850 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"PK|03 04 0A|"; content:"|3C 68 31 3E 20 69 64 3D 22 68 65 61 64 65 72 22 20 6F 6E 6D 6F 75 73 65 6D 6F 76 65 3D 22 61 6C 65 72 74 28 27 41 73 73 75 72 65 6E 74 20 53 65 63 75 72 65 20 54|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; 17778 SPECIFIC-THREATS BitDefender Internet Security script code execution attempt protocol-command-decode tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"application/x-director"; fast_pattern:only; flowbits:set,http.dir; flowbits:noalert; classtype:protocol-command-decode; 17801 WEB-CLIENT Director Movie File Embeded protocol-command-decode tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:".DCR"; nocase; http_uri; flowbits:set,http.dir; flowbits:noalert; classtype:protocol-command-decode; 17802 WEB-CLIENT Director Movie File Download suspicious-filename-detect tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"/server32.exe"; nocase; http_uri; metadata:policy connectivity-ips drop, policy security-ips drop, service http; classtype:suspicious-filename-detect; 17810 WEB-MISC potential malware - download of server32.exe en.wikipedia.org/wiki/Zeus_(trojan_horse) suspicious-filename-detect tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"/svchost.exe"; nocase; http_uri; metadata:policy connectivity-ips drop, policy security-ips drop, service http; classtype:suspicious-filename-detect; 17811 WEB-MISC potential malware - download of svchost.exe suspicious-filename-detect tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"/iexplore.exe"; nocase; http_uri; metadata:policy connectivity-ips drop, policy security-ips drop, service http; classtype:suspicious-filename-detect; 17812 WEB-MISC potential malware - download of iexplore.exe suspicious-filename-detect tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"/iprinp.dll"; nocase; http_uri; metadata:policy connectivity-ips drop, policy security-ips drop, service http; classtype:suspicious-filename-detect; 17813 WEB-MISC potential malware - download of iprinp.dll suspicious-filename-detect tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"/winzf32.dll"; nocase; http_uri; metadata:policy connectivity-ips drop, policy security-ips drop, service http; classtype:suspicious-filename-detect; 17814 WEB-MISC potential malware - download of winzf32.dll trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"index_new.php"; nocase; http_uri; content:"id=roger"; fast_pattern; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 17815 SPYWARE-PUT Thinkpoint fake antivirus - user display www.symantec.com/security_response/writeup.jsp?docid=2010-090610-2408-99 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"bill.php"; nocase; http_uri; content:"cs1=roger"; nocase; http_client_body; content:"product_id="; nocase; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 17816 SPYWARE-PUT Thinkpoint fake antivirus - credit card submission www.symantec.com/security_response/writeup.jsp?docid=2010-090610-2408-99 trojan-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"|30 B6 AD D9 C7 B7 41 8E 75 6E 65 78 70 30 65 B4 26 6D|"; content:"|BA 3A 0D 0A 4F E8 7A 65 7E 66 B5 05 EF AD 61 49 C9 80 75 6D 58|"; within:100; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 17817 SPECIFIC-THREATS Thinkpoint fake antivirus binary download www.symantec.com/security_response/writeup.jsp?docid=2010-090610-2408-99 attempted-user 2010-3337 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18071, service http, policy balanced-ips drop, policy security-ips drop; 18071 WEB-CLIENT pptimpconv.dll access www.microsoft.com/technet/security/bulletin/MS10-089.mspx attempted-admin 2010-2734 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|18074, service http, policy balanced-ips drop, policy security-ips drop; 18074 WEB-CLIENT Forefront UAG URL XSS attempt www.microsoft.com/technet/security/bulletin/MS10-089.mspx attempted-admin 2010-3936 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|18076, service http, policy balanced-ips drop, policy security-ips drop; 18076 WEB-CLIENT Forefront UAG URL XSS alternate attempt www.microsoft.com/technet/security/bulletin/MS10-089.mspx 18165 attempted-dos 2006-2723 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"document.write|28 27|<html><marquee><h1>|27|+buffer+buffer|29 3B|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-dos; 18188 SPECIFIC-THREATS Multiple browser marquee tag denial of service attempt attempted-user 2010-3144 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18202, service http, policy security-ips drop; 18202 WEB-CLIENT Windows Address Book smmscrpt.dll malicious DLL load www.microsoft.com/technet/security/bulletin/MS10-097.mspx attempted-user 2010-3147 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18204, service http, policy security-ips drop; 18204 WEB-CLIENT Windows Address Book wab32res.dll malicious DLL load www.microsoft.com/technet/security/bulletin/MS10-096.mspx attempted-user 2010-3147 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18205, service http, policy security-ips drop; 18205 WEB-CLIENT Windows Address Book msoeres32.dll malicious DLL load www.microsoft.com/technet/security/bulletin/MS10-096.mspx attempted-user 2010-3966 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS gid:3; classtype:attempted-user; metadata: engine shared, soid 3|18208, service http, policy security-ips drop; 18208 WEB-CLIENT Windows 7 Home peerdist.dll dll-load exploit attempt www.microsoft.com/technet/security/bulletin/MS10-095.mspx attempted-user 2010-2569 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.pub; metadata: engine shared, soid 3|18212, service http, policy balanced-ips drop, policy security-ips alert; 18212 SPECIFIC-THREATS MS Publisher tyo.oty field heap overflow attempt www.microsoft.com/technet/security/bulletin/MS10-103.mspx attempted-user 2010-2570 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.pub; metadata: engine shared, soid 3|18213, service http, policy balanced-ips drop, policy security-ips alert; 18213 SPECIFIC-THREATS MS Publisher column and row remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-103.mspx attempted-user 2010-2571 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.pub; metadata: engine shared, soid 3|18214, service http, policy balanced-ips drop, policy security-ips alert; 18214 SPECIFIC-THREATS MS Publisher 97 conversion remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-103.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:".pct"; nocase; http_uri; flowbits:set,http.pct; flowbits:noalert; metadata:policy security-ips alert, service http; classtype:misc-activity; 18234 WEB-MISC QuickDraw/PICT file download request trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"User-Agent|3A| ErrCode"; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; 18247 BLACKLIST USER-AGENT known malicious User-Agent ErrCode - W32/Fujacks.htm www.mcafee.com/threat-intelligence/malware/default.aspx?id=141161 9576 misc-attack 2006-2162 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"Content-Length|3A|"; nocase; byte_test:10,>,0x7FFFFFFF,1,relative,string,dec; metadata:policy security-ips drop; classtype:misc-attack; 2278 WEB-MISC client negative Content-Length attempt successful-user tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; content:"|0A|Referer|3A| res|3A|/C|3A|"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:successful-user; 2412 ATTACK-RESPONSES successful cross site scripting forced download attempt 9382 attempted-admin 2004-0045 tcp $EXTERNAL_NET any -> $HOME_NET 119 flow:to_server,established; content:"newgroup"; fast_pattern:only; pcre:"/^newgroup\x3a[^\n]{32}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service nntp; classtype:attempted-admin; 2430 NNTP newgroup overflow attempt 11984 9382 attempted-admin 2004-0045 tcp $EXTERNAL_NET any -> $HOME_NET 119 flow:to_server,established; content:"rmgroup"; fast_pattern:only; pcre:"/^rmgroup\x3a[^\n]{32}/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service nntp; classtype:attempted-admin; 2431 NNTP rmgroup overflow attempt 11984 protocol-command-decode tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; 2520 WEB-MISC SSLv3 Client_Hello request protocol-command-decode tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; 2521 WEB-MISC SSLv3 Server_Hello request attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/NessusTest"; nocase; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:attempted-recon; 2585 WEB-MISC nessus 2.x 404 probe 10386 11015 attempted-admin 2004-0826 tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 00 02|"; depth:3; offset:2; byte_test:1,>,127,0; flowbits:set,sslv2.client_hello.request; flowbits:noalert; byte_test:2,>,32,9; metadata:service ssl; classtype:attempted-admin; 2656 WEB-MISC SSLv2 Client_Hello Challenge Length overflow attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.client_hello.request; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; 2658 WEB-MISC SSLv2 Client_Hello request protocol-command-decode tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; offset:6; flowbits:set,sslv2.client_hello.request; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; 2659 WEB-MISC SSLv2 Client_Hello with pad request protocol-command-decode tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,sslv2.client_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; 2660 WEB-MISC SSLv2 Server_Hello request protocol-command-decode tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; 2661 WEB-MISC TLSv1 Client_Hello request protocol-command-decode tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,tlsv1.server_hello.request; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; 2662 WEB-MISC TLSv1 Server_Hello request 11173 attempted-user 2004-0200 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"Content-Type"; nocase; http_header; content:"image/"; nocase; http_header; pcre:"/^Content-Type\x3A\s*image\x2F/smiH"; file_data; content:"|FF D8|"; within:2; fast_pattern; pcre:"/^.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/sR"; metadata:policy security-ips drop; classtype:attempted-user; 2705 WEB-CLIENT JPEG parser heap overflow attempt www.microsoft.com/security/bulletins/200409_jpeg.mspx misc-activity tcp $EXTERNAL_NET any -> $HOME_NET 20034 flow:to_server,established; content:"BN |00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; flowbits:set,backdoor.netbus_2.connect; flowbits:noalert; classtype:misc-activity; 3009 BACKDOOR NetBus Pro 2.0 connection request misc-activity tcp $EXTERNAL_NET any -> $HOME_NET 22222 flow:to_server,established; content:"WINDIR"; depth:6; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 3010 BACKDOOR RUX the Tick get windows directory attempt misc-activity tcp $EXTERNAL_NET any -> $HOME_NET 22222 flow:to_server,established; content:"SYSDIR"; depth:6; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 3011 BACKDOOR RUX the Tick get system directory attempt misc-activity tcp $EXTERNAL_NET any -> $HOME_NET 22222 flow:to_server,established; content:"ABCJZDATEIV"; depth:11; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 3012 BACKDOOR RUX the Tick upload/execute arbitrary file attempt misc-activity tcp $EXTERNAL_NET any -> $HOME_NET 23432 flow:to_server,established; content:"RQS"; depth:3; flowbits:set,backdoor.asylum.connect; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 3013 BACKDOOR Asylum 0.1 connection request misc-activity tcp $HOME_NET 23432 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,backdoor.asylum.connect; content:"GNT"; depth:3; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 3014 BACKDOOR Asylum 0.1 connection established misc-activity tcp $HOME_NET 2000 -> $EXTERNAL_NET any flow:from_server,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 3015 BACKDOOR Insane Network 4.0 connection established misc-activity tcp $HOME_NET 63536 -> $EXTERNAL_NET any flow:from_server,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 3016 BACKDOOR Insane Network 4.0 connection established port 63536 protocol-command-decode tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; 3059 WEB-MISC TLSv1 Client_Hello via SSLv2 handshake request misc-activity tcp $EXTERNAL_NET any -> $HOME_NET 1020 flow:to_server,established; content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; 3063 BACKDOOR Vampire 1.2 connection request misc-activity tcp $HOME_NET 1020 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line....."; depth:32; metadata:policy security-ips drop; classtype:misc-activity; 3064 BACKDOOR Vampire 1.2 connection confirmation misc-activity tcp $HOME_NET 5880 -> $EXTERNAL_NET any flow:from_server,established; content:"connected"; depth:9; flowbits:set,backdoor.y3krat_15.connect; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 3081 BACKDOOR Y3KRAT 1.5 Connect misc-activity tcp $EXTERNAL_NET any -> $HOME_NET 5880 flow:to_server,established; flowbits:isset,backdoor.y3krat_15.connect; content:"getclient"; depth:9; flowbits:set,backdoor.y3krat_15.client.response; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 3082 BACKDOOR Y3KRAT 1.5 Connect Client Response misc-activity tcp $HOME_NET 5880 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,backdoor.y3krat_15.client.response; content:"client"; depth:7; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 3083 BACKDOOR Y3KRAT 1.5 Connection confirmation 11523 attempted-user 2007-5503 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32767,0,relative; metadata:policy security-ips drop; classtype:attempted-user; 3132 WEB-CLIENT PNG large image width download attempt www.microsoft.com/technet/security/bulletin/MS05-009.mspx 11523 attempted-user 2007-5503 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32767,4,relative; metadata:policy security-ips drop; classtype:attempted-user; 3133 WEB-CLIENT PNG large image height download attempt www.microsoft.com/technet/security/bulletin/MS05-009.mspx 5874 attempted-user 2004-1043 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"adb880a6-d8ff-11cf-9377-00aa003b7a11"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*adb880a6-d8ff-11cf-9377-00aa003b7a11/si"; metadata:policy security-ips drop; classtype:attempted-user; 3148 WEB-CLIENT winhelp clsid attempt www.ngssoftware.com/advisories/ms-winhlp.txt trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 31337 flow:to_server,established; content:"1j|D0 D9|"; metadata:policy security-ips drop; classtype:trojan-activity; 3155 BACKDOOR BackOrifice 2000 Inbound Traffic protocol-command-decode tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"image/"; nocase; http_header; pcre:"/^Content-Type\x3a(\s*|\s*\r?\n\s+)image\x2fgif/smiH"; flowbits:set,http.gif; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:protocol-command-decode; 3535 WEB-CLIENT GIF transfer not-suspicious tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".hta"; nocase; http_uri; pcre:"/\.hta(\b|$)/Ui"; flowbits:set,http.hta; flowbits:noalert; metadata:policy security-ips drop; classtype:not-suspicious; 3551 WEB-CLIENT .hta download attempt 11171 attempted-admin 2008-3015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"image/bmp"; nocase; http_header; pcre:"/^Content-type\x3a(\s*|\s*\r?\n\s+)image\x2fbmp/smiH"; file_data; content:"BM"; distance:0; byte_test:4,>,83386080,16,relative,little; metadata:policy security-ips drop; classtype:attempted-admin; 3632 WEB-CLIENT Bitmap width integer overflow attempt www.microsoft.com/technet/security/bulletin/MS08-052.mspx protocol-command-decode tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"image/bmp"; nocase; pcre:"/^Content-type\x3a(\s*|\s*\r?\n\s+)image\x2fbmp/smi"; flowbits:set,http.bmp; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; 3633 WEB-CLIENT bitmap transfer 11171 attempted-admin 2008-3015 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.bmp; content:"BM"; byte_test:4,>,83386080,16,relative,little; metadata:policy security-ips drop; classtype:attempted-admin; 3634 WEB-CLIENT Bitmap width integer overflow multipacket attempt www.microsoft.com/technet/security/bulletin/MS08-052.mspx trojan-activity tcp $HOME_NET 23032 -> $EXTERNAL_NET any flow:from_server,established; content:"Connected To Amanda 2.0"; depth:23; metadata:policy security-ips drop; classtype:trojan-activity; 3635 BACKDOOR Amanda 2.0 connection established trojan-activity tcp $HOME_NET 17499 -> $EXTERNAL_NET any flow:from_server,established; content:"Crazzynet"; depth:9; metadata:policy security-ips drop; classtype:trojan-activity; 3636 BACKDOOR Crazzy Net 5.0 connection established 2524 attempted-admin 2001-0154 tcp $EXTERNAL_NET 80 -> $HOME_NET any flow:from_server,established; content:"Content-Type|3A|"; nocase; http_header; content:"audio/"; fast_pattern; nocase; http_header; pcre:"/Content-Type\x3A\s+audio\/(x-wav|mpeg|x-midi)/iH"; content:"filename="; nocase; http_header; pcre:"/filename=[\x22\x27]?.{1,221}\.(vbs|exe|scr|pif|bat)/Hi"; metadata:policy security-ips drop, service http; classtype:attempted-admin; 3683 WEB-CLIENT spoofed MIME-Type auto-execution attempt www.microsoft.com/technet/security/bulletin/MS01-020.mspx protocol-command-decode tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"text/plain"; nocase; http_header; pcre:"/^Content-type\x3a(\s*|\s*\r?\n\s+)text\x2fplain/smiH"; flowbits:set,chm_content_type; flowbits:noalert; classtype:protocol-command-decode; 3819 WEB-CLIENT multipacket CHM file transfer start 13953 attempted-user 2005-1208 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"text/plain"; nocase; http_header; pcre:"/^Content-type\x3a(\s*|\s*\r?\n\s+)text\x2fplain/smiH"; pcre:"/^ITSF/sm"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:attempted-user; 3821 WEB-CLIENT CHM file transfer attempt 18482 www.microsoft.com/technet/security/bulletin/ms05-026.mspx protocol-command-decode tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".rt"; nocase; http_uri; pcre:"/\S{190}.rt/Usmi"; flowbits:set,realtext.request; flowbits:noalert; metadata:service http; classtype:protocol-command-decode; 3822 WEB-MISC Real Player realtext long URI request 14594 attempted-user 2005-2127 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F/si"; metadata:policy security-ips drop; classtype:attempted-user; 4132 WEB-CLIENT msdds clsid attempt www.microsoft.com/technet/security/bulletin/MS05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"083863F1-70DE-11d0-BD40-00A0C911CE86"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*083863F1-70DE-11d0-BD40-00A0C911CE86/si"; metadata:policy security-ips drop; classtype:attempted-user; 4133 WEB-CLIENT devenum clsid attempt www.microsoft.com/technet/security/bulletin/MS05-038.mspx 14511 attempted-user 2005-1990 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5/si"; metadata:policy security-ips drop; classtype:attempted-user; 4134 WEB-CLIENT blnmgr clsid attempt www.microsoft.com/technet/security/bulletin/MS05-038.mspx 13389 attempted-dos 2005-1279 tcp $EXTERNAL_NET any -> $HOME_NET 646 flow:stateless; content:"|00 00|"; depth:2; offset:12; metadata:policy security-ips drop; classtype:attempted-dos; 4140 DOS tcpdump tcp LDP print zero length message denial of service attempt www.frsirt.com/english/advisories/2005/0410 13389 attempted-dos 2005-1279 udp $EXTERNAL_NET any -> $HOME_NET 646 flow:to_server; content:"|00 00|"; depth:2; offset:12; metadata:policy security-ips drop; classtype:attempted-dos; 4141 DOS tcpdump udp LDP print zero length message denial of service attempt www.frsirt.com/english/advisories/2005/0410 protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 515 flow:to_server,established; content:"|02|"; depth:1; pcre:"/\x02[^\x0a]+\x3a[^\x0a]+\x0a/"; flowbits:set,lp.cascade; flowbits:noalert; classtype:protocol-command-decode; 4143 EXPLOIT lpd receive printer job cascade adaptor protocol request protocol-command-decode tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"text/plain"; nocase; http_header; pcre:"/^Content-type\x3a(\s*|\s*\r?\n\s+)text\x2fplain/smiH"; flowbits:set,bookmark_link_content_type; flowbits:noalert; metadata:policy security-ips drop; classtype:protocol-command-decode; 4194 WEB-CLIENT multipacket CBO CBL CBM file transfer start 13944 attempted-user 2006-3448 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,bookmark_link_content_type; content:"Interactive Training]"; pcre:"/\[(Microsoft |Microsoft Press )?Interactive Training\]/"; metadata:policy security-ips drop; classtype:attempted-user; 4195 WEB-CLIENT multipacket CBO CBL CBM file transfer attempt 18492 www.microsoft.com/technet/security/bulletin/MS05-031.mspx 15070 attempted-user 2005-2122 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"L|00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00|F"; byte_test:1,!&,4,0,relative,little; byte_jump:2,56,relative,little; byte_jump:2,0,relative,little; byte_jump:2,-2,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,little; content:"|CC 00 00 00|"; within:4; distance:-2; isdataat:72,relative; content:!"|00 00|"; within:32; distance:40; metadata:policy security-ips drop; classtype:attempted-user; 4643 WEB-CLIENT malformed windows shortcut file buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS05-049.mspx 15070 attempted-user 2005-2122 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"L|00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00|F"; byte_test:1,&,4,0,relative,little; byte_jump:2,56,relative,little; byte_jump:2,0,relative,little; byte_jump:2,-2,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,multiplier 2,little; byte_jump:2,0,relative,little; content:"|CC 00 00 00|"; within:4; distance:-2; isdataat:72,relative; content:!"|00 00|"; within:32; distance:40; metadata:policy security-ips drop; classtype:attempted-user; 4644 WEB-CLIENT malformed windows shortcut file with comment buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS05-049.mspx 1806 bad-unknown tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any flow:established; content:"Command completed"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:bad-unknown; 494 ATTACK-RESPONSES command completed 1806 bad-unknown 2000-0884 tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any flow:established; content:"1 file|28|s|29| copied"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; classtype:bad-unknown; 497 ATTACK-RESPONSES file copied ok bad-unknown ip any any -> any any content:"uid=0|28|root|29|"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:bad-unknown; 498 ATTACK-RESPONSES id check returned root 16074 web-application-attack 2005-4560 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"|01 00 09 00 00 03|R|1F 00 00 06 00|=|00 00 00 00 00|"; content:"&|06 09 00 16 00|"; metadata:policy security-ips drop; classtype:web-application-attack; 5319 WEB-CLIENT Metasploit Windows picture and fax viewer wmf arbitrary code execution attempt www.microsoft.com/technet/security/bulletin/ms06-001.mspx 16516 attempted-admin 2006-0020 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"|D7 CD C6 9A|"; byte_test:2,<,8,25,relative,little; metadata:policy security-ips drop, service http; classtype:attempted-admin; 5713 WEB-CLIENT Windows Metafile invalid header size integer overflow www.microsoft.com/technet/security/bulletin/ms06-004.mspx successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A| SoftActivity Mailer"; fast_pattern:only; metadata:policy security-ips alert; classtype:successful-recon-limited; 5742 SPYWARE-PUT Keylogger activitylogger runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453080822 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/gate.php?plugin="; nocase; http_uri; content:"Host|3A| www.actualnames.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 5743 SPYWARE-PUT Hijacker actualnames runtime detection - plugin list www3.ca.com/securityadvisor/pest/pest.aspx?id=453074941 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/lzRedirect.cgi"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"act="; nocase; http_uri; content:"type="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5745 SPYWARE-PUT Hijacker adultlinks runtime detection - redirect www3.ca.com/securityadvisor/pest/pest.aspx?id=453072505 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/logurl/loadURL/"; fast_pattern; nocase; http_uri; content:".ADbar|3A|X"; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5746 SPYWARE-PUT Hijacker adultlinks runtime detection - load url www3.ca.com/securityadvisor/pest/pest.aspx?id=453072505 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/hits/log.cgi/"; fast_pattern; nocase; http_uri; content:".ADbar|3A|X"; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5747 SPYWARE-PUT Hijacker adultlinks runtime detection - log hits www3.ca.com/securityadvisor/pest/pest.aspx?id=453072505 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/exit/exit.html?act="; fast_pattern; nocase; http_uri; content:".ADbar|3A|X"; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5748 SPYWARE-PUT Hijacker adultlinks runtime detection - ads www3.ca.com/securityadvisor/pest/pest.aspx?id=453072505 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| Infospace Toolbar"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5750 SPYWARE-PUT Adware dogpile runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453079953 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/d/search/p/exactad/?Keywords="; fast_pattern; nocase; http_uri; content:"Partners=exactad"; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5751 SPYWARE-PUT Adware exactsearch runtime detection - switch search engine 1 www3.ca.com/securityadvisor/pest/pest.aspx?id=453072519 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/setup.asp?src=exact&query="; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5752 SPYWARE-PUT Adware exactsearch runtime detection - switch search engine 2 www3.ca.com/securityadvisor/pest/pest.aspx?id=453072519 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.php?Keywords="; fast_pattern; nocase; http_uri; content:"partner=bar"; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5753 SPYWARE-PUT Adware exactsearch runtime detection - topsearches www3.ca.com/securityadvisor/pest/pest.aspx?id=453072519 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ezsb"; nocase; http_uri; content:"/bar_pl/shdoclc.fcgi?"; fast_pattern; nocase; http_uri; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Fshdoclc\.fcgi/Ui"; metadata:policy security-ips drop; classtype:misc-activity; 5754 SPYWARE-PUT Hijacker ezcybersearch runtime detection - ie auto search hijack www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ezsb"; nocase; http_uri; content:"/bar_pl/chk.fcgi"; fast_pattern; nocase; http_uri; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Fchk\.fcgi/Ui"; metadata:policy security-ips drop; classtype:misc-activity; 5755 SPYWARE-PUT Hijacker ezcybersearch runtime detection - check update www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ezsb"; nocase; http_uri; content:"/bar_pl/fav.fcgi?"; fast_pattern; nocase; http_uri; content:"aff_id="; nocase; http_uri; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Ffav\.fcgi/Ui"; metadata:policy security-ips drop; classtype:misc-activity; 5756 SPYWARE-PUT Hijacker ezcybersearch runtime detection - add coolsites to ie favorites www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ezsb"; nocase; http_uri; content:"/bar_pl/chk_bar.fcgi?"; fast_pattern; nocase; http_uri; content:"aff_id="; nocase; http_uri; content:"cid="; nocase; http_uri; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Fchk_bar\.fcgi/Ui"; metadata:policy security-ips drop; classtype:misc-activity; 5757 SPYWARE-PUT Hijacker ezcybersearch runtime detection - check toolbar setting www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ezsb"; nocase; http_uri; content:"/bar_pl/b.fcgi?"; fast_pattern; nocase; http_uri; content:"aff_id="; nocase; http_uri; content:"cid="; nocase; http_uri; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Fb\.fcgi/Ui"; metadata:policy security-ips drop; classtype:misc-activity; 5758 SPYWARE-PUT Hijacker ezcybersearch runtime detection - download fastclick pop-under code www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 21 flow:to_server,established; content:"STOR"; nocase; content:"FKS_"; distance:0; nocase; pcre:"/^STOR\s+FKS_\w+_\d+-\d+-\d+\.log/i"; metadata:policy security-ips drop; classtype:successful-recon-limited; 5759 SPYWARE-PUT Keylogger fearlesskeyspy runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453076298 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/w/pop.cgi?"; http_uri; content:"sid="; nocase; http_uri; content:"u=http"; nocase; http_uri; content:"bearshare"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5761 SPYWARE-PUT Trickler bearshare runtime detection - ads popup www3.ca.com/securityadvisor/pest/pest.aspx?id=453060286 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/gwcache/lynnx.asp?"; fast_pattern; nocase; http_uri; content:"client=BEAR"; nocase; http_uri; content:"version="; nocase; http_uri; content:"urlfile="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5762 SPYWARE-PUT Trickler bearshare runtime detection - p2p information request www3.ca.com/securityadvisor/pest/pest.aspx?id=453060286 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/chat/chat.php"; nocase; http_uri; content:"nick="; nocase; content:"initchan=BearShare"; distance:0; nocase; metadata:policy security-ips drop; classtype:misc-activity; 5763 SPYWARE-PUT Trickler bearshare runtime detection - chat request www3.ca.com/securityadvisor/pest/pest.aspx?id=453060286 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/toolbar/ico/"; nocase; http_uri; content:".ico"; nocase; http_uri; pcre:"/\x2Ftoolbar\x2Fico\x2F[a-zA-Z0-9_%]*\.ico/Ui"; content:"Host|3A| begin2search.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5765 SPYWARE-PUT Hijacker begin2search runtime detection - ico query www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/install.php?"; fast_pattern; nocase; http_uri; content:"afid=b2search"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"version="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5766 SPYWARE-PUT Hijacker begin2search runtime detection - install spyware trafficsector www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".compress"; nocase; http_uri; pcre:"/\x2F(dist|SupportFiles)\x2F[^\r\n]*\.compress/Ui"; content:"User-Agent|3A| NSISDL"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5767 SPYWARE-PUT Hijacker begin2search runtime detection - download unauthorized code www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/client/fcgi/stats-post2.fcgi"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| WebConnLib"; nocase; http_header; metadata:policy security-ips drop; classtype:misc-activity; 5768 SPYWARE-PUT Hijacker begin2search runtime detection - pass information www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/adpage2.asp?sourceid="; nocase; http_uri; content:"Host|3A| www.take5bingo.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 5769 SPYWARE-PUT Hijacker begin2search runtime detection - play bingo ads www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/logs7.asp"; nocase; http_uri; content:"User-Agent|3A| Casino"; nocase; http_header; content:"MsgID="; nocase; http_header; content:"Data="; nocase; metadata:policy security-ips drop; classtype:successful-recon-limited; 5770 SPYWARE-PUT Snoopware casinoonnet runtime detection www.spywareguide.com/product_show.php?id=1254 successful-recon-limited tcp $EXTERNAL_NET any -> $HOME_NET 1024: flow:to_server,established; content:"|00 00 05 00 00 00|"; depth:8; offset:2; nocase; flowbits:set,Farsighter; flowbits:noalert; classtype:successful-recon-limited; 5771 SPYWARE-PUT Screen-Scraper farsighter runtime detection - initial connection www.spywareguide.com/product_show.php?id=587 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| Dripline"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5773 SPYWARE-PUT Adware forbes runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453075448 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/getcard.php?uid="; nocase; http_uri; content:"User-Agent|3A| FSW"; nocase; http_header; content:"Host|3A| www.freescratchandwin.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5774 SPYWARE-PUT Hijacker freescratch runtime detection - get card www3.ca.com/securityadvisor/pest/pest.aspx?id=453073903 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/scratch.php?uid="; nocase; http_uri; content:"Host|3A| www.freescratchandwin.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5775 SPYWARE-PUT Hijacker freescratch runtime detection - scratch card www3.ca.com/securityadvisor/pest/pest.aspx?id=453073903 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"P2P-Agent|3A| Grokster"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5776 SPYWARE-PUT Trickler grokster runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453060425 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A| GURL Watcher"; fast_pattern:only; metadata:policy security-ips drop; classtype:successful-recon-limited; 5777 SPYWARE-PUT Keylogger gurl watcher runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453080847 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A| "; nocase; content:"HWPE Windows Activity LOG"; distance:0; nocase; metadata:policy security-ips drop; classtype:successful-recon-limited; 5778 SPYWARE-PUT Keylogger runtime detection - hwpe windows activity logs www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A| "; nocase; content:"HWPE Shell/File LOG"; distance:0; nocase; metadata:policy security-ips drop; classtype:successful-recon-limited; 5779 SPYWARE-PUT Keylogger runtime detection - hwpe shell file logs www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A| "; nocase; content:"HWAE Windows Activity LOG"; distance:0; nocase; metadata:policy security-ips drop; classtype:successful-recon-limited; 5781 SPYWARE-PUT Keylogger runtime detection - hwae windows activity logs www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A| "; nocase; content:"HWAE Keystrokes LOG"; distance:0; nocase; metadata:policy security-ips drop; classtype:successful-recon-limited; 5783 SPYWARE-PUT Keylogger runtime detection - hwae keystrokes log www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A| "; nocase; content:"HWAE URLS Browsed LOG"; distance:0; nocase; metadata:policy security-ips drop; classtype:successful-recon-limited; 5784 SPYWARE-PUT Keylogger runtime detection - hwae urls browsed log www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/xml/hithopper.xml"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5785 SPYWARE-PUT Adware hithopper runtime detection - get xml setting www3.ca.com/securityadvisor/pest/pest.aspx?id=453079079 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/redirectf.php3?"; fast_pattern; nocase; http_uri; content:"url="; nocase; http_uri; content:"id="; nocase; http_uri; content:"adid="; nocase; http_uri; content:"search_parsed="; nocase; http_uri; content:"rank="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5786 SPYWARE-PUT Adware hithopper runtime detection - redirect www3.ca.com/securityadvisor/pest/pest.aspx?id=453079079 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"?search="; nocase; http_uri; content:"Host|3A| www.hithopper.com"; fast_pattern:only; pcre:"/\x2Fs(earch)?\x2Ephp3?\x3Fsearch\x3D/Ui"; metadata:policy security-ips drop; classtype:misc-activity; 5787 SPYWARE-PUT Adware hithopper runtime detection - search www3.ca.com/securityadvisor/pest/pest.aspx?id=453079079 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/xml/toolbar/"; nocase; http_uri; content:"Host|3A| www.hithopper.com"; fast_pattern:only; pcre:"/\x2Fxml\x2Ftoolbar\x2F(sports)|(news)|(horoscope2)|(horoscope)|(weather2)|(weather)\.php/Ui"; metadata:policy security-ips drop; classtype:misc-activity; 5788 SPYWARE-PUT Adware hithopper runtime detection - click toolbar buttons www3.ca.com/securityadvisor/pest/pest.aspx?id=453079079 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/index_a.htm"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| "; nocase; http_header; content:"ActMon"; nocase; http_header; metadata:policy security-ips drop; classtype:successful-recon-limited; 5789 SPYWARE-PUT keylogger pc actmon pro runtime detection - http www.spywareguide.com/product_show.php?id=1989 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/getpin.php?"; fast_pattern; nocase; http_uri; content:"did="; nocase; http_uri; content:"refid="; nocase; http_uri; content:"udata="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5791 SPYWARE-PUT Dialer pluginaccess runtime detection - get pin www3.ca.com/securityadvisor/pest/pest.aspx?id=453074883 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/activeproxy.php?"; fast_pattern; nocase; http_uri; content:"did="; nocase; http_uri; content:"pin="; nocase; http_uri; content:"refid="; nocase; http_uri; content:"udata="; nocase; http_uri; content:"resdir="; nocase; http_uri; content:"selectbox="; nocase; http_uri; content:"lmi="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5792 SPYWARE-PUT Dialer pluginaccess runtime detection - active proxy www3.ca.com/securityadvisor/pest/pest.aspx?id=453074883 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/dlrdir.html?"; fast_pattern; nocase; http_uri; content:"DiallerIP="; nocase; http_uri; content:"dialled="; nocase; http_uri; content:"site="; nocase; http_uri; content:"did="; nocase; http_uri; content:"country="; nocase; http_uri; content:"refid="; nocase; http_uri; content:"udata="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5793 SPYWARE-PUT Dialer pluginaccess runtime detection - redirect www3.ca.com/securityadvisor/pest/pest.aspx?id=453074883 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/open_console_out.php"; fast_pattern; nocase; http_uri; content:"n="; nocase; http_uri; content:"pin="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 5794 SPYWARE-PUT Hijacker coolwebsearch.aboutblank variant runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"adv_id="; nocase; http_uri; content:"campaign="; nocase; http_uri; content:"origin="; nocase; http_uri; content:"program_id="; nocase; http_uri; content:"subprogram_id="; nocase; http_uri; content:"site_id="; nocase; http_uri; content:"ref_url="; nocase; http_uri; content:"Host|3A| www.power-cleaner.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 5795 SPYWARE-PUT Adware ist powerscan runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453077266 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ping.html"; nocase; http_uri; content:"User-Agent|3A| My AppName"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5796 SPYWARE-PUT Adware keenvalue runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453094138 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/mySpeedbarConfig.jsp?"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| "; nocase; http_header; content:"MyWay"; nocase; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:successful-recon-limited; 5800 SPYWARE-PUT Trackware myway speedbar runtime detection - request config www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/tr.js?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"r="; nocase; http_uri; content:"Host|3A| c4.myway.com"; fast_pattern:only; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:successful-recon-limited; 5801 SPYWARE-PUT Trackware myway speedbar / mywebsearch toolbar runtime detection - track activity 1 www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/images/nocache/tr/gca/m.gif?"; fast_pattern; nocase; http_uri; content:"rand="; nocase; http_uri; content:"a="; nocase; http_uri; content:"u="; nocase; http_uri; content:"r="; nocase; http_uri; content:"w="; nocase; http_uri; content:"myway.com"; nocase; http_uri; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:successful-recon-limited; 5803 SPYWARE-PUT Trackware myway speedbar / mywebsearch toolbar runtime detection - collect information www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"PG=SPEEDBAR"; fast_pattern; nocase; http_uri; pcre:"/\.(jsp)|(html)\?[^\r\n]*PG=SPEEDBAR/Ui"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:successful-recon-limited; 5805 SPYWARE-PUT Trackware myway speedbar runtime detection - switch engines www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"SAHSelect=GUID="; nocase; content:"CustomerID="; nocase; content:"stealth="; nocase; content:"InstallerLocation="; fast_pattern:only; content:"LastPrefs="; nocase; content:"AgentVersion="; nocase; content:"CTG="; nocase; content:"WSS_GW="; nocase; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:misc-activity; 5807 SPYWARE-PUT Hijacker shopathomeselect runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453074921 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/GR_check_site.html"; nocase; http_uri; content:"User-Agent|3A| SAH Agent"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 5808 SPYWARE-PUT Hijacker shop at home search merchant redirect check misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/frameset3.asp"; fast_pattern; nocase; http_uri; content:"MID="; nocase; http_uri; content:"ruleID="; nocase; http_uri; content:"popupID="; nocase; http_uri; content:"doPopup="; nocase; http_uri; content:"version="; nocase; http_uri; content:"requested="; nocase; http_uri; content:"CustomerID="; nocase; http_uri; content:"owner="; nocase; http_uri; content:"refer="; nocase; http_uri; content:"LastPrefs="; http_uri; content:"GUID="; nocase; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 5809 SPYWARE-PUT Hijacker shop at home select merchant redirect in progress misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"GRInstallCL.asp"; fast_pattern; nocase; http_uri; content:"E="; nocase; http_uri; content:"MID="; nocase; http_uri; content:"Refer="; nocase; http_uri; content:"WGR="; nocase; http_uri; content:"Prev="; nocase; http_uri; content:"sGUID="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5810 SPYWARE-PUT Hijacker shop at home select installation in progress misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"C0EF89EE-EEC7-4535-A041-F1EBF79560A7"; fast_pattern:only; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0EF89EE-EEC7-4535-A041-F1EBF79560A7/si"; metadata:policy security-ips drop; classtype:misc-activity; 5811 SPYWARE-PUT shop at home select installation in progress - clsid detected www.nuker.com/container/details/shop_at_home_select.php misc-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"From|3A| |22|Stealth Redirector|22|"; fast_pattern:only; content:"Subject|3A| My IP address"; nocase; metadata:policy security-ips drop; classtype:misc-activity; 5812 SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - email notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952 misc-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"CONN"; depth:10; offset:6; nocase; pcre:"/^\x2F(TC|FT)PD\s+CONN/smi"; flowbits:set,StealthRedirector_CreateRedirection; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; 5813 SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - create redirection misc-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,StealthRedirector_CreateRedirection; content:"Created a connection redirect"; depth:29; nocase; metadata:policy security-ips drop; classtype:misc-activity; 5814 SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - create redirection www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952 misc-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"DISC"; depth:10; offset:6; nocase; pcre:"/^\x2F(TC|FT)PD\s+DISC/smi"; flowbits:set,StealthRedirector_DestoryRedirection; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; 5815 SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - destory redirection misc-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,StealthRedirector_DestoryRedirection; content:"Redirection"; nocase; content:"destroyed"; distance:0; nocase; pcre:"/^(TC|FT)P\s+Redirections?\s+destroyed\x21/smi"; metadata:policy security-ips drop; classtype:misc-activity; 5816 SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - destory redirection www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952 misc-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"/STAT"; depth:5; nocase; flowbits:set,StealthRedirector_StatusCheck3; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; 5817 SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - check status misc-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,StealthRedirector_StatusCheck3; content:"TCP Redirection is"; fast_pattern:only; flowbits:set,StealthRedirector_StatusCheck4; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; 5818 SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - check status misc-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,StealthRedirector_StatusCheck4; content:"FTP Redirection is"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 5819 SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - check status www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952 misc-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"/LOGD"; depth:5; nocase; flowbits:set,StealthRedirector_DestoryLog; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; 5820 SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - destory log misc-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,StealthRedirector_DestoryLog; content:"Deleting "; depth:9; nocase; content:"ATTENTION|3A|"; distance:0; nocase; metadata:policy security-ips drop; classtype:misc-activity; 5821 SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - destory log www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952 misc-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"/NETS"; fast_pattern:only; flowbits:set,StealthRedirector_ViewNetstat; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; 5822 SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - view netstat misc-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,StealthRedirector_ViewNetstat; content:"Proto Local IP"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 5823 SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - view netstat www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| Strip-Player"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5824 SPYWARE-PUT Dialer stripplayer runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453072548 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/newsurfer4/mainplocal.htm?"; fast_pattern; nocase; http_uri; content:"brand="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"call="; nocase; http_uri; content:"speed="; nocase; http_uri; content:"unlock="; nocase; http_uri; content:"archive="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 5825 SPYWARE-PUT Adware broadcasturban tuner runtime detection - start tuner www.sunbelt-software.com/research/threat_display.cfm?name=BroadcastURBAN%20tuner&threatid=6093 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/newsurfer4/"; fast_pattern; nocase; http_uri; pcre:"/\x2Fnewsurfer4\x2F((register\.asp)|(survey\.asp\?nUserId=))/Ui"; metadata:policy security-ips drop; classtype:misc-activity; 5826 SPYWARE-PUT Adware broadcasturban tuner runtime detection - pass user info to server www.sunbelt-software.com/research/threat_display.cfm?name=BroadcastURBAN%20tuner&threatid=6093 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/newsurfer4/getgateway.asp?"; fast_pattern; nocase; http_uri; content:"userid="; nocase; http_uri; content:"call="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5827 SPYWARE-PUT Adware broadcasturban tuner runtime detection - get gateway www.sunbelt-software.com/research/threat_display.cfm?name=BroadcastURBAN%20tuner&threatid=6093 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/newsurfer4/"; fast_pattern; nocase; http_uri; content:"brand="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"speed="; nocase; http_uri; content:"title="; nocase; http_uri; content:"artist="; nocase; http_uri; content:"show="; nocase; http_uri; content:"call="; nocase; http_uri; content:"archive="; nocase; http_uri; pcre:"/\x2Fnewsurfer4\x2F[a-zA-Z0-9_-]*\.asp\?brand=/Ui"; metadata:policy security-ips alert; classtype:misc-activity; 5828 SPYWARE-PUT Adware broadcasturban tuner runtime detection - connect to station www.sunbelt-software.com/research/threat_display.cfm?name=BroadcastURBAN%20tuner&threatid=6093 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/omnidirect.cgi"; fast_pattern; nocase; http_uri; content:"SID="; nocase; http_uri; content:"PID="; nocase; http_uri; content:"LID="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"PARMR="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 5829 SPYWARE-PUT Trickler clipgenie runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453073486 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"Gamespy Arcade"; nocase; http_header; metadata:policy security-ips alert; classtype:misc-activity; 5835 SPYWARE-PUT Adware gamespy_arcade runtime detection www.spywareguide.com/product_show.php?id=1241 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/PopupV"; fast_pattern; nocase; http_uri; content:"type="; nocase; http_uri; content:"mSkip="; nocase; http_uri; content:"rnd="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 5836 SPYWARE-PUT Trickler nictech.bm2 runtime detection "research.sunbelt-software.com/threat_display.cfm?name=NicTech.BM2&threatid=15195" successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/iis2ucms.asp"; nocase; content:"RequestString="; distance:0; nocase; content:"UCMXML"; distance:0; nocase; content:"User-Agent|3A| EI"; nocase; http_header; metadata:policy security-ips alert; classtype:successful-recon-limited; 5837 SPYWARE-PUT Trackware ucmore runtime detection - track activity www3.ca.com/securityadvisor/pest/pest.aspx?id=58660 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/iis2ucms_getsponsorlinks.asp"; nocase; content:"RequestString="; distance:0; nocase; content:"UCMXML"; distance:0; nocase; content:"User-Agent|3A| EI"; nocase; http_header; metadata:policy security-ips alert; classtype:successful-recon-limited; 5838 SPYWARE-PUT Trackware ucmore runtime detection - get sponsor/ad links www3.ca.com/securityadvisor/pest/pest.aspx?id=58660 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/click.asp?"; nocase; http_uri; content:"Host|3A| sponsor2.ucmore.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:successful-recon-limited; 5839 SPYWARE-PUT Trackware ucmore runtime detection - click sponsor/ad link www3.ca.com/securityadvisor/pest/pest.aspx?id=58660 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ad/?"; nocase; http_uri; content:"st="; nocase; http_uri; content:"SE="; nocase; http_uri; content:"SID="; nocase; http_uri; content:"Host|3A| www.searchreslt.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 5840 SPYWARE-PUT Hijacker sep runtime detection process.networktechs.com/sep.dll.php misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/WxDataISAPI/WxDataISAPI.cgi"; fast_pattern; nocase; http_uri; content:"Magic="; nocase; http_uri; content:"RegNum="; nocase; http_uri; content:"ZipCode="; nocase; http_uri; content:"StationID="; nocase; http_uri; content:"Units="; nocase; http_uri; content:"Version="; nocase; http_uri; content:"Fore="; nocase; http_uri; content:"t="; nocase; http_uri; content:"lv="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 5841 SPYWARE-PUT Trickler minibug runtime detection - retrieve weather information www.spywareguide.com/product_show.php?id=2178 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/RealMedia/ads/adstream_sx.cgi/www.wbug.com/"; fast_pattern; nocase; http_uri; content:"A1="; nocase; http_uri; content:"A2="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 5842 SPYWARE-PUT Trickler minibug runtime detection - ads www.spywareguide.com/product_show.php?id=2178 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.aspx?"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"client=SSKD"; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5843 SPYWARE-PUT Hijacker surfsidekick runtime detection - hijack ie auto search www3.ca.com/securityadvisor/pest/pest.aspx?id=453090721 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/requestimpression.aspx?"; nocase; content:"ver="; distance:0; nocase; content:"guid="; distance:0; nocase; content:"host="; distance:0; nocase; content:"Host|3A| ads.surfsidekick.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 5844 SPYWARE-PUT Hijacker surfsidekick runtime detection - post request www3.ca.com/securityadvisor/pest/pest.aspx?id=453090721 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/rinfo.htm?"; fast_pattern; nocase; http_uri; content:"host="; nocase; http_uri; content:"action="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"bundle="; nocase; http_uri; content:"client="; nocase; http_uri; content:"guid="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5845 SPYWARE-PUT Hijacker surfsidekick runtime detection - update request www3.ca.com/securityadvisor/pest/pest.aspx?id=453090721 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/a/Drk.syn"; nocase; http_uri; content:"adcontext="; nocase; http_uri; content:"countrycodein="; fast_pattern; nocase; http_uri; content:"lastAdTime="; nocase; http_uri; content:"lastAdCode="; nocase; http_uri; content:"cookie1="; nocase; http_uri; content:"cookie2="; nocase; http_uri; content:"cookie3="; nocase; http_uri; content:"cookie4="; nocase; http_uri; content:"InstID="; nocase; http_uri; content:"status="; nocase; http_uri; content:"smode="; nocase; http_uri; content:"bho="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 5846 SPYWARE-PUT Trickler VX2/DLmax/BestOffers/Aurora runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453096297 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/home.php?"; fast_pattern; nocase; http_uri; content:"ver="; nocase; http_uri; content:"co="; nocase; http_uri; content:"NewUser="; nocase; http_uri; content:"info=WDC"; nocase; http_uri; metadata:policy security-ips alert, service http; classtype:misc-activity; 5847 SPYWARE-PUT Adware warez_p2p runtime detection - p2p client home www.spywareguide.com/category_show.php?id=5 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/updn.php?ver="; nocase; http_uri; content:"Host|3A| data.warezclient.com"; fast_pattern:only; metadata:policy security-ips alert, service http; classtype:misc-activity; 5849 SPYWARE-PUT Adware warez_p2p runtime detection - update request www.spywareguide.com/category_show.php?id=5 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/upd/check?"; nocase; http_uri; content:"version="; nocase; http_uri; content:"localeId="; nocase; http_uri; content:"affid="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"windowsVersion="; nocase; http_uri; content:"rVersion="; nocase; http_uri; content:"updateValue="; nocase; http_uri; content:"User-Agent|3A| Download Agent"; fast_pattern:only; metadata:policy security-ips alert, service http; classtype:misc-activity; 5850 SPYWARE-PUT Adware warez_p2p runtime detection - check update www.spywareguide.com/category_show.php?id=5 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"Indy Library"; nocase; http_header; content:"Host|3A| data.warezclient.com"; fast_pattern:only; metadata:policy security-ips alert, service http; classtype:misc-activity; 5851 SPYWARE-PUT Adware warez_p2p runtime detection - .txt .dat and .lst requests www.spywareguide.com/category_show.php?id=5 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cache/data/cache.dat"; nocase; http_uri; content:"User-Agent|3A| Warez Beta Client"; fast_pattern:only; metadata:policy security-ips alert, service http; classtype:misc-activity; 5852 SPYWARE-PUT Adware warez_p2p runtime detection - cache.dat request www.spywareguide.com/category_show.php?id=5 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?e="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"Host|3A| adserver.warezclient.com"; fast_pattern; nocase; http_header; metadata:policy security-ips alert, service http; classtype:misc-activity; 5853 SPYWARE-PUT Adware warez_p2p runtime detection - download ads www.spywareguide.com/category_show.php?id=5 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cache/cache.php?"; nocase; http_uri; content:"host="; nocase; http_uri; content:"state="; nocase; http_uri; content:"nat="; nocase; http_uri; content:"User-Agent|3A| Warez Beta Client"; fast_pattern:only; metadata:policy security-ips alert, service http; classtype:misc-activity; 5854 SPYWARE-PUT Adware warez_p2p runtime detection - pass user information www.spywareguide.com/category_show.php?id=5 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/mySpeedbarCfg2.jsp?"; fast_pattern; nocase; http_uri; content:"s="; nocase; http_uri; content:"p=ZB"; nocase; http_uri; content:"v="; nocase; http_uri; content:"e="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5855 SPYWARE-PUT Hijacker funbuddyicons runtime detection - request config www.pchell.com/support/funbuddyicons.shtml misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/mysaconfg.jsp?"; nocase; http_uri; content:"User-Agent|3A| "; nocase; http_header; content:"MyWebSearchSearchAssistant"; fast_pattern; nocase; http_header; metadata:policy security-ips drop; classtype:misc-activity; 5857 SPYWARE-PUT Hijacker funbuddyicons runtime detection - mysaconfg request www.pchell.com/support/funbuddyicons.shtml misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/toolbar/"; nocase; http_uri; content:"Host|3A| www.praize.com"; fast_pattern:only; pcre:"/\x2Ftoolbar\x2F((version\x2Etxt)|(notifytoolbar\x2Ehtml))/smi"; metadata:policy security-ips alert; classtype:misc-activity; 5858 SPYWARE-PUT Adware praizetoolbar runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453079048 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/advers/zl/version.txt"; fast_pattern; nocase; http_uri; content:"Host|3A| daosearch.com"; nocase; metadata:policy security-ips drop; classtype:misc-activity; 5859 SPYWARE-PUT Hijacker daosearch runtime detection - information request securityresponse.symantec.com/avcenter/venc/data/adware.daosearch.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"o.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A| daosearch.com"; fast_pattern; nocase; http_header; metadata:policy security-ips drop; classtype:misc-activity; 5860 SPYWARE-PUT Hijacker daosearch runtime detection - search hijack securityresponse.symantec.com/avcenter/venc/data/adware.daosearch.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/xml.php"; nocase; http_uri; content:"tid="; nocase; http_uri; content:"ref="; nocase; http_uri; content:"User-Agent|3A| Toolbar"; fast_pattern:only; pcre:"/tid\x3D\x7B([0-9A-z]+\x2D){4}[0-9A-z]+\x7D/smi"; metadata:policy security-ips drop; classtype:misc-activity; 5861 SPYWARE-PUT Hijacker isearch runtime detection - toolbar information request www3.ca.com/securityadvisor/pest/pest.aspx?id=453082740 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/dns.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"Host|3A| auto.isearch.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 5862 SPYWARE-PUT Hijacker isearch runtime detection - search hijack 1 www3.ca.com/securityadvisor/pest/pest.aspx?id=453082740 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/phrase.php?"; fast_pattern; nocase; http_uri; content:"text="; nocase; http_uri; content:"tid="; nocase; http_uri; content:"ref=%user_id"; nocase; metadata:policy security-ips drop; classtype:misc-activity; 5863 SPYWARE-PUT Hijacker isearch runtime detection - search hijack 2 www3.ca.com/securityadvisor/pest/pest.aspx?id=453082740 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?"; nocase; http_uri; content:"qry_str="; fast_pattern; nocase; http_uri; content:"src=tbi"; nocase; http_uri; content:"tid="; nocase; http_uri; content:"ref="; nocase; http_uri; pcre:"/tid\x3D\x7B([0-9A-z]+\x2D){4}[0-9A-z]+\x7D/smi"; metadata:policy security-ips drop; classtype:misc-activity; 5864 SPYWARE-PUT Hijacker isearch runtime detection - search in toolbar www3.ca.com/securityadvisor/pest/pest.aspx?id=453082740 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cbb/frame.asp?"; nocase; http_uri; content:"cbb="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"Host|3A| www.zapspot.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5865 SPYWARE-PUT Adware zapspot runtime detection - pop up ads www3.ca.com/securityadvisor/pest/pest.aspx?id=453075441 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/CBXml.asp?"; nocase; http_uri; content:"tc="; nocase; http_uri; content:"User-Agent|3A| Toolbar"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5866 SPYWARE-PUT Hijacker couponbar runtime detection - download new coupon offers and links www3.ca.com/securityadvisor/pest/pest.aspx?id=453079137 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/CouponBar/CBXmlFiles/"; fast_pattern; nocase; http_uri; content:".bmp"; nocase; http_uri; content:"User-Agent|3A| Toolbar"; nocase; http_header; metadata:policy security-ips alert; classtype:misc-activity; 5867 SPYWARE-PUT Hijacker couponbar runtime detection - get updates to toolbar buttons www3.ca.com/securityadvisor/pest/pest.aspx?id=453079137 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/CBTerms.asp"; nocase; http_uri; content:"Host|3A| couponbar.coupons.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 5868 SPYWARE-PUT Hijacker couponbar runtime detection - view coupon offers www3.ca.com/securityadvisor/pest/pest.aspx?id=453079137 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/bi/servlet/Thinstall"; fast_pattern:only; content:"User-Agent|3A|"; nocase; http_header; content:".exe"; nocase; http_header; pcre:"/\x2Fbi\x2Fservlet\x2FThinstall(Pre|Result).*^User-Agent\x3A[^\r\n]*\.exe[^\r\n]*\x7B[\dA-Za-z]{8}-[\dA-Za-z]{4}-[\dA-Za-z]{4}-[\dA-Za-z]{4}-[\dA-Za-z]{12}\x7D\x7C[\dA-Za-z]{8}\x7C\d{5}-\d{3}-\d{7}-\d{5}/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 5871 SPYWARE-PUT Trickler VX2/ABetterInternet transponder thinstaller runtime detection - post information www.geekstogo.com/forum/Aurora_spyware_Nailexe-t24344.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/lm/rtl3i.asp"; nocase; http_uri; content:"si="; nocase; http_uri; content:"k="; nocase; http_uri; content:"Host|3A| www.serverlogic3.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:successful-recon-limited; 5872 SPYWARE-PUT Snoopware hyperlinker runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453090785 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A| mPOP Web-Mail"; fast_pattern:only; flowbits:set,PCAcmePro; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 5873 SPYWARE-PUT Snoopware pc acme pro runtime detection www.spywareguide.com/product_show.php?id=2271 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,PCAcmePro; content:"Attached file is PC Acme report"; fast_pattern:only; metadata:policy security-ips drop; classtype:successful-recon-limited; 5874 SPYWARE-PUT Snoopware pc acme pro runtime detection www.spywareguide.com/product_show.php?id=2271 misc-activity tcp $EXTERNAL_NET any -> $HOME_NET 871 flow:to_server,established; content:"Detonate"; depth:8; nocase; metadata:policy security-ips drop; classtype:misc-activity; 5875 SPYWARE-PUT Hacker-Tool eraser runtime detection - detonate www3.ca.com/securityadvisor/pest/pest.aspx?id=453072642 misc-activity tcp $EXTERNAL_NET any -> $HOME_NET 871 flow:to_server,established; content:"Disinfect"; depth:9; nocase; metadata:policy security-ips drop; classtype:misc-activity; 5876 SPYWARE-PUT Hacker-Tool eraser runtime detection - disinfect www3.ca.com/securityadvisor/pest/pest.aspx?id=453072642 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"This is an alert notification from SpyAgent"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:successful-recon-limited; 5882 SPYWARE-PUT Keylogger spyagent runtime detect - alert notification www.spywareguide.com/product_show.php?id=22 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"op="; nocase; http_uri; content:"vic="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"port="; fast_pattern; nocase; http_uri; content:"pass="; nocase; http_uri; pcre:"/pass=(YAHOO|(XP\s+)?MSN|PALTALK)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 5883 SPYWARE-PUT Other-Technologies saria 1.0 runtime detection - send user information www3.ca.com/securityadvisor/pest/pest.aspx?id=453080923 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/software/meta/Update/VersionCheckInfo.ini?c="; fast_pattern; nocase; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 5884 SPYWARE-PUT Hijacker copernic meta toolbar runtime detection - check toolbar & category info www.copernic.com/en/products/meta/ misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/copern.light/redirs_all.htm?"; fast_pattern; nocase; http_uri; content:"pgtarg="; nocase; http_uri; content:"qcat="; nocase; http_uri; content:"qkw="; nocase; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 5885 SPYWARE-PUT Hijacker copernic meta toolbar runtime detection - ie autosearch & search assistant hijack www.copernic.com/en/products/meta/ misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/d/sr/?"; nocase; http_uri; content:"xargs="; nocase; http_uri; content:"yargs="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"metaresults.copernic.com"; nocase; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 5886 SPYWARE-PUT Hijacker copernic meta toolbar runtime detection - pass info to server www.copernic.com/en/products/meta/ misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/9899/search/results.php?"; fast_pattern; nocase; http_uri; content:"source="; nocase; http_uri; content:"pa="; nocase; http_uri; content:"keywords="; nocase; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 5887 SPYWARE-PUT Hijacker shopnav runtime detection - ie search assistant hijack www.spywareguide.com/product_show.php?id=582 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/searchcat.jsp?p="; fast_pattern; nocase; http_uri; content:"appid="; nocase; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"type="; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-activity; 5888 SPYWARE-PUT Hijacker shopnav runtime detection - ie auto search hijack www.spywareguide.com/product_show.php?id=582 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/dat/bgf/trpix.gif?"; nocase; http_uri; content:"rdm="; nocase; http_uri; content:"dlv="; nocase; http_uri; content:"dmn="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"search2.ad.shopnav.com/9899/search/results.php"; nocase; http_header; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:misc-activity; 5889 SPYWARE-PUT Hijacker shopnav runtime detection - collect information www.spywareguide.com/product_show.php?id=582 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/9899/srng/reg.php?"; fast_pattern; nocase; http_uri; content:"IpAddr="; nocase; http_uri; content:"OS="; nocase; http_uri; content:"RegistryChanged="; nocase; http_uri; content:"RegistryUpdate="; nocase; http_uri; content:"Basedir="; nocase; http_uri; content:"SrngInstalled="; nocase; http_uri; content:"SrngVer="; nocase; http_uri; content:"PCID="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 5890 SPYWARE-PUT Hijacker shopnav runtime detection - self-update request 1 www.spywareguide.com/product_show.php?id=582 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/9899/srng/jrnl.php"; nocase; content:"PCID="; distance:0; nocase; content:"OS="; distance:0; nocase; content:"Category="; distance:0; nocase; content:"Field="; distance:0; nocase; content:"Description="; distance:0; nocase; metadata:policy security-ips alert; classtype:misc-activity; 5891 SPYWARE-PUT Hijacker shopnav runtime detection - self-update request 2 www.spywareguide.com/product_show.php?id=582 misc-activity tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:to_server,established; content:"|5C 00|T|00|B|00|2|00|"; metadata:policy security-ips drop; classtype:misc-activity; 5894 SPYWARE-PUT Hacker-Tool timbuktu pro runtime detection - smb www3.ca.com/securityadvisor/pest/pest.aspx?id=453076680 misc-activity tcp $EXTERNAL_NET any -> $HOME_NET 407 flow:to_server,established; content:"|00 01|"; depth:2; content:"|00|R|00|%"; offset:4; flowbits:set,Timbuktu_Pro_TCPPort_407; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; 5895 SPYWARE-PUT Hacker-Tool timbuktu pro runtime detection - tcp port 407 misc-activity tcp $HOME_NET 407 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Timbuktu_Pro_TCPPort_407; content:"|01 01|"; depth:2; content:"|00 8E 00|%"; offset:4; metadata:policy security-ips alert; classtype:misc-activity; 5896 SPYWARE-PUT Hacker-Tool timbuktu pro runtime detection - tcp port 407 www3.ca.com/securityadvisor/pest/pest.aspx?id=453076680 misc-activity udp $EXTERNAL_NET any -> $HOME_NET 407 flow:to_server; content:"|00|%|00 22|"; depth:4; metadata:policy security-ips alert; classtype:misc-activity; 5897 SPYWARE-PUT Hacker-Tool timbuktu pro runtime detection - udp port 407 www3.ca.com/securityadvisor/pest/pest.aspx?id=453076680 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/acts/tracking/track.asp"; nocase; content:"Data="; distance:0; nocase; content:"User-Agent|3A| "; nocase; http_header; content:"AdTools"; nocase; http_header; content:"Host|3A| trackcl.adtoolsinc.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:successful-recon-limited; 5898 SPYWARE-PUT Trackware adtools runtime detection - track user activity www3.ca.com/securityadvisor/pest/pest.aspx?id=453082798 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/roche.asp?"; nocase; http_uri; content:"zip="; nocase; http_uri; content:"User-Agent|3A| "; nocase; http_header; content:"AdTools"; nocase; http_header; content:"Host|3A| www.flustar.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:successful-recon-limited; 5899 SPYWARE-PUT Trackware adtools-screenmate runtime detection - generate desktop alert www3.ca.com/securityadvisor/pest/pest.aspx?id=453082798 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"yourname="; nocase; content:"youremail="; distance:0; nocase; content:"recipname="; distance:0; fast_pattern; nocase; content:"recipemail="; distance:0; nocase; content:"AD="; distance:0; nocase; content:"User-Agent|3A| Async HTTP Agent"; nocase; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:successful-recon-limited; 5900 SPYWARE-PUT Trackware adtools-communicator runtime detection - collect information www3.ca.com/securityadvisor/pest/pest.aspx?id=453082798 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/clientcontent/StewieGriffin/selfupdate.asp?"; fast_pattern; nocase; http_uri; content:"i="; nocase; http_uri; content:"v="; nocase; http_uri; content:"FI="; nocase; http_uri; content:"User-Agent|3A| "; nocase; http_header; content:"AdTools"; nocase; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:successful-recon-limited; 5901 SPYWARE-PUT Trackware adtools-communicator runtime detection - download self-update www3.ca.com/securityadvisor/pest/pest.aspx?id=453082798 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/ads9.dll?"; fast_pattern; nocase; http_uri; content:"HTML="; nocase; http_uri; content:"DAUI="; nocase; http_uri; content:"INC="; nocase; http_uri; content:"DL="; nocase; http_uri; content:"CX="; nocase; http_uri; content:"CY="; nocase; http_uri; content:"IIA="; nocase; http_uri; content:"IIG="; nocase; http_uri; content:"IIP="; nocase; http_uri; content:"III="; nocase; http_uri; content:"V="; nocase; http_uri; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:misc-activity; 5903 SPYWARE-PUT Adware download accelerator plus runtime detection - get ads reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/MirrorSearch.dll?"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| DA"; nocase; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 5904 SPYWARE-PUT Adware download accelerator plus runtime detection - download files reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/GamesTab_realarcade.asp"; fast_pattern; nocase; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 5905 SPYWARE-PUT Adware download accelerator plus runtime detection - games center request reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/update.dll?"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| dapupd"; nocase; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 5906 SPYWARE-PUT Adware download accelerator plus runtime detection - update reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/go/check?"; nocase; http_uri; content:"build="; nocase; http_uri; content:"source="; nocase; http_uri; content:"Host|3A| e2give.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:successful-recon-limited; 5907 SPYWARE-PUT Trackware e2give runtime detection - check update www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/fs-bin/click?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"offerid="; nocase; http_uri; content:"type="; nocase; http_uri; content:"Referer|3A| e2give.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:successful-recon-limited; 5908 SPYWARE-PUT Trackware e2give runtime detection - redirect affiliate site request 1 www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/fs-bin/swat?"; nocase; http_uri; content:"lsnsig="; nocase; http_uri; content:"offerid="; nocase; http_uri; content:"Referer|3A| e2give.com"; fast_pattern; nocase; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:successful-recon-limited; 5909 SPYWARE-PUT Trackware e2give runtime detection - redirect affiliate site request 2 www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049 successful-recon-limited tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"Set-Cookie|3A| "; nocase; content:"Domain=casalemedia.com"; nocase; metadata:policy security-ips alert; classtype:successful-recon-limited; 5910 SPYWARE-PUT Trackware casalemedia runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453082755 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/adserv/GetAd.pl"; fast_pattern; nocase; http_uri; content:"sid="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"rfs="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"uri="; nocase; http_uri; content:"sn="; nocase; http_uri; content:"cv="; nocase; http_uri; content:"mdm="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5911 SPYWARE-PUT Adware smartpops runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453074758 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| My Agent"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 5913 SPYWARE-PUT Trickler smasoft webdownloader runtime detection www.megasecurity.org/trojans/w/webdownloader/Webdownloader1.2.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/download/toolbar/locatorstoolbar"; fast_pattern; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 5914 SPYWARE-PUT Hijacker locatorstoolbar runtime detection - configuration download www3.ca.com/securityadvisor/pest/pest.aspx?id=453076978 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/download/toolbar/dnserror.php?"; fast_pattern; nocase; http_uri; content:"type=dns"; nocase; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 5915 SPYWARE-PUT Hijacker locatorstoolbar runtime detection - autosearch hijack www3.ca.com/securityadvisor/pest/pest.aspx?id=453076978 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.php?"; nocase; http_uri; content:"sidebar=method"; fast_pattern; nocase; http_uri; content:"que="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 5916 SPYWARE-PUT Hijacker locatorstoolbar runtime detection - sidebar search www3.ca.com/securityadvisor/pest/pest.aspx?id=453076978 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/dir/"; nocase; http_uri; content:"Host|3A| www.locators.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5917 SPYWARE-PUT Hijacker locatorstoolbar runtime detection - toolbar search www3.ca.com/securityadvisor/pest/pest.aspx?id=453076978 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ping"; nocase; content:"Host|3A| 195.225."; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5918 SPYWARE-PUT Hijacker painter runtime detection - ping 'alive' signal www.spywareguide.com/product_show.php?id=2730 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.php?"; nocase; http_uri; content:"aff="; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| www.klikvipsearch.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 5919 SPYWARE-PUT Hijacker painter runtime detection - redirect to klikvipsearch www.spywareguide.com/product_show.php?id=2730 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/mtc/yahoo/search.php?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| online-casino-searcher.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 5920 SPYWARE-PUT Hijacker painter runtime detection - redirect yahoo search through online-casino-searcher www.spywareguide.com/product_show.php?id=2730 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/downloads/toolbar/related.asp"; fast_pattern; nocase; http_uri; content:"cli="; nocase; http_uri; content:"dat="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A| www.fast-finder.com"; nocase; metadata:policy security-ips alert; classtype:successful-recon-limited; 5921 SPYWARE-PUT Trackware fftoolbar toolbar runtime detection - send user url request www3.ca.com/securityadvisor/pest/pest.aspx?id=453097640 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/downloads/toolbar/ticker.xml"; fast_pattern; nocase; http_uri; content:"Host|3A| www.fast-finder.com"; nocase; metadata:policy security-ips alert; classtype:successful-recon-limited; 5922 SPYWARE-PUT Trackware fftoolbar toolbar runtime detection - display advertisement news www3.ca.com/securityadvisor/pest/pest.aspx?id=453097640 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/sidebar.asp?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"Host|3A| sidebar.activeshopper.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 5923 SPYWARE-PUT Adware active shopper runtime detection - side search request www.spywareguide.com/product_show.php?id=2410 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/active/redir_sidecheck.php?"; fast_pattern; nocase; http_uri; content:"search="; nocase; http_uri; content:"dom="; nocase; http_uri; content:"Host|3A| data2.activshopper.com"; nocase; metadata:policy security-ips drop; classtype:misc-activity; 5924 SPYWARE-PUT Adware active shopper runtime detection - redirect www.spywareguide.com/product_show.php?id=2410 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/check.asp?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"dom="; nocase; http_uri; content:"Host|3A| sidebar.activeshopper.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5925 SPYWARE-PUT Adware active shopper runtime detection - check www.spywareguide.com/product_show.php?id=2410 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/HG?"; nocase; http_uri; content:"hc="; nocase; http_uri; content:"vcon=ActiveShopper"; fast_pattern; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 5926 SPYWARE-PUT Adware active shopper runtime detection - collect information www.spywareguide.com/product_show.php?id=2410 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cbn/"; nocase; http_uri; content:".smx?"; nocase; http_uri; content:"u="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A| ads.cashsurfers.com"; fast_pattern:only; pcre:"/\x2Fcbn\x2F(c|b)\.smx\?[^\r\n]*u=/Ui"; metadata:policy security-ips alert; classtype:misc-activity; 5927 SPYWARE-PUT Adware cashbar runtime detection - .smx requests www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ads.aspx?"; nocase; http_uri; content:"Host|3A| ads.grokads.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5928 SPYWARE-PUT Adware cashbar runtime detection - ads request www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"si="; nocase; http_uri; content:"Host|3A| www.metareward.com"; fast_pattern:only; pcre:"/\x2F(f|s)\?[^\r\n]*si=/Ui"; metadata:policy security-ips alert; classtype:misc-activity; 5929 SPYWARE-PUT Adware cashbar runtime detection - pop-up ad 1 www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/asp/offers.asp?url=http|3A|/cashsurfers.metareward.com"; fast_pattern; nocase; http_uri; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:misc-activity; 5930 SPYWARE-PUT Adware cashbar runtime detection - pop-up ad 2 www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/connect.cgi?"; nocase; http_uri; content:"usr="; nocase; http_uri; content:"url="; nocase; http_uri; content:"title=CashSurfers"; fast_pattern; nocase; http_uri; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:misc-activity; 5932 SPYWARE-PUT Adware cashbar runtime detection - stats track www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.cgi?"; nocase; http_uri; content:"source="; nocase; http_uri; content:"query="; nocase; http_uri; content:"Host|3A| search.dropspam.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 5933 SPYWARE-PUT Hijacker dropspam runtime detection - search request 1 www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.cgi?"; nocase; http_uri; content:"tbid="; nocase; http_uri; content:"query="; nocase; http_uri; content:"Host|3A| search.dropspam.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 5934 SPYWARE-PUT Hijacker dropspam runtime detection - search request 2 www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.cgi"; nocase; content:"source=lifestyle"; nocase; content:"query="; distance:0; nocase; content:"select="; distance:0; nocase; content:"Host|3A| desksearch.dropspam.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 5935 SPYWARE-PUT Hijacker dropspam runtime detection - search request 3 www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/sidesearch.htm"; nocase; http_uri; content:"Host|3A| sidesearch.dropspam.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 5936 SPYWARE-PUT Hijacker dropspam runtime detection - side search www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/r.php?"; nocase; http_uri; content:"apid="; nocase; http_uri; content:"ldid="; nocase; http_uri; content:"tpid="; nocase; http_uri; content:"ttid="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"st="; nocase; http_uri; content:"cdurl="; nocase; http_uri; content:"srurl="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"mysearch.dropspam.com/index.php?tpid="; nocase; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 5937 SPYWARE-PUT Hijacker dropspam runtime detection - pass information to its controlling server www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/d/sr/?"; nocase; http_uri; content:"xargs="; nocase; http_uri; content:"yargs="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"mysearch.dropspam.com/index.php?tpid="; nocase; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 5938 SPYWARE-PUT Hijacker dropspam runtime detection - third party information collection www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/desktop/"; nocase; http_uri; content:"/toolbar/supremetb"; fast_pattern; nocase; http_uri; content:".cfg"; nocase; http_uri; pcre:"/\x2Fdesktop\x2F\d+\x2Ftoolbar\x2Fsupremetb\d+\.cfg/Ui"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:successful-recon-limited; 5939 SPYWARE-PUT Trackware supreme toolbar runtime detection - get cfg www3.ca.com/securityadvisor/pest/pest.aspx?id=453097530 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/index.php?tpid="; nocase; http_uri; content:"tspid="; nocase; http_uri; content:"prid="; nocase; http_uri; content:"ttid="; nocase; http_uri; content:"st="; nocase; http_uri; content:"Host|3A| supremetoolbar.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:successful-recon-limited; 5940 SPYWARE-PUT Trackware supreme toolbar runtime detection - search request www3.ca.com/securityadvisor/pest/pest.aspx?id=453097530 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ctx/imptrack.php?"; nocase; http_uri; content:"build="; nocase; http_uri; content:"action="; nocase; http_uri; content:"adv="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"supremetoolbar.com/index.php?tpid="; nocase; http_header; metadata:policy security-ips drop; classtype:successful-recon-limited; 5941 SPYWARE-PUT Trackware supreme toolbar runtime detection - track www3.ca.com/securityadvisor/pest/pest.aspx?id=453097530 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/r.php?"; nocase; http_uri; content:"apid="; nocase; http_uri; content:"ldid="; nocase; http_uri; content:"tpid="; nocase; http_uri; content:"ttid="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"st="; nocase; http_uri; content:"cdurl="; nocase; http_uri; content:"srurl="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"supremetoolbar.com/index.php?tpid="; nocase; http_header; metadata:policy security-ips alert; classtype:successful-recon-limited; 5942 SPYWARE-PUT Trackware supreme toolbar runtime detection - pass information to its controlling server www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/d/sr/?"; nocase; http_uri; content:"xargs="; nocase; http_uri; content:"yargs="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"supremetoolbar.com/index.php?tpid="; nocase; http_header; metadata:policy security-ips alert; classtype:successful-recon-limited; 5943 SPYWARE-PUT Trackware supreme toolbar runtime detection - third party information collection www3.ca.com/securityadvisor/pest/pest.aspx?id=453097437 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| FreeAccessBar"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5944 SPYWARE-PUT Adware free access bar runtime detection 1 www.spywareguide.com/product_show.php?id=2493 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/request/req.cgi?"; fast_pattern; nocase; http_uri; content:"gu=TN-internal"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"sp="; nocase; http_uri; content:"v="; nocase; http_uri; content:"sn="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"AID="; nocase; http_uri; content:"FT="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 5946 SPYWARE-PUT Adware weirdontheweb runtime detection - monitor user web activity www3.ca.com/securityadvisor/pest/pest.aspx?id=453094260 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi/logurl.cgi"; nocase; content:"form-data|3B| name=|22|pid|22|"; fast_pattern:only; content:"internal"; nocase; content:"User-Agent|3A| MyPost"; nocase; http_header; metadata:policy security-ips drop; classtype:misc-activity; 5947 SPYWARE-PUT Adware weirdontheweb runtime detection - log url www3.ca.com/securityadvisor/pest/pest.aspx?id=453094260 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/notifier/"; nocase; http_uri; content:"v="; nocase; http_uri; content:"b="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"metadata="; nocase; http_uri; content:"Host|3A| www.weirdontheweb.net"; fast_pattern:only; pcre:"/\x2Fnotifier\x2F(configINTERNAL\.ini)|(update\.cgi)\?/Ui"; metadata:policy security-ips drop; classtype:misc-activity; 5948 SPYWARE-PUT Adware weirdontheweb runtime detection - update notifier www3.ca.com/securityadvisor/pest/pest.aspx?id=453094260 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/Browser/CT48638/1_Simpleticker.htm"; fast_pattern; nocase; http_uri; metadata:policy security-ips alert; classtype:successful-recon-limited; 5949 SPYWARE-PUT Trackware iggsey toolbar detection - simpleticker.htm request www3.ca.com/securityadvisor/pest/pest.aspx?id=453094796 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/iis2ebs.asp"; nocase; content:"User-Agent|3A| EI"; nocase; http_header; content:"RequestString="; nocase; content:"GENERAL_PARAM1"; distance:0; nocase; content:"GENERAL_PARAM2"; distance:0; nocase; metadata:policy security-ips alert; classtype:successful-recon-limited; 5950 SPYWARE-PUT Trackware iggsey toolbar detection - pass information to server www3.ca.com/securityadvisor/pest/pest.aspx?id=453094796 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.php?keywords="; fast_pattern; nocase; http_uri; content:"Host|3A| www.iggsey.com"; nocase; metadata:policy security-ips alert; classtype:successful-recon-limited; 5951 SPYWARE-PUT Trackware iggsey toolbar detection - search request www3.ca.com/securityadvisor/pest/pest.aspx?id=453094796 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/english.asp?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| www.123mania.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 5952 SPYWARE-PUT Hijacker 123mania runtime detection - autosearch hijacking www.spywareguide.com/product_show.php?id=940 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ie?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"hl="; nocase; http_uri; content:"lr="; nocase; http_uri; content:"ie="; nocase; http_uri; content:"btnG="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"www.123mania.com/0409/ie.asp"; nocase; http_header; metadata:policy security-ips drop; classtype:misc-activity; 5953 SPYWARE-PUT Hijacker 123mania runtime detection - sidesearch hijacking www.spywareguide.com/product_show.php?id=940 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| Browser Pal"; fast_pattern:only; metadata:policy security-ips alert; classtype:successful-recon-limited; 5954 SPYWARE-PUT Trackware browserpal runtime detection - post user info to server www3.ca.com/securityadvisor/pest/pest.aspx?id=453074906 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/perl/adblocker.pl"; nocase; http_uri; content:"User-Agent|3A| Popup Stopper |28|BDLL|29| Agent"; nocase; http_header; metadata:policy security-ips drop; classtype:successful-recon-limited; 5955 SPYWARE-PUT Trackware browserpal runtime detection - adblocker function www3.ca.com/securityadvisor/pest/pest.aspx?id=453074906 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; http_uri; content:"from=GhostVoiceServer"; nocase; content:"fromemail="; distance:0; nocase; content:"subject=GhostVoice"; distance:0; nocase; content:"Online"; distance:0; nocase; content:"body="; distance:0; nocase; content:"to="; distance:0; nocase; content:"Send="; distance:0; nocase; metadata:policy security-ips drop; classtype:misc-activity; 5956 SPYWARE-PUT Hacker-Tool ghostvoice 1.02 icq notification of server installation www3.ca.com/securityadvisor/pest/pest.aspx?id=453073224 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"!Request!"; depth:9; flowbits:set,GhostVoice_InitConnection_withpassword; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; 5957 SPYWARE-PUT Hacker-Tool ghostvoice 1.02 runtime detection misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.m?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"q="; nocase; http_uri; content:"r=rxh"; nocase; http_uri; content:"Host|3A| www.raxsearch.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 5960 SPYWARE-PUT Hijacker raxsearch detection - pop-up raxsearch window www.spywareguide.com/product_show.php?id=2485 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/searchfast/ticker.xml"; nocase; http_uri; content:"Host|3A| www.thecommunicator.net"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5961 SPYWARE-PUT Hijacker searchfast detection - news ticker www.spywareguide.com/product_show.php?id=1694 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/fstdirectory/searchResults.php?searchTerm="; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5963 SPYWARE-PUT Hijacker searchfast detection - search request www.spywareguide.com/product_show.php?id=1694 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/data?"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"dat=nsa"; nocase; http_uri; content:"ver=visicom"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A| xml.alexa.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 5964 SPYWARE-PUT Hijacker searchfast detection - track user activity & get 'relates links' of the toolbar www.spywareguide.com/product_show.php?id=1694 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/searchfast/"; nocase; http_uri; content:"/communicatortb"; fast_pattern; nocase; http_uri; content:".cfg"; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 5965 SPYWARE-PUT Hijacker searchfast detection - get toolbar cfg www.spywareguide.com/product_show.php?id=1694 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.php?"; nocase; http_uri; content:"said=bar"; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| www.searchinweb.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:successful-recon-limited; 5966 SPYWARE-PUT trackware searchinweb detection - search request www.spywareguide.com/product_show.php?id=1787 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/click.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"Referer|3A| http|3A|//www.searchinweb.com/search.php?said=bar&q="; fast_pattern; nocase; http_header; metadata:policy security-ips drop; classtype:successful-recon-limited; 5967 SPYWARE-PUT trackware searchinweb detection - click result links www.spywareguide.com/product_show.php?id=1787 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/go.php?c="; nocase; http_uri; content:"Referer|3A| http|3A|//www.searchinweb.com/search.php?said=bar&q="; fast_pattern; nocase; http_header; metadata:policy security-ips drop; classtype:successful-recon-limited; 5968 SPYWARE-PUT trackware searchinweb detection - redirect www.spywareguide.com/product_show.php?id=1787 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/r?X="; nocase; http_uri; content:"Referer|3A| http|3A|//www.searchinweb.com/search.php?said=bar&q="; fast_pattern; nocase; http_header; content:"Host|3A| c.goclick.com"; nocase; http_header; metadata:policy security-ips drop; classtype:successful-recon-limited; 5969 SPYWARE-PUT trackware searchinweb detection - collect information www.spywareguide.com/product_show.php?id=1787 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/r/keys/keys"; nocase; http_uri; content:"User-Agent|3A| Feat2 Updater"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5970 SPYWARE-PUT hijacker smart finder detection - keys update www.spywareguide.com/product_show.php?id=2165 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cnt/hp?"; nocase; http_uri; content:"Host|3A| www.trackhits.cc"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5971 SPYWARE-PUT hijacker smart finder detection - track hits www.spywareguide.com/product_show.php?id=2165 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/sh.php?"; nocase; http_uri; content:"qq="; nocase; http_uri; content:"pin="; nocase; http_uri; content:"v0="; nocase; http_uri; content:"HelpAgent|3A|"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 5972 SPYWARE-PUT hijacker smart finder detection - ie autosearch hijack 1 www.spywareguide.com/product_show.php?id=2165 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/gc/xsearch.php?"; nocase; http_uri; content:"qq="; nocase; http_uri; content:"pin="; nocase; http_uri; content:"v0="; nocase; http_uri; content:"Host|3A| presentsearch.net"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5973 SPYWARE-PUT hijacker smart finder detection - search engines hijack www.spywareguide.com/product_show.php?id=2165 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ad/cc.php?"; nocase; http_uri; content:"pin="; nocase; http_uri; content:"qq="; nocase; http_uri; content:"v0="; nocase; http_uri; content:"Host|3A| www.platinumfinder.net"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5974 SPYWARE-PUT hijacker smart finder detection - pop-up ads www.spywareguide.com/product_show.php?id=2165 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/index.php?tpid="; nocase; http_uri; content:"ttid="; nocase; http_uri; content:"st="; nocase; http_uri; content:"Host|3A| ws1.appswebservice.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5975 SPYWARE-PUT hijacker topfive searchassistant detection - search request www.spywareguide.com/product_show.php?id=2645 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/index.php?"; nocase; http_uri; content:"st="; nocase; http_uri; content:"ldid="; nocase; http_uri; content:"fpid="; nocase; http_uri; content:"fdid="; nocase; http_uri; content:"prid="; nocase; http_uri; content:"tpid="; nocase; http_uri; content:"ttid="; nocase; http_uri; content:"tspid="; nocase; http_uri; content:"pn="; nocase; http_uri; content:"x="; nocase; http_uri; content:"y="; nocase; http_uri; content:"Referer|3A| ws1.appswebservice.com/index.php?tpid="; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5976 SPYWARE-PUT hijacker topfive searchassistant detection - side search www.spywareguide.com/product_show.php?id=2645 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/downloads/rs.asp?"; nocase; content:"u="; distance:0; nocase; content:"p="; distance:0; nocase; content:"b="; distance:0; nocase; content:"c="; distance:0; nocase; content:"v="; distance:0; nocase; content:"o="; distance:0; nocase; content:"s="; distance:0; nocase; content:"User-Agent|3A| TM_SEARCH3"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5977 SPYWARE-PUT hijacker topfive searchassistant detection - post user information to server www.spywareguide.com/product_show.php?id=2645 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/downloads/record_download.asp?"; nocase; content:"c="; distance:0; nocase; content:"psid="; distance:0; nocase; content:"uuuid="; distance:0; nocase; content:"ver="; distance:0; nocase; content:"d="; distance:0; nocase; content:"User-Agent|3A| TM_SEARCH3"; nocase; http_header; metadata:policy security-ips alert; classtype:misc-activity; 5978 SPYWARE-PUT hijacker topfive searchassistant detection - update www.spywareguide.com/product_show.php?id=2645 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/nieuws.dtd"; nocase; http_uri; content:"Host|3A| toolbar.anwb.nl"; fast_pattern:only; content:"Cookie"; nocase; content:"anwbtrack="; distance:0; nocase; content:"ANWBWebService="; distance:0; nocase; metadata:policy security-ips alert; classtype:successful-recon-limited; 5979 SPYWARE-PUT Trackware anwb toolbar runtime detection - track user ip address www3.ca.com/securityadvisor/pest/pest.aspx?id=453078342 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/weer.xml"; nocase; http_uri; content:"Host|3A| toolbar.anwb.nl"; fast_pattern:only; content:"Cookie"; nocase; content:"anwbtrack="; distance:0; nocase; content:"ANWBWebService="; distance:0; nocase; metadata:policy security-ips alert; classtype:successful-recon-limited; 5980 SPYWARE-PUT Trackware anwb toolbar runtime detection - display advertisement www3.ca.com/securityadvisor/pest/pest.aspx?id=453078342 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/results.jsp"; nocase; http_uri; content:"portal_id="; nocase; http_uri; content:"domain=seeq.com"; fast_pattern; nocase; http_uri; content:"tag=toolbar"; nocase; http_uri; content:"keyword="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 5981 SPYWARE-PUT Hijacker seeqtoolbar runtime detection - autosearch hijack or search in toolbar www.spywareguide.com/product_show.php?id=1026 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/lander.jsp"; nocase; http_uri; content:"referrer="; nocase; http_uri; content:"domain=seeqmail.com"; fast_pattern; nocase; http_uri; content:"cm_mmc="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 5982 SPYWARE-PUT Hijacker seeqtoolbar runtime detection - email login page www.spywareguide.com/product_show.php?id=1026 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/Subscriptions/NewsFeed.asp?"; fast_pattern; nocase; http_uri; content:"selection="; nocase; http_uri; content:"distribution="; nocase; http_uri; content:"User-Agent|3A| POWRSTRP"; nocase; http_header; metadata:policy security-ips alert; classtype:misc-activity; 5983 SPYWARE-PUT Adware powerstrip runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453074932 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/stats/stats.cgi"; fast_pattern; nocase; http_uri; content:"userFile="; nocase; content:"Host|3A| "; nocase; content:"push.com"; distance:0; nocase; metadata:policy security-ips drop; classtype:successful-recon-limited; 5984 SPYWARE-PUT Trackware push toolbar installtime detection - user information collect www3.ca.com/securityadvisor/pest/pest.aspx?id=453079100 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/searchv2tb0200.php"; fast_pattern; nocase; http_uri; content:"barid="; nocase; http_uri; metadata:policy security-ips drop; classtype:successful-recon-limited; 5985 SPYWARE-PUT Trackware push toolbar runtime detection - toolbar information request www3.ca.com/securityadvisor/pest/pest.aspx?id=453079100 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"TeomaBar"; nocase; http_header; metadata:policy security-ips alert; classtype:misc-activity; 5986 SPYWARE-PUT Trickler teomasearchbar runtime detection www.castlecops.com/tk731-Teoma_Bar.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/updates/check_img.php?"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"i="; nocase; http_uri; content:"now="; nocase; http_uri; content:"Host|3A| toolbar.wishbone.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5987 SPYWARE-PUT Hijacker wishbone runtime detection www.spywareguide.com/product_show.php?id=1784 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| ZC-Bridge"; fast_pattern:only; metadata:policy security-ips alert; classtype:successful-recon-limited; 5988 SPYWARE-PUT Trackware windupdates-mediagateway runtime detection - post data www3.ca.com/securityadvisor/pest/pest.aspx?id=453094794 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/v2.asmx"; nocase; content:"SOAPAction|3A| |22|http|3A|//ws.broadcastpc.tv/GetConfig|22|"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5989 SPYWARE-PUT Adware broadcastpc runtime detection - get config www3.ca.com/securityadvisor/pest/pest.aspx?id=453074364 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/client/"; nocase; http_uri; content:".aspx"; nocase; http_uri; content:"Host|3A| www.broadcastpc.tv"; fast_pattern:only; pcre:"/\x2Fclient\x2F(view|tvlistings|tvshowtickets|movietickets)\x2Easpx/Ui"; metadata:policy security-ips alert; classtype:misc-activity; 5990 SPYWARE-PUT Adware broadcastpc runtime detection - get up-to-date movie/tv/ad information www3.ca.com/securityadvisor/pest/pest.aspx?id=453074364 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?"; nocase; http_uri; content:"KEYWORD="; nocase; http_uri; content:"T="; nocase; http_uri; content:"ERROR="; nocase; http_uri; content:"Host|3A| websearch.getmirar.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 5991 SPYWARE-PUT Hijacker getmirar runtime detection - search request www3.ca.com/securityadvisor/pest/pest.aspx?id=453077933 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/v70click.cgi?"; fast_pattern; nocase; http_uri; content:"u="; nocase; http_uri; content:"adurl="; nocase; http_uri; content:"adtitle="; nocase; http_uri; content:"adbody="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 5993 SPYWARE-PUT Hijacker getmirar runtime detection - track activity www3.ca.com/securityadvisor/pest/pest.aspx?id=453077933 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/thumbnail.cgi?"; nocase; http_uri; content:"DURL="; nocase; http_uri; content:"TAG="; nocase; http_uri; content:"Host|3A| awbeta.net-nucleus.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5994 SPYWARE-PUT Hijacker getmirar runtime detection - click related button www3.ca.com/securityadvisor/pest/pest.aspx?id=453077933 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/103/co.aspx?"; nocase; http_uri; content:"guid="; nocase; http_uri; content:"cv="; nocase; http_uri; content:"cfv="; nocase; http_uri; content:"sfv="; nocase; http_uri; content:"ciso="; nocase; http_uri; content:"Host|3A| dist.atlas-ia.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5995 SPYWARE-PUT Adware offeragent runtime detection - information checking www3.ca.com/securityadvisor/pest/pest.aspx?id=453096710 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/103/getad.aspx?"; nocase; http_uri; content:"guid="; nocase; http_uri; content:"ciso="; nocase; http_uri; content:"pcpi="; nocase; http_uri; content:"Host|3A| dist.atlas-ia.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 5996 SPYWARE-PUT Adware offeragent runtime detection - ads request www3.ca.com/securityadvisor/pest/pest.aspx?id=453096710 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"testforconnection|0D 0A|"; depth:19; nocase; flowbits:set,CoolCat.1; flowbits:noalert; classtype:trojan-activity; 6012 BACKDOOR coolcat runtime connection detection - tcp 1 www.spywareguide.com/product_show.php?id=555 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1024: flow:to_server,established; flowbits:isset,CoolCat.1; content:"password |22|"; depth:10; nocase; flowbits:set,CoolCat.2; flowbits:noalert; classtype:trojan-activity; 6013 BACKDOOR coolcat runtime connection detection - tcp 2 www.spywareguide.com/product_show.php?id=555 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 800: flow:to_server,established; content:"verifypass|3B|"; depth:11; nocase; flowbits:set,DSK_Lite_1.0_TCP; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6015 BACKDOOR dsk lite 1.0 runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866 trojan-activity tcp $HOME_NET 800: -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,DSK_Lite_1.0_TCP; content:"connect|3B|"; depth:8; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6016 BACKDOOR dsk lite 1.0 runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/whitepages/page_me.php?"; nocase; http_uri; content:"from=DSK"; nocase; http_uri; content:"fromemail=Dsk"; nocase; http_uri; content:"subject=Vics"; nocase; http_uri; content:"body=DSK"; nocase; http_uri; content:"to="; nocase; http_uri; content:"Send="; nocase; http_uri; metadata:policy security-ips drop; classtype:trojan-activity; 6018 BACKDOOR dsk lite 1.0 runtime detection - icq notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866 trojan-activity tcp $EXTERNAL_NET 4225 -> $HOME_NET any flow:from_server,established; content:"+---|7C|"; content:"|7C|---+"; distance:0; pcre:"/\x2B\x2D{3}\x7C[^\r\n]*\x7C\x2D{3}\x2B/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6021 BACKDOOR silent spy 2.10 command response port 4225 www3.ca.com/securityadvisor/pest/pest.aspx?id=453073048 trojan-activity tcp $EXTERNAL_NET 4226 -> $HOME_NET any flow:from_server,established; content:"+---|7C|"; content:"|7C|---+"; distance:0; pcre:"/\x2B\x2D{3}\x7C[^\r\n]*\x7C\x2D{3}\x2B/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6022 BACKDOOR silent spy 2.10 command response port 4226 www3.ca.com/securityadvisor/pest/pest.aspx?id=453073048 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/argh/notify.php?emailaddr="; nocase; http_uri; content:"msg=SERVER"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"SiLENT"; nocase; http_header; content:"SPY"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*SiLENT\s+SPY/smiH"; metadata:policy security-ips drop; classtype:trojan-activity; 6023 BACKDOOR silent spy 2.10 runtime detection - icq notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453073048 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"|C2 C5 CD C4 FD F9 FF 86 E4 9A F8 FF E5 9B 98 E5 FC E1 FD A9 FC C2 C5 99 C0 A9|"; depth:26; metadata:policy security-ips drop; classtype:trojan-activity; 6024 BACKDOOR nuclear rat v6_21 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453077717 trojan-activity tcp $HOME_NET 666 -> $EXTERNAL_NET any flow:from_server,established; content:"DIMBUS"; nocase; content:"Server"; distance:0; nocase; pcre:"/\s{23}DIMBUS\s+Server\s+v\d+\x2E\d+/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6026 BACKDOOR dimbus 1.0 runtime detection - get pc info www3.ca.com/securityadvisor/pest/pest.aspx?id=453060480 trojan-activity udp $HOME_NET 18001 -> $EXTERNAL_NET 18000 content:"H02EXE"; nocase; content:"File"; distance:0; nocase; content:"Name|3A|"; distance:0; nocase; content:"CYBERPAKY"; distance:0; nocase; content:"Operating"; distance:0; nocase; content:"System"; distance:0; nocase; pcre:"/H02EXE\s+File\s+Name\x3A\s+CYBERPAKY\x0D\x0AOperating\s+System/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6028 BACKDOOR cyberpaky runtime detection www.megasecurity.org/trojans/c/cyberpaky/Cyberpaky1.8.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"folder_id="; nocase; http_uri; content:"params_count="; nocase; http_uri; content:"nick_name="; nocase; http_uri; content:"user_email=fkwp@yahoo.com"; nocase; http_uri; content:"user_uin="; nocase; content:"friend_nickname="; nocase; content:"friend_contact="; nocase; content:"x="; nocase; content:"y="; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6029 BACKDOOR fkwp 2.0 runtime detection - icq notification www.spywareguide.com/spydet_3088_eltc_editorfkwp.html trojan-activity tcp $HOME_NET 1024: -> $EXTERNAL_NET any flow:from_server,established; content:"login_ok"; nocase; content:"MiniCommand"; distance:0; nocase; content:"version"; distance:0; nocase; content:"ready"; distance:0; nocase; content:"for"; distance:0; nocase; content:"action"; distance:0; nocase; pcre:"/^login_ok\x5EMiniCommand\s+version\s+\d+\.\d+\.\d+\s+ready\s+for\s+action\x2E/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6035 BACKDOOR minicommand runtime detection - initial connection server-to-client www3.ca.com/securityadvisor/pest/pest.aspx?id=453075932 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A|"; nocase; content:"NetBus"; distance:0; nocase; content:"server"; distance:0; nocase; content:"is"; distance:0; nocase; content:"up"; distance:0; nocase; content:"and"; distance:0; nocase; content:"running"; distance:0; nocase; pcre:"/^Subject\x3A[^\r\n]*NetBus\s+server\s+is\s+up\s+and\s+running/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6037 BACKDOOR netbus 1.7 runtime detection - email notification www.2-spyware.com/file-backdoor-netbus-12-exe.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"win="; nocase; http_uri; content:"rpass="; nocase; http_uri; content:"ServerType=Fade"; nocase; http_uri; content:"id="; nocase; http_uri; metadata:policy security-ips drop; classtype:trojan-activity; 6039 BACKDOOR fade 1.0 runtime detection - notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453076292 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1024: flow:to_server,established; content:"877110"; depth:6; flowbits:set,Fade_kl; flowbits:noalert; classtype:trojan-activity; 6040 BACKDOOR fade 1.0 runtime detection - enable keylogger www3.ca.com/securityadvisor/pest/pest.aspx?id=453076292 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"QTAze1l9"; depth:8; nocase; flowbits:set,fear_0_2.conn.1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6044 BACKDOOR fear 0.2 runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; flowbits:isset,fear_0_2.conn.1; content:"QTAz"; depth:4; nocase; flowbits:set,fear_0_2.conn.2; flowbits:unset,fear_0_2.conn.1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6045 BACKDOOR fear 0.2 runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,fear_0_2.conn.2; content:"QTAxe1h9e1l9"; nocase; flowbits:unset,fear_0_2.conn.2; metadata:policy security-ips drop; classtype:trojan-activity; 6046 BACKDOOR fear 0.2 runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 8799 flow:to_server,established; content:"|AD 86 01 00 08 00 00 00|"; content:"1^Merlin"; distance:0; nocase; pcre:"/^\xad\x86\x01\x00\x08\x00\x00\x001\x5EMerlin/smi"; flowbits:set,FunFactory_conn; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6047 BACKDOOR fun factory runtime detection - connect www.spywareguide.com/product_show.php?id=1649 trojan-activity tcp $HOME_NET 8799 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,FunFactory_conn; content:"100013Agentsvr^^Merlin"; nocase; pcre:"/^100013Agentsvr\x5E\x5EMerlin/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6048 BACKDOOR fun factory runtime detection - connect www.spywareguide.com/product_show.php?id=1649 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 8799 flow:to_server,established; content:"|AB 86 01 00 12 00 00 00|"; flowbits:set,FunFactory_upload; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6049 BACKDOOR fun factory runtime detection - upload www.spywareguide.com/product_show.php?id=1649 trojan-activity tcp $HOME_NET 8799 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,FunFactory_upload; content:"100011"; metadata:policy security-ips drop; classtype:trojan-activity; 6050 BACKDOOR fun factory runtime detection - upload www.spywareguide.com/product_show.php?id=1649 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 8799 flow:to_server,established; content:"|B0 86 01 00 01 00 00 00|0"; flowbits:set,FunFactory_volume; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6051 BACKDOOR fun factory runtime detection - set volume www.spywareguide.com/product_show.php?id=1649 trojan-activity tcp $HOME_NET 8799 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,FunFactory_volume; content:"100016"; metadata:policy security-ips drop; classtype:trojan-activity; 6052 BACKDOOR fun factory runtime detection - set volume www.spywareguide.com/product_show.php?id=1649 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 8799 flow:to_server,established; content:"|AE 86 01 00|"; flowbits:set,FunFactory_doscript; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6053 BACKDOOR fun factory runtime detection - do script remotely www.spywareguide.com/product_show.php?id=1649 trojan-activity tcp $HOME_NET 8799 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,FunFactory_doscript; content:"100014"; metadata:policy security-ips drop; classtype:trojan-activity; 6054 BACKDOOR fun factory runtime detection - do script remotely www.spywareguide.com/product_show.php?id=1649 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|00 00 00 91|I|16 1B|e|1C|"; flowbits:set,bifrose.rev_conn.1; flowbits:noalert; classtype:trojan-activity; 6055 BACKDOOR bifrose 1.1 runtime detection www.spywareguide.com/product_show.php?id=1464 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,bifrose.rev_conn.1; content:"|02 00 00 00|4x"; flowbits:set,bifrose.rev_conn.2; flowbits:unset,bifrose.rev_conn.1; flowbits:noalert; classtype:trojan-activity; 6056 BACKDOOR bifrose 1.1 runtime detection www.spywareguide.com/product_show.php?id=1464 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"Uin="; nocase; http_uri; content:"Name=The Hosts port is"; nocase; http_uri; content:"Name=Your Host is"; nocase; http_uri; content:"Send=yes"; nocase; http_uri; metadata:policy security-ips drop; classtype:trojan-activity; 6058 BACKDOOR neurotickat1.3 runtime detection - icq notification www3.ca.com/securityadvisor/pest/pest.aspx?id=31859 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 831 flow:to_server,established; content:"VER "; depth:4; nocase; flowbits:set,neurotickat.1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6060 BACKDOOR neurotickat1.3 runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=31859 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 831 flow:to_server,established; flowbits:isset,neurotickat.1; content:"FTPON"; nocase; content:"TIME"; distance:0; nocase; pcre:"/FTPON\d+\s+TIME\d+\s+/smi"; flowbits:set,neurotickat.2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6061 BACKDOOR neurotickat1.3 runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=31859 trojan-activity tcp $HOME_NET 831 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,neurotickat.2; content:"One"; nocase; content:"more"; distance:0; nocase; content:"step"; distance:0; nocase; content:"until"; distance:0; nocase; content:"connection."; distance:0; nocase; pcre:"/One\s+more\s+step\s+until\s+connection\x2E/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6062 BACKDOOR neurotickat1.3 runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=31859 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 21212 flow:to_server,established; content:"ver"; depth:3; nocase; flowbits:set,schwindler; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6063 BACKDOOR schwindler 1.82 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=5287 trojan-activity tcp $HOME_NET 21212 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,schwindler; content:"Schwindler"; depth:10; nocase; content:"Servidor"; distance:0; nocase; content:"Porta"; distance:0; nocase; pcre:"/Schwindler\s+Servidor\x2E\s+Porta\s+\d+/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6064 BACKDOOR schwindler 1.82 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=5287 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"password|3B|1|3B|Optix Lite Server Ready"; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6066 BACKDOOR optixlite 1.0 runtime detection - connection success server-to-client www3.ca.com/securityadvisor/pest/pest.aspx?id=453086368 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"from=Optix Lite"; nocase; http_uri; content:"fromemail="; nocase; http_uri; content:"subject=From Optix Lite"; nocase; http_uri; content:"body="; nocase; http_uri; content:"to="; nocase; http_uri; metadata:policy security-ips drop; classtype:trojan-activity; 6069 BACKDOOR optixlite 1.0 runtime detection - icq notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453086368 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 6667 flow:to_server,established; content:"NICK"; nocase; content:"FrEaK_ViCTiM"; distance:0; nocase; pcre:"/^NICK\s+FrEaK_ViCTiM\x0D\x0A/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6070 BACKDOOR freak 1.0 runtime detection - irc notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453073808 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; content:"from=FrEaK_ViCTiM"; nocase; content:"fromemail=FrEaK"; nocase; content:"subject=FrEaK+SERVER"; nocase; content:"body="; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6071 BACKDOOR freak 1.0 runtime detection - icq notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453073808 trojan-activity tcp $HOME_NET 1024: -> $EXTERNAL_NET any flow:from_server,established; content:"027FrEaK_ViCTiM"; depth:15; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6073 BACKDOOR freak 1.0 runtime detection - initial connection server-to-client www.ca.com/us/securityadvisor/pest/pest.aspx?id=453073808 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 7648 flow:to_server,established; content:"UAIIA"; depth:5; nocase; content:"XHX"; distance:0; nocase; content:"YANER"; distance:0; nocase; pcre:"/^UAIIA\s+XHX\s+YANER/smi"; flowbits:set,xhx_cts; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6074 BACKDOOR xhx 1.6 runtime detection - initial connection client-to-server www3.ca.com/securityadvisor/pest/pest.aspx?id=453084140 trojan-activity tcp $HOME_NET 7648 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,xhx_cts; content:" ["; depth:2; metadata:policy security-ips drop; classtype:trojan-activity; 6075 BACKDOOR xhx 1.6 runtime detection - initial connection server-to-client www3.ca.com/securityadvisor/pest/pest.aspx?id=453084140 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1204 flow:to_server,established; content:"23L'esclave|09|49152|09|65535"; depth:23; metadata:policy security-ips drop; classtype:trojan-activity; 6076 BACKDOOR amiboide uploader runtime detection - init connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453088579 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 3505 flow:to_server,established; content:"info"; depth:4; flowbits:set,AutoSpy_GetInformation; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6077 BACKDOOR autospy runtime detection - get information trojan-activity tcp $HOME_NET 3505 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,AutoSpy_GetInformation; content:"Product Name"; depth:12; metadata:policy security-ips drop; classtype:trojan-activity; 6078 BACKDOOR autospy runtime detection - get information www3.ca.com/securityadvisor/pest/pest.aspx?id=59685 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 3505 flow:to_server,established; content:"frmauto"; depth:7; flowbits:set,AutoSpy_ShowAutoSpy; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6079 BACKDOOR autospy runtime detection - show autospy trojan-activity tcp $HOME_NET 3505 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,AutoSpy_ShowAutoSpy; content:"autoSpY shown"; depth:13; metadata:policy security-ips drop; classtype:trojan-activity; 6080 BACKDOOR autospy runtime detection - show autospy www3.ca.com/securityadvisor/pest/pest.aspx?id=59685 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 3505 flow:to_server,established; content:"nraider"; depth:7; flowbits:set,AutoSpy_ShowNudePicture; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6081 BACKDOOR autospy runtime detection - show nude pic trojan-activity tcp $HOME_NET 3505 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,AutoSpy_ShowNudePicture; content:"nude Raider pic"; depth:15; metadata:policy security-ips drop; classtype:trojan-activity; 6082 BACKDOOR autospy runtime detection - show nude pic www3.ca.com/securityadvisor/pest/pest.aspx?id=59685 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 3505 flow:to_server,established; content:"taskhide"; depth:8; flowbits:set,AutoSpy_HideTaskbar; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6083 BACKDOOR autospy runtime detection - hide taskbar trojan-activity tcp $HOME_NET 3505 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,AutoSpy_HideTaskbar; content:"Taskbar hidden"; depth:14; metadata:policy security-ips drop; classtype:trojan-activity; 6084 BACKDOOR autospy runtime detection - hide taskbar www3.ca.com/securityadvisor/pest/pest.aspx?id=59685 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 3505 flow:to_server,established; content:"mkdir"; depth:5; flowbits:set,AutoSpy_MakeDirectory; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6085 BACKDOOR autospy runtime detection - make directory trojan-activity tcp $HOME_NET 3505 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,AutoSpy_MakeDirectory; content:"folder created"; depth:14; metadata:policy security-ips drop; classtype:trojan-activity; 6086 BACKDOOR autospy runtime detection - make directory www3.ca.com/securityadvisor/pest/pest.aspx?id=59685 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"resp1Conectado"; depth:14; flowbits:set,A_Trojan_InitConnection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6087 BACKDOOR a trojan 2.0 runtime detection trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; flowbits:isset,A_Trojan_InitConnection; content:"conec"; depth:5; metadata:policy security-ips drop; classtype:trojan-activity; 6088 BACKDOOR a trojan 2.0 runtime detection - init connection www3.ca.com/securityadvisor/pest/pest.aspx?id=611 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"infme"; depth:5; flowbits:set,A_Trojan_GetMemoryInfo; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6089 BACKDOOR a trojan 2.0 runtime detection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,A_Trojan_GetMemoryInfo; content:"infme"; depth:5; metadata:policy security-ips drop; classtype:trojan-activity; 6090 BACKDOOR a trojan 2.0 runtime detection - get memory info www3.ca.com/securityadvisor/pest/pest.aspx?id=611 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"infhd"; depth:5; flowbits:set,A_Trojan_GetHarddiskInfo; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6091 BACKDOOR a trojan 2.0 runtime detection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,A_Trojan_GetHarddiskInfo; content:"infhd"; depth:5; metadata:policy security-ips drop; classtype:trojan-activity; 6092 BACKDOOR a trojan 2.0 runtime detection - get harddisk info www3.ca.com/securityadvisor/pest/pest.aspx?id=611 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"infdr"; depth:5; flowbits:set,A_Trojan_GetDriveInfo; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6093 BACKDOOR a trojan 2.0 runtime detection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,A_Trojan_GetDriveInfo; content:"infdr"; depth:5; metadata:policy security-ips drop; classtype:trojan-activity; 6094 BACKDOOR a trojan 2.0 runtime detection - get drive info www3.ca.com/securityadvisor/pest/pest.aspx?id=611 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"infsy"; depth:5; flowbits:set,A_Trojan_GetSysInfo; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6095 BACKDOOR a trojan 2.0 runtime detection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,A_Trojan_GetSysInfo; content:"infsy"; depth:5; metadata:policy security-ips drop; classtype:trojan-activity; 6096 BACKDOOR a trojan 2.0 runtime detection - get system info www3.ca.com/securityadvisor/pest/pest.aspx?id=611 trojan-activity udp $EXTERNAL_NET any -> $HOME_NET 27184 flow:to_server; content:"st"; depth:2; nocase; flowbits:set,Alvgus_CheckServer; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6097 BACKDOOR alvgus 2000 runtime detection trojan-activity udp $HOME_NET 27184 -> $EXTERNAL_NET any flow:to_client; flowbits:isset,Alvgus_CheckServer; content:"stAlvgus"; depth:8; nocase; content:"Trojan"; distance:0; nocase; content:"Server"; distance:0; nocase; content:"2000"; distance:0; nocase; pcre:"/^stAlvgus\'s\s+Trojan\s+Server\s+2000/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6098 BACKDOOR alvgus 2000 runtime detection - check server www3.ca.com/securityadvisor/pest/pest.aspx?id=44151 trojan-activity udp $EXTERNAL_NET any -> $HOME_NET 27184 flow:to_server; content:"di"; depth:2; nocase; flowbits:set,Alvgus_ViewDirectory; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6099 BACKDOOR alvgus 2000 runtime detection trojan-activity udp $HOME_NET 27184 -> $EXTERNAL_NET any flow:to_client; flowbits:isset,Alvgus_ViewDirectory; content:"diGetting"; depth:9; nocase; content:"content"; distance:0; nocase; content:"directory"; distance:0; nocase; pcre:"/^diGetting\s+content\s+of\s+directory\x3A/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6100 BACKDOOR alvgus 2000 runtime detection - view content of directory www3.ca.com/securityadvisor/pest/pest.aspx?id=44151 trojan-activity udp $EXTERNAL_NET any -> $HOME_NET 27184 flow:to_server; content:"fe"; depth:2; nocase; flowbits:set,Alvgus_ExecuteCommand; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6101 BACKDOOR alvgus 2000 runtime detection trojan-activity udp $HOME_NET 27184 -> $EXTERNAL_NET any flow:to_client; flowbits:isset,Alvgus_ExecuteCommand; content:"feExecuting"; depth:11; nocase; content:"program"; distance:0; nocase; pcre:"/^feExecuting\s+program\x3A/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6102 BACKDOOR alvgus 2000 runtime detection - execute command www3.ca.com/securityadvisor/pest/pest.aspx?id=44151 trojan-activity udp $EXTERNAL_NET any -> $HOME_NET 27184 flow:to_server; content:"tt"; depth:2; nocase; flowbits:set,Alvgus_UploadFile; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6103 BACKDOOR alvgus 2000 runtime detection trojan-activity udp $HOME_NET 27184 -> $EXTERNAL_NET any flow:to_client; flowbits:isset,Alvgus_UploadFile; content:"ttTransferring"; depth:14; nocase; content:"file"; distance:0; nocase; content:"to"; distance:0; nocase; pcre:"/^ttTransferring\s+file\s+to\x3A/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6104 BACKDOOR alvgus 2000 runtime detection - upload file www3.ca.com/securityadvisor/pest/pest.aspx?id=44151 trojan-activity udp $EXTERNAL_NET any -> $HOME_NET 27184 flow:to_server; content:"tf"; depth:2; nocase; flowbits:set,Alvgus_DownloadFile; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6105 BACKDOOR alvgus 2000 runtime detection trojan-activity udp $HOME_NET 27184 -> $EXTERNAL_NET any flow:to_client; flowbits:isset,Alvgus_DownloadFile; content:"tfTransferring"; depth:14; nocase; content:"file"; distance:0; nocase; content:"from"; distance:0; nocase; pcre:"/^tfTransferring\s+file\s+from\x3A/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6106 BACKDOOR alvgus 2000 runtime detection - download file www3.ca.com/securityadvisor/pest/pest.aspx?id=44151 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"ExecuteUnloadAll"; depth:16; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 6107 BACKDOOR backage 3.1 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=698 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 2589 flow:to_server,established; content:"|0B 00 00 00 07 00 00 00|Connect"; depth:15; nocase; flowbits:set,backdoor.dagger.1.1.40.conn; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6108 BACKDOOR dagger v1.1.40 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=1477 trojan-activity tcp $HOME_NET 2589 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,backdoor.dagger.1.1.40.conn; content:"|07 00 00 00 03 00 00 00|Yes"; depth:11; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6109 BACKDOOR dagger v1.1.40 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=1641 trojan-activity tcp $HOME_NET 9999 -> $EXTERNAL_NET any flow:from_server,established; content:"ForCed"; depth:6; nocase; content:"EnTrY"; distance:0; nocase; content:"|0D 0A 0D 0A 0D 0A|Connection"; distance:0; nocase; content:" Stable"; distance:0; nocase; pcre:"/^ForCed\s+EnTrY\s+\d+\x2E\d+\x2E\d+\x0D\x0A\x0D\x0A\x0D\x0AConnection\s+Stable/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6110 BACKDOOR forced entry v1.1 beta runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=2160 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:" |0D 0A|"; depth:3; nocase; flowbits:set,back.optix.1.32.conn.1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6111 BACKDOOR optix 1.32 runtime detection - init conn www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; flowbits:isset,back.optix.1.32.conn.1; content:"022|AC|"; depth:4; nocase; flowbits:set,back.optix.1.32.conn.2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6112 BACKDOOR optix 1.32 runtime detection - init conn www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,back.optix.1.32.conn.2; content:"001|AC|Optix"; depth:9; nocase; content:"Pro"; distance:0; nocase; content:"Connected"; distance:0; nocase; content:"Successfully!"; distance:0; nocase; pcre:"/^001\xACOptix\s+Pro\s+v\d+\x2E\d+\s+Connected\s+Successfully\x21/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6113 BACKDOOR optix 1.32 runtime detection - init conn www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"!!!Optix"; nocase; content:"Pro"; distance:0; nocase; content:"Server"; distance:0; nocase; content:"Online!!!"; distance:0; nocase; pcre:"/^\x21{3}Optix\s+Pro\s+v\d+\x2E\d+\s+Server\s+Online\x21{3}/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6114 BACKDOOR optix 1.32 runtime detection - email notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/whitepages/page_me/1,,,00.html"; nocase; http_uri; content:"to="; nocase; content:"from="; nocase; content:"fromemail="; nocase; content:"body="; nocase; pcre:"/body=\x2521\x2521\x2521Optix\s+Pro\s+v\d+\x252E\d+\S+sErver\s+Online\x2521\x2521\x2521/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6115 BACKDOOR optix 1.32 runtime detection - icq notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 50766 flow:to_server,established; content:"access flatboost6302"; depth:20; nocase; flowbits:set,back.fore.v1.0.conn.1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6116 BACKDOOR fore v1.0 beta runtime detection - init conn www3.ca.com/securityadvisor/pest/pest.aspx?id=453086922 trojan-activity tcp $HOME_NET 50766 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,back.fore.v1.0.conn.1; content:"access ok "; depth:10; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6117 BACKDOOR fore v1.0 beta runtime detection - init conn www3.ca.com/securityadvisor/pest/pest.aspx?id=453086922 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1023 flow:to_server,established; content:"|0E|Get Resolution"; depth:15; nocase; flowbits:set,NetRunner_Init_Connection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6118 BACKDOOR net runner runtime detection - initial connection client-to-server www3.ca.com/securityadvisor/pest/pest.aspx?id=453077503 trojan-activity tcp $HOME_NET 1023 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,NetRunner_Init_Connection; content:"|0F|New Resoltutione"; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6119 BACKDOOR net runner runtime detection - initial connection server-to-client www3.ca.com/securityadvisor/pest/pest.aspx?id=453077503 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1023 flow:to_server,established; content:"|0D|Download File"; depth:14; nocase; flowbits:set,NetRunner_Download_File; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6120 BACKDOOR net runner runtime detection - download file client-to-server www3.ca.com/securityadvisor/pest/pest.aspx?id=453077503 trojan-activity tcp $HOME_NET 1023 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,NetRunner_Download_File; content:"|08|New File File"; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6121 BACKDOOR net runner runtime detection - download file server-to-client www3.ca.com/securityadvisor/pest/pest.aspx?id=453077503 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 20001 flow:to_server,established; content:"Millenium"; depth:9; nocase; pcre:"/^Millenium\s+\d+\x2E\d+\x2D/smi"; metadata:policy security-ips alert; classtype:trojan-activity; 6122 BACKDOOR millenium v1.0 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453076392 trojan-activity udp $EXTERNAL_NET any -> $HOME_NET 10666 flow:to_server; content:"10"; depth:2; nocase; flowbits:set,Ambush_Ping; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6123 BACKDOOR ambush 1.0 runtime detection - ping client-to-server www3.ca.com/securityadvisor/pest/pest.aspx?id=238 trojan-activity udp $HOME_NET 10666 -> $EXTERNAL_NET any flow:to_client; flowbits:isset,Ambush_Ping; content:"=======>> AMBUSH v"; depth:18; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6124 BACKDOOR ambush 1.0 runtime detection - ping server-to-client www3.ca.com/securityadvisor/pest/pest.aspx?id=238 trojan-activity udp $EXTERNAL_NET any -> $HOME_NET 445 flow:to_server; content:"This is made by yyt_hac!"; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 6127 BACKDOOR dkangel runtime detection - udp client-to-server www3.ca.com/securityadvisor/pest/pest.aspx?id=453076278 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 13473 flow:to_server,established; content:"getowner"; depth:8; flowbits:set,Chupacabra_GetComputerName; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6129 BACKDOOR chupacabra 1.0 runtime detection trojan-activity tcp $HOME_NET 13473 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Chupacabra_GetComputerName; content:"Owner|3A|"; depth:6; metadata:policy security-ips drop; classtype:trojan-activity; 6130 BACKDOOR chupacabra 1.0 runtime detection - get computer name www3.ca.com/securityadvisor/pest/pest.aspx?id=21339 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 13473 flow:to_server,established; content:"getname"; depth:7; flowbits:set,Chupacabra_GetUserName; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6131 BACKDOOR chupacabra 1.0 runtime detection trojan-activity tcp $HOME_NET 13473 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Chupacabra_GetUserName; content:"Current"; nocase; content:"User"; distance:0; nocase; content:"Logged"; distance:0; nocase; pcre:"/^Current\s+User\s+Logged\s+on\x3A/"; metadata:policy security-ips drop; classtype:trojan-activity; 6132 BACKDOOR chupacabra 1.0 runtime detection - get user name www3.ca.com/securityadvisor/pest/pest.aspx?id=21339 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 13473 flow:to_server,established; content:"sndmsg|5C|"; depth:7; metadata:policy security-ips drop; classtype:trojan-activity; 6133 BACKDOOR chupacabra 1.0 runtime detection - send messages www3.ca.com/securityadvisor/pest/pest.aspx?id=21339 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 13473 flow:to_server,established; content:"delete|5C|"; depth:7; metadata:policy security-ips drop; classtype:trojan-activity; 6134 BACKDOOR chupacabra 1.0 runtime detection - delete file www3.ca.com/securityadvisor/pest/pest.aspx?id=21339 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 12566 flow:to_server,established; content:">>Send Capture"; depth:14; metadata:policy security-ips drop; classtype:trojan-activity; 6136 BACKDOOR clindestine 1.0 runtime detection - capture big screen www3.ca.com/securityadvisor/pest/pest.aspx?id=1295 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 12566 flow:to_server,established; content:"small"; depth:5; metadata:policy security-ips drop; classtype:trojan-activity; 6137 BACKDOOR clindestine 1.0 runtime detection - capture small screen www3.ca.com/securityadvisor/pest/pest.aspx?id=1295 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 12566 flow:to_server,established; content:"info"; depth:4; metadata:policy security-ips drop; classtype:trojan-activity; 6138 BACKDOOR clindestine 1.0 runtime detection - get computer info www3.ca.com/securityadvisor/pest/pest.aspx?id=1295 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 12566 flow:to_server,established; content:"system"; depth:6; metadata:policy security-ips drop; classtype:trojan-activity; 6139 BACKDOOR clindestine 1.0 runtime detection - get system directory www3.ca.com/securityadvisor/pest/pest.aspx?id=1295 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 6666 flow:to_server,established; content:"DCIClient12|0A|"; depth:12; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6143 BACKDOOR dark connection inside v1.2 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453075571 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"notifuin"; depth:8; nocase; flowbits:set,Mantis_Notify1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6144 BACKDOOR mantis runtime detection - sent notify option client-to-server 1 www3.ca.com/securityadvisor/pest/pest.aspx?id=3648 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Mantis_Notify1; content:"sendsubject"; depth:11; nocase; flowbits:set,Mantis_Notify2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6145 BACKDOOR mantis runtime detection - sent notify option server-to-client www3.ca.com/securityadvisor/pest/pest.aspx?id=3648 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; flowbits:isset,Mantis_Notify2; content:"notifsubject"; depth:12; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 6146 BACKDOOR mantis runtime detection - sent notify option client-to-server 2 www3.ca.com/securityadvisor/pest/pest.aspx?id=3648 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"gotoadres"; depth:9; nocase; flowbits:set,Mantis_GotoAdress; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6147 BACKDOOR mantis runtime detection - go to address client-to-server www3.ca.com/securityadvisor/pest/pest.aspx?id=3648 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Mantis_GotoAdress; content:"adressgoneto"; depth:12; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6148 BACKDOOR mantis runtime detection - go to address server-to-client www3.ca.com/securityadvisor/pest/pest.aspx?id=3648 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 6969 flow:to_server,established; content:"con"; depth:3; nocase; flowbits:set,backdoor.netcontro.1.0.8.conn; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6149 BACKDOOR netcontrol v1.0.8 runtime detection www.system-help.com/spyware/netcontrol/ trojan-activity tcp $HOME_NET 6969 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,backdoor.netcontro.1.0.8.conn; content:"con1.08"; depth:7; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6150 BACKDOOR netcontrol v1.0.8 runtime detection www.system-help.com/spyware/netcontrol/ trojan-activity tcp $HOME_NET 33812 -> $EXTERNAL_NET any flow:from_server,established; content:" You"; depth:4; nocase; content:"are"; distance:0; nocase; content:"now"; distance:0; nocase; content:"connected"; distance:0; nocase; content:"to"; distance:0; nocase; content:"an"; distance:0; nocase; content:"BackAtTaCk"; distance:0; nocase; content:"server"; distance:0; nocase; pcre:"/You\s+are\s+now\s+connected\s+to\s+an\s+BackAtTaCk\s+server/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6151 BACKDOOR back attack v1.4 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453074438 trojan-activity udp $EXTERNAL_NET any -> $HOME_NET 4950 flow:to_server; content:"chdir "; depth:6; nocase; flowbits:set,Dirtxt_Chdir; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6152 BACKDOOR dirtxt runtime detection - chdir client-to-server www.spywareguide.com/spydet_1396_dirtxt_trojan.html trojan-activity udp $HOME_NET 4950 -> $EXTERNAL_NET any flow:to_client; flowbits:isset,Dirtxt_Chdir; content:"chdir "; depth:6; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6153 BACKDOOR dirtxt runtime detection - chdir server-to-client www.spywareguide.com/spydet_1396_dirtxt_trojan.html trojan-activity udp $EXTERNAL_NET any -> $HOME_NET 4950 flow:to_server; content:"info"; depth:4; nocase; flowbits:set,Dirtxt_Info; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6154 BACKDOOR dirtxt runtime detection - info client-to-server www.spywareguide.com/spydet_1396_dirtxt_trojan.html trojan-activity udp $HOME_NET 4950 -> $EXTERNAL_NET any flow:to_client; flowbits:isset,Dirtxt_Info; content:"info"; depth:4; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6155 BACKDOOR dirtxt runtime detection - info server-to-client www.spywareguide.com/spydet_1396_dirtxt_trojan.html trojan-activity udp $EXTERNAL_NET any -> $HOME_NET 4950 flow:to_server; content:"view"; depth:4; nocase; flowbits:set,Dirtxt_View; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6156 BACKDOOR dirtxt runtime detection - view client-to-server www.spywareguide.com/spydet_1396_dirtxt_trojan.html trojan-activity udp $HOME_NET 4950 -> $EXTERNAL_NET any flow:to_client; flowbits:isset,Dirtxt_View; content:"view"; depth:4; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6157 BACKDOOR dirtxt runtime detection - view server-to-client www.spywareguide.com/spydet_1396_dirtxt_trojan.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 6071 flow:to_server,established; content:"enableklog"; depth:10; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6159 BACKDOOR delirium of disorder runtime detection - enable keylogger www.megasecurity.org/trojans/d/deleriumofdisorder/Deleriumofdisorder.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 6071 flow:to_server,established; content:"stopklog"; depth:8; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6160 BACKDOOR delirium of disorder runtime detection - stop keylogger www.megasecurity.org/trojans/d/deleriumofdisorder/Deleriumofdisorder.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"|03 00 1C 00 00 00 00 00 01|Furax "; depth:15; nocase; content:"Server|00|"; distance:0; pcre:"/^\x03\x00\x1c\x00\x00\x00\x00\x00\x01Furax\s+\d+\.\d+\w+\s+Server\x00/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6161 BACKDOOR furax 1.0 b2 runtime detection www.megasecurity.org/trojans/f/furax/Furax1.0b2.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"GOODPWD"; depth:7; nocase; flowbits:set,backdoor.psyrat.runtime.detection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6164 BACKDOOR psyrat 1.0 runtime detection www.megasecurity.org/trojans/p/psyrat/Psyrat1.0.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,backdoor.psyrat.runtime.detection; content:"PsyRAT_10A"; depth:10; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6165 BACKDOOR psyrat 1.0 runtime detection www.megasecurity.org/trojans/p/psyrat/Psyrat1.0.html trojan-activity tcp $HOME_NET 666 -> $EXTERNAL_NET any flow:from_server,established; content:"Connected to"; depth:12; nocase; pcre:"/^Connected\s+to\s+[^\r\n]*\x28\d+\.\d+\.\d+\.\d+\x29/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6166 BACKDOOR unicorn runtime detection - initial connection www.spywareguide.com/product_show.php?id=1506 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 666 flow:to_server,established; content:"WALLPAPER "; depth:10; nocase; flowbits:set,Unicore_SetWallpaper; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6167 BACKDOOR unicorn runtime detection - set wallpaper client-to-server www.spywareguide.com/product_show.php?id=1506 trojan-activity tcp $HOME_NET 666 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Unicore_SetWallpaper; content:"Wallpaper Changed"; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6168 BACKDOOR unicorn runtime detection - set wallpaper server-to-client www.spywareguide.com/product_show.php?id=1506 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 2600 flow:to_server,established; content:"iiiiiiinfo"; depth:10; nocase; flowbits:set,backdoor.digital.rootbeer.conn; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6169 BACKDOOR digital rootbeer runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=1641 trojan-activity tcp $HOME_NET 2600 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,backdoor.digital.rootbeer.conn; content:"/NFO,Registered"; depth:15; nocase; content:"Owner|3A|"; distance:0; nocase; content:"|0D 0A|Current"; distance:0; nocase; content:" user|3A|"; distance:0; nocase; pcre:"/^\x2FNFO\x2CRegistered\s+Owner\x3A\s+[^\r\n]*\x0D\x0ACurrent\s+user\x3A\s+/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6170 BACKDOOR digital rootbeer runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=1641 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 6969 flow:to_server,established; content:"ver|0D 0A|"; depth:5; flowbits:set,CookieMonster_GetVersionInfo; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6171 BACKDOOR cookie monster 0.24 runtime detection trojan-activity tcp $HOME_NET 6969 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,CookieMonster_GetVersionInfo; content:"Cookie"; content:"Monster"; distance:0; content:"server"; distance:0; content:"engine"; distance:0; pcre:"/Cookie\s+Monster\s+server\s+engine/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6172 BACKDOOR cookie monster 0.24 runtime detection - get version info www3.ca.com/securityadvisor/pest/pest.aspx?id=453084262 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 6969 flow:to_server,established; content:"ls|0D 0A|"; depth:4; flowbits:set,CookieMonster_FileExplorer; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6173 BACKDOOR cookie monster 0.24 runtime detection trojan-activity tcp $HOME_NET 6969 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,CookieMonster_FileExplorer; content:"ls|01|.|01|..|01|"; depth:8; metadata:policy security-ips alert; classtype:trojan-activity; 6174 BACKDOOR cookie monster 0.24 runtime detection - file explorer www3.ca.com/securityadvisor/pest/pest.aspx?id=453084262 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 6969 flow:to_server,established; content:"krnlkill|0D 0A|"; depth:10; metadata:policy security-ips drop; classtype:trojan-activity; 6175 BACKDOOR cookie monster 0.24 runtime detection - kill kernel www3.ca.com/securityadvisor/pest/pest.aspx?id=453084262 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"Server|3A|"; nocase; content:"Guptachar"; distance:0; nocase; pcre:"/^Server\x3A\s+Guptachar\s+\d+\x2E\d+/smi"; metadata:policy security-ips alert; classtype:trojan-activity; 6176 BACKDOOR guptachar 2.0 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453073814 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"Killpro|7C|"; depth:8; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6177 BACKDOOR ultimate destruction runtime detection - kill process client-to-server www.splintersecurity.com trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"Killwidows|7C|"; depth:11; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6178 BACKDOOR ultimate destruction runtime detection - kill windows client-to-server www.splintersecurity.com trojan-activity tcp $HOME_NET 5400 -> $EXTERNAL_NET any flow:from_server,established; content:"Blade Runner"; depth:12; nocase; pcre:"/^Blade\s+Runner\s+ver\s+\d+/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6179 BACKDOOR bladerunner 0.80 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=862 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 57341 flow:to_server,established; content:"NSClient-sPISPJ99"; depth:17; nocase; flowbits:set,backdoor.netraider.0.0.runtime; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6180 BACKDOOR netraider 0.0 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=3979 trojan-activity tcp $HOME_NET 57341 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,backdoor.netraider.0.0.runtime; content:"NSServer-sPISPJ99"; depth:17; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6181 BACKDOOR netraider 0.0 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=3979 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/trackedevent.aspx?"; fast_pattern; nocase; http_uri; content:"eid="; nocase; http_uri; content:"mt="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"basename="; nocase; http_uri; content:"time="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6183 SPYWARE-PUT Adware 180Search assistant runtime detection - tracked event URL www3.ca.com/securityadvisor/pest/pest.aspx?id=453090677 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/config.aspx?"; nocase; http_uri; content:"did="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"duid="; nocase; http_uri; content:"partner_id="; nocase; http_uri; content:"product_id="; http_uri; content:"Host|3A| config.180solutions.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 6184 SPYWARE-PUT Adware 180Search assistant runtime detection - config upload www3.ca.com/securityadvisor/pest/pest.aspx?id=453090677 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| SpywareStrike"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 6186 SPYWARE-PUT Other-Technologies SpywareStrike Runtime Detection www.spywareguide.com/product_show.php?id=2438 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ist/scripts/"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6187 SPYWARE-PUT Adware ISTBar runtime detection - scripts www3.ca.com/securityadvisor/pest/pest.aspx?id=453075516 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ist/bars/istbar"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6188 SPYWARE-PUT Adware ISTBar runtime detection - bar www3.ca.com/securityadvisor/pest/pest.aspx?id=453075516 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| Try2Find Toolbar"; fast_pattern:only; metadata:policy security-ips alert; classtype:successful-recon-limited; 6189 SPYWARE-PUT Trackware try2find detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453096392 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-SpectorSerial|3A|"; nocase; content:"X-SpectorMachineID|3A|"; fast_pattern:only; content:"X-SpectorBuild|3A|"; nocase; content:"eBlaster"; nocase; metadata:policy security-ips drop; classtype:successful-recon-limited; 6190 SPYWARE-PUT Keylogger eblaster 5.0 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453090687 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| Visicom"; fast_pattern:only; content:"Host|3A| onetoolbar"; nocase; metadata:policy security-ips alert; classtype:successful-recon-limited; 6191 SPYWARE-PUT Trackware onetoolbar runtime detection www.spywareguide.com/product_show.php?id=2746 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/display.aspx?"; nocase; http_uri; content:"adid="; nocase; http_uri; content:"kwid="; nocase; http_uri; content:"umt="; nocase; http_uri; content:"inid="; nocase; http_uri; content:"Referer|3A| "; nocase; http_header; content:"tv.seekmo.com/showme.aspx?keyword="; nocase; http_header; metadata:policy security-ips drop; classtype:misc-activity; 6193 SPYWARE-PUT Adware seekmo runtime detection - pop up ads www.spywareguide.com/product_show.php?id=2368 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/config.aspx?"; nocase; http_uri; content:"did="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"duid="; nocase; http_uri; content:"partner_id="; nocase; http_uri; content:"product_id="; nocase; http_uri; content:"Host|3A| config.seekmo.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 6194 SPYWARE-PUT Adware seekmo runtime detection - config upload www.spywareguide.com/product_show.php?id=2368 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/downloads/ff/"; nocase; http_uri; content:"/seekmo/npclntax.CAB"; nocase; http_uri; content:"Host|3A| installs.seekmo.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 6195 SPYWARE-PUT Adware seekmo runtime detection - download .cab www.spywareguide.com/product_show.php?id=2368 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cs/cs.aspx?"; nocase; http_uri; content:"Host|3A| cs.smartshopper.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 6196 SPYWARE-PUT Hijacker smart shopper runtime detection - services requests vil.mcafeesecurity.com/vil/content/v_133312.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"smrtshpr-cs-"; nocase; http_header; metadata:policy security-ips alert; classtype:misc-activity; 6197 SPYWARE-PUT Hijacker smart shopper runtime detection - track/upgrade/report activities vil.mcafeesecurity.com/vil/content/v_133312.htm successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/content/logUserAction.do"; fast_pattern; nocase; http_uri; content:"uuid="; nocase; http_uri; content:"type="; nocase; http_uri; content:"stsb_SitelistVersion="; nocase; http_uri; content:"stsb_Os="; nocase; http_uri; content:"stsb_Browser"; nocase; http_uri; content:"stsb_Version"; nocase; http_uri; content:"stsb_Download"; nocase; http_uri; content:"stsb_InstallVersion"; nocase; http_uri; content:"usageEnabled"; nocase; http_uri; content:"phishingEnabled"; nocase; http_uri; content:"shoppingEnabled"; nocase; http_uri; content:"User-Agent|3A| SQTR_VERIFY"; nocase; http_header; metadata:policy security-ips alert; classtype:successful-recon-limited; 6198 SPYWARE-PUT Trackware squaretrade side bar runtime detection - collect user information vil.mcafeesecurity.com/vil/content/v_137515.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/files/adframe.aspx?"; nocase; http_uri; content:"SE="; nocase; http_uri; content:"ST="; nocase; http_uri; content:"Host|3A| www.searchreslt.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 6199 SPYWARE-PUT Hijacker smart search runtime detection - hijack/ads www3.ca.com/securityadvisor/pest/pest.aspx?id=453078876 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/settings/"; nocase; content:"Host|3A| www.searchreslt.com"; distance:0; nocase; metadata:policy security-ips alert; classtype:misc-activity; 6200 SPYWARE-PUT Hijacker smart search runtime detection - get settings www3.ca.com/securityadvisor/pest/pest.aspx?id=453078876 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/twain/servlet/Twain"; fast_pattern; nocase; http_uri; content:"adcontext="; nocase; http_uri; content:"contextpeak="; nocase; http_uri; content:"contextcount="; nocase; http_uri; content:"countrycodein="; nocase; http_uri; content:"cookie1="; nocase; http_uri; content:"cookie2="; nocase; http_uri; content:"InstID="; nocase; http_uri; content:"status="; nocase; http_uri; content:"smode="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6201 SPYWARE-PUT Adware twaintec runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453078844 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/a/Aid.sen?StubName=farmmext"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| Stubby"; nocase; http_header; metadata:policy security-ips drop; classtype:misc-activity; 6202 SPYWARE-PUT Trickler farmmext installtime/update request www3.ca.com/securityadvisor/pest/pest.aspx?id=453090784 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/a/Drk.syn?"; fast_pattern; nocase; http_uri; content:"bho="; nocase; http_uri; content:"DistID="; nocase; http_uri; content:"MM_RECO.EXE"; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 6203 SPYWARE-PUT Trickler farmmext runtime detection - drk.syn request www3.ca.com/securityadvisor/pest/pest.aspx?id=453090784 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/imp/servlet/ImpServe?"; fast_pattern; nocase; http_uri; content:"urlContext="; nocase; http_uri; content:"domainContext="; nocase; http_uri; content:"distID="; nocase; http_uri; content:"MM_RECO.EXE"; nocase; http_uri; content:"country="; nocase; http_uri; content:"transponderID="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6204 SPYWARE-PUT Trickler farmmext runtime detection - track activity www3.ca.com/securityadvisor/pest/pest.aspx?id=453090784 misc-activity tcp $HOME_NET 7001 -> $EXTERNAL_NET any flow:from_server,established; content:"hello>WELCOMEwho do u want to phuk today>"; depth:41; nocase; metadata:policy security-ips drop; classtype:misc-activity; 6205 SPYWARE-PUT Hacker-Tool freak 88 das runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=2181 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET 42 flow:to_server,established; content:"|07|MESSAGE|00 00 00 00|"; depth:12; metadata:policy security-ips alert; classtype:misc-activity; 6206 SPYWARE-PUT Hacker-Tool sin stealer 1.1 runtime detection www.megasecurity.org/trojans/s/sinstealer/Sinstealer1.1.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/GetAd/"; nocase; http_uri; content:"Host|3A| "; nocase; content:"deskwizz.com"; distance:0; nocase; metadata:policy security-ips alert; classtype:misc-activity; 6209 SPYWARE-PUT Adware deskwizz/zquest runtime detection - get config information / ad banner www.symantec.com/avcenter/venc/data/adware.zquest.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/select/Get"; nocase; http_uri; pcre:"/select\x2FGet(One|SbAts)\x2Ephp/Ui"; content:"Host|3A| "; nocase; content:"deskwizz.com"; distance:0; nocase; metadata:policy security-ips drop; classtype:misc-activity; 6211 SPYWARE-PUT Adware deskwizz runtime detection - pop-up ad request www.spywareguide.com/product_show.php?id=1127 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| CommonName Agent"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 6212 SPYWARE-PUT Adware commonname runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453078618 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".aspx?"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"affiliateid="; nocase; http_uri; content:"Host|3A| client.browseraccelerator.com"; fast_pattern:only; pcre:"/\x2F(word)|(news)|(weather)|(joke)|(tip)\x2Easpx\?/Ui"; metadata:policy security-ips alert; classtype:misc-activity; 6213 SPYWARE-PUT Hijacker 7fasst runtime detection - auto requests www3.ca.com/securityadvisor/pest/pest.aspx?id=453072502 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/searchweb.aspx?"; fast_pattern; nocase; http_uri; content:"userid="; nocase; http_uri; content:"affiliateid="; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"theurl="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6214 SPYWARE-PUT Hijacker 7fasst runtime detection - search www3.ca.com/securityadvisor/pest/pest.aspx?id=453072502 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/data/track.aspx?"; fast_pattern; nocase; http_uri; content:"version="; nocase; http_uri; content:"userid="; nocase; http_uri; content:"affiliateid="; nocase; http_uri; content:"theurl="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6215 SPYWARE-PUT Hijacker 7fasst runtime detection - track www3.ca.com/securityadvisor/pest/pest.aspx?id=453072502 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/copilot/copilotcfg.jsp?"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| "; nocase; http_header; content:"iWon"; nocase; http_header; metadata:policy security-ips drop; classtype:misc-activity; 6216 SPYWARE-PUT Adware aornum/iwon copilot runtime detection - config www3.ca.com/securityadvisor/pest/pest.aspx?id=453072491 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ad_string.js?"; fast_pattern; nocase; http_uri; content:"tagad"; nocase; http_uri; content:"site=iwon"; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6218 SPYWARE-PUT Adware aornum/iwon copilot runtime detection - ads www3.ca.com/securityadvisor/pest/pest.aspx?id=453072491 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/bonzibuddy/"; fast_pattern; nocase; http_uri; content:".nbd"; nocase; http_uri; pcre:"/\x2Fbonzibuddy\x2F(updates|products|daily)\x2Enbd/Ui"; metadata:policy security-ips alert; classtype:misc-activity; 6219 SPYWARE-PUT Adware bonzibuddy runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=59256 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A| Boss Everyware"; fast_pattern:only; metadata:policy security-ips alert; classtype:successful-recon-limited; 6220 SPYWARE-PUT Keylogger boss everyware runtime detection www.spywareguide.com/product_show.php?id=4 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"From|3A| keys<keys@hotpop.com>"; fast_pattern:only; metadata:policy security-ips drop; classtype:successful-recon-limited; 6221 SPYWARE-PUT Keylogger computerspy runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453072991 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/Delfin/ini.html"; nocase; http_uri; content:"pBrd"; nocase; http_uri; content:"pIsp"; nocase; http_uri; content:"pVer"; nocase; http_uri; content:"pSer"; nocase; http_uri; content:"User-Agent|3A| PromulGate"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 6222 SPYWARE-PUT Adware delfin media viewer runtime detection - contact server www3.ca.com/securityadvisor/pest/pest.aspx?id=453076775 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/Delfin/schedule.html"; nocase; http_uri; content:"pBrd"; nocase; http_uri; content:"pSch"; nocase; http_uri; content:"pIsp"; nocase; http_uri; content:"pVer"; http_uri; content:"pZip"; nocase; http_uri; content:"pSer"; nocase; http_uri; content:"User-Agent|3A| PromulGate"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 6223 SPYWARE-PUT Adware delfin media viewer runtime detection - retrieve schedule www3.ca.com/securityadvisor/pest/pest.aspx?id=453076775 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/q.cgi?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| wwd.ieplugin"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 6224 SPYWARE-PUT Hijacker ieplugin runtime detection - search www3.ca.com/securityadvisor/pest/pest.aspx?id=453072530 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/bar/links.php?affid="; nocase; http_uri; content:"Host|3A| toolbar.i-lookup.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 6230 SPYWARE-PUT Hijacker i-lookup runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453074914 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/thumbnail.cgi"; nocase; http_uri; content:"DURL"; nocase; http_uri; content:"Host|3A| www.mirarsearch.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 6232 SPYWARE-PUT Adware mirar runtime detection - thumbnail www3.ca.com/securityadvisor/pest/pest.aspx?id=453078818 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/delayed.cgi"; nocase; http_uri; content:"g"; nocase; http_uri; content:"edata"; nocase; http_uri; content:"q"; nocase; http_uri; content:"User-Agent|3A| Mirar_KeywordContent"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 6233 SPYWARE-PUT Adware mirar runtime detection - delayed www3.ca.com/securityadvisor/pest/pest.aspx?id=453078818 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/v70click.cgi"; nocase; http_uri; content:"Host|3A| www.mirarsearch.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 6234 SPYWARE-PUT Adware mirar runtime detection - ads www3.ca.com/securityadvisor/pest/pest.aspx?id=453078818 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/abt?data="; nocase; http_uri; content:"User-Agent|3A| Travel Update"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 6236 SPYWARE-PUT Adware lop runtime detection - pass info to server www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/upd/check?version="; nocase; http_uri; content:"User-Agent|3A| Download UBAgent"; fast_pattern:only; content:"Host|3A| upd.lop.com"; nocase; metadata:policy security-ips alert; classtype:misc-activity; 6237 SPYWARE-PUT Adware lop runtime detection - check update request www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/tba/"; nocase; content:"guid="; distance:0; nocase; content:"version="; distance:0; nocase; content:"clientid="; distance:0; nocase; content:"time="; distance:0; nocase; content:"locale="; distance:0; nocase; content:"session="; distance:0; nocase; content:"id="; distance:0; nocase; content:"idle="; distance:0; nocase; content:"queued="; distance:0; nocase; content:"crc="; distance:0; nocase; content:"User-Agent|3A| TPSystem"; fast_pattern:only; pcre:"/\x2Ftba\x2F(cm)|(cu)\?/smi"; metadata:policy security-ips drop; classtype:misc-activity; 6238 SPYWARE-PUT Adware lop runtime detection - collect info request 1 www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/tba/p?"; nocase; http_uri; content:"guid="; nocase; http_uri; content:"version="; nocase; http_uri; content:"clientid="; nocase; http_uri; content:"time="; nocase; http_uri; content:"locale="; nocase; http_uri; content:"session="; nocase; http_uri; content:"idle="; nocase; http_uri; content:"crc="; nocase; http_uri; content:"User-Agent|3A| TPSystem"; nocase; http_header; metadata:policy security-ips alert; classtype:misc-activity; 6239 SPYWARE-PUT Adware lop runtime detection - collect info request 2 www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/prod/C2mediapops/pop3.asp?"; fast_pattern; nocase; http_uri; content:"mt="; nocase; http_uri; content:"popid="; nocase; http_uri; content:"User-Agent|3A| TPSystem"; nocase; http_header; metadata:policy security-ips drop; classtype:misc-activity; 6240 SPYWARE-PUT Adware lop runtime detection - pop up ads www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/exe/dns.html"; nocase; http_uri; content:"User-Agent|3A| TPSystem"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 6241 SPYWARE-PUT Adware lop runtime detection - ie autosearch hijack www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"svc="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"type="; nocase; http_uri; content:"mode="; nocase; http_uri; content:"art="; nocase; http_uri; content:"acct="; nocase; http_uri; content:"url="; nocase; http_uri; content:"category="; fast_pattern; nocase; http_uri; content:"view="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6242 SPYWARE-PUT Hijacker coolwebsearch.cameup runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/justas.css"; nocase; http_uri; content:"Host|3A| www.kliksearch.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 6243 SPYWARE-PUT Hijacker coolwebsearch cameup runtime detection - home page hijack www3.ca.com/securityadvisor/pest/pest.aspx?id=453079081 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/notfound.php"; nocase; http_uri; content:"Host|3A| www.cameup.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 6244 SPYWARE-PUT Hijacker coolwebsearch cameup runtime detection - ie auto search hijack www3.ca.com/securityadvisor/pest/pest.aspx?id=453079081 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/2gt.php"; nocase; http_uri; content:"cp="; nocase; http_uri; content:"dn=daosearch.com"; fast_pattern; nocase; http_uri; content:"ckey="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"iphsh="; nocase; http_uri; content:"tm="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6245 SPYWARE-PUT Hijacker coolwebsearch startpage runtime detection www.spywareguide.com/product_show.php?id=599 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/404/search.php?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"Keywords="; nocase; http_uri; content:"a="; nocase; http_uri; content:"Host|3A| www.navisearch.net"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 6246 SPYWARE-PUT Hijacker exact navisearch runtime detection - search hijack www.spywareguide.com/product_show.php?id=1169 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/IntermixWO/Redirect/HelpRedirect.asp?"; fast_pattern; nocase; http_uri; content:"var="; nocase; http_uri; content:"Host|3A| www.ezula.com"; nocase; metadata:policy security-ips drop; classtype:misc-activity; 6247 SPYWARE-PUT Adware ezula toptext runtime detection - help redirect www3.ca.com/securityadvisor/pest/pest.aspx?id=453072551 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/TopText/pop-popup.html"; fast_pattern; nocase; http_uri; content:"Host|3A| www.ezula.com"; nocase; metadata:policy security-ips drop; classtype:misc-activity; 6248 SPYWARE-PUT Adware ezula toptext runtime detection - popup www3.ca.com/securityadvisor/pest/pest.aspx?id=453072551 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/IntermixWO/redirect/redirect.asp?"; fast_pattern; nocase; http_uri; content:"DS_ID="; nocase; http_uri; content:"PubName="; nocase; http_uri; content:"UV_ID="; nocase; http_uri; content:"country="; nocase; http_uri; content:"region="; nocase; http_uri; content:"city="; nocase; http_uri; content:"zip="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6249 SPYWARE-PUT Adware ezula toptext runtime detection - redirect www3.ca.com/securityadvisor/pest/pest.aspx?id=453072551 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"hotbar"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*?hotbar/Hsmi"; metadata:policy security-ips alert; classtype:misc-activity; 6250 SPYWARE-PUT Adware hotbar runtime detection - hotbar user-agent www3.ca.com/securityadvisor/pest/pest.aspx?id=453075474 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"hostie"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*?hostie/Hsmi"; metadata:policy security-ips alert; classtype:misc-activity; 6251 SPYWARE-PUT Adware hotbar runtime detection - hostie user-agent www3.ca.com/securityadvisor/pest/pest.aspx?id=453075474 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/tbar?"; nocase; http_uri; content:"prt="; nocase; http_uri; content:"nnreq="; nocase; http_uri; content:"s="; nocase; http_uri; content:"Host|3A| quick.qsrch.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:successful-recon-limited; 6252 SPYWARE-PUT Trackware quicksearch toolbar runtime detection - search request www3.ca.com/securityadvisor/pest/pest.aspx?id=453090680 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/log/log.cgi?"; nocase; http_uri; content:"Host|3A| quick.qsrch.com"; fast_pattern:only; metadata:policy security-ips drop; classtype:successful-recon-limited; 6253 SPYWARE-PUT Trackware quicksearch toolbar runtime detection - log user ativity www3.ca.com/securityadvisor/pest/pest.aspx?id=453090680 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/tbar?"; nocase; http_uri; content:"upartner="; nocase; http_uri; content:"ps="; nocase; http_uri; content:"bidpart="; nocase; http_uri; content:"rank="; nocase; http_uri; content:"query="; nocase; http_uri; content:"redir="; nocase; http_uri; content:"Host|3A| quick.qsrch.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:successful-recon-limited; 6254 SPYWARE-PUT Trackware quicksearch toolbar runtime detection - redirect www3.ca.com/securityadvisor/pest/pest.aspx?id=453090680 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?"; nocase; http_uri; content:"version="; nocase; http_uri; content:"tag="; nocase; http_uri; content:"ptr="; nocase; http_uri; content:"source="; nocase; http_uri; content:"User-Agent|3A| ToolBar"; nocase; http_header; content:"Host|3A| upgrade.qsrch.info"; nocase; http_header; metadata:policy security-ips drop; classtype:successful-recon-limited; 6255 SPYWARE-PUT Trackware quicksearch toolbar runtime detection - update www3.ca.com/securityadvisor/pest/pest.aspx?id=453090680 misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"907CA0E5-CE84-11D6-9508-02608CDD2846"; fast_pattern:only; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3A\s*\x7B?\s*907CA0E5-CE84-11D6-9508-02608CDD2846/si"; metadata:policy security-ips drop; classtype:misc-activity; 6256 SPYWARE-PUT Adware searchsquire installtime/auto-update www3.ca.com/securityadvisor/pest/pest.aspx?id=453094363 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/testgeonew.php"; nocase; http_uri; content:"Referer|3A| http|3A|//ad.searchsquire.com/blank.html"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 6257 SPYWARE-PUT Adware searchsquire runtime detection - testgeonew query www3.ca.com/securityadvisor/pest/pest.aspx?id=453094363 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/engine"; nocase; http_uri; content:".txt"; nocase; http_uri; pcre:"/\x2Fengine2?\x2Etxt/Ui"; content:"User-Agent|3A|"; nocase; http_header; content:"Agent"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Agent[0-9]{7}/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6258 SPYWARE-PUT Adware searchsquire runtime detection - get engine file www3.ca.com/securityadvisor/pest/pest.aspx?id=453094363 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.php?"; nocase; http_uri; content:"domain="; nocase; http_uri; content:"term="; nocase; http_uri; content:"partner=searchsquire"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6259 SPYWARE-PUT Adware searchsquire runtime detection - search forward www3.ca.com/securityadvisor/pest/pest.aspx?id=453094363 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cmapp/zx-popup.php?"; fast_pattern; nocase; http_uri; content:"uid="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"m="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"url=http"; nocase; http_uri; content:"Host|3A| newads1.com"; nocase; metadata:policy security-ips drop; classtype:misc-activity; 6260 SPYWARE-PUT Adware overpro runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453090731 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.php?"; nocase; http_uri; content:"Keywords="; nocase; http_uri; content:"Host|3A| www.slinkyslate"; fast_pattern:only; metadata:policy security-ips drop; classtype:misc-activity; 6261 SPYWARE-PUT Trickler slinkyslate toolbar runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453082746 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/adi/fandango.dart/theaterselectionpage|3B|"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6263 SPYWARE-PUT Hijacker gigatech superbar runtime detection - collect information www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/superbar/movie.php"; fast_pattern; nocase; http_uri; content:"requests="; nocase; content:"guid="; nocase; content:"camp="; nocase; content:"build="; nocase; metadata:policy security-ips drop; classtype:misc-activity; 6264 SPYWARE-PUT Hijacker gigatech superbar runtime detection - self update - movie www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/superbar/engine.php"; fast_pattern; nocase; http_uri; content:"requests="; nocase; content:"engine="; nocase; content:"guid="; nocase; content:"camp="; nocase; content:"build="; nocase; metadata:policy security-ips drop; classtype:misc-activity; 6265 SPYWARE-PUT Hijacker gigatech superbar runtime detection - self update - engine www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/superbar/seupdate.php"; fast_pattern; nocase; http_uri; content:"action=checkUpdate"; nocase; content:"guid="; nocase; content:"camp="; nocase; content:"build="; nocase; metadata:policy security-ips drop; classtype:misc-activity; 6266 SPYWARE-PUT Hijacker gigatech superbar runtime detection - self update - check update www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/superbar/seupdate.php"; fast_pattern; nocase; http_uri; content:"action=getUpdate"; nocase; content:"fileName="; nocase; content:"guid="; nocase; content:"camp="; nocase; content:"build="; nocase; metadata:policy security-ips drop; classtype:misc-activity; 6267 SPYWARE-PUT Hijacker gigatech superbar runtime detection - self update - get update www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/SUPERBARINSTALL_2.2.1.EXE"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6268 SPYWARE-PUT Hijacker gigatech superbar runtime detection - self update - download exe www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/superbar/event.php"; fast_pattern; nocase; http_uri; content:"event="; nocase; content:"gmt="; nocase; content:"guid="; nocase; content:"camp="; nocase; content:"build="; nocase; metadata:policy security-ips drop; classtype:misc-activity; 6269 SPYWARE-PUT Hijacker gigatech superbar runtime detection - track event www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/bin/findwhat.dll"; nocase; http_uri; content:"getresults"; nocase; http_uri; content:"base="; nocase; http_uri; content:"mt="; nocase; http_uri; content:"dc="; nocase; http_uri; content:"aff_id="; nocase; http_uri; content:"ip_addr="; nocase; http_uri; content:"User-Agent|3A| MyBrowser"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 6270 SPYWARE-PUT Hijacker topicks runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453094103 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/AD/UCMD?"; fast_pattern; nocase; http_uri; content:"&ID={"; nocase; http_uri; content:"&rand="; nocase; http_uri; metadata:policy security-ips alert, service http; classtype:misc-activity; 6271 SPYWARE-PUT Trickler bundleware runtime detection www.xp-vista.com/spyware-removal/antimalwareguard-antimalware-guard-removal-instructions misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ca/servlet/Alchem"; http_uri; content:"StubName"; nocase; content:"alchem"; distance:0; nocase; content:"User-Agent|3A| Stubby"; nocase; http_header; metadata:policy security-ips drop; classtype:misc-activity; 6274 SPYWARE-PUT Trickler clickalchemy runtime detection www.spywareguide.com/product_show.php?id=1095 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/index.cfm"; nocase; http_uri; content:"action="; nocase; http_uri; content:"pc="; nocase; http_uri; content:"keywords="; nocase; http_uri; content:"Cookie|3A| "; nocase; http_header; content:"source=IncrediFind"; nocase; http_header; metadata:policy security-ips alert; classtype:misc-activity; 6275 SPYWARE-PUT Hijacker incredifind runtime detection - cookie www3.ca.com/securityadvisor/pest/pest.aspx?id=453077295 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"target="; nocase; http_uri; content:"tv="; nocase; http_uri; content:"tu="; nocase; http_uri; content:"td="; nocase; http_uri; content:"account_id="; nocase; http_uri; content:"tt="; http_uri; content:"search_string="; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6279 SPYWARE-PUT Hijacker sidefind runtime detection www.spywareguide.com/product_show.php?id=1147 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/javascripts/common.js"; fast_pattern; nocase; http_uri; content:"Cookie|3A| "; nocase; http_header; content:"origin=sidefind"; nocase; http_header; metadata:policy security-ips drop; classtype:misc-activity; 6280 SPYWARE-PUT Hijacker sidefind runtime detection - cookie www3.ca.com/securityadvisor/pest/pest.aspx?id=453088285 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| istsvc"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 6281 SPYWARE-PUT Hijacker yoursitebar runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453093992 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"YOUR CUSTOM TOOLBAR"; nocase; http_header; metadata:policy security-ips alert; classtype:misc-activity; 6282 SPYWARE-PUT Hijacker customtoolbar runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453074937 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/sitereview.asmx/GetReview"; fast_pattern; nocase; http_uri; content:"URL="; nocase; http_uri; content:"SITE="; nocase; http_uri; content:"TUID="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6283 SPYWARE-PUT Hijacker websearch runtime detection - sitereview www3.ca.com/securityadvisor/pest/pest.aspx?id=453074933 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/WebStat.asmx/GetXML2"; fast_pattern; nocase; http_uri; content:"sDate="; nocase; http_uri; content:"sModule="; nocase; http_uri; content:"sCID="; nocase; http_uri; content:"sIP="; nocase; http_uri; content:"sURL="; nocase; http_uri; content:"sReferrer="; nocase; http_uri; content:"sBT="; nocase; http_uri; content:"sAgent="; nocase; http_uri; content:"sName="; nocase; http_uri; content:"sAction="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6284 SPYWARE-PUT Hijacker websearch runtime detection - webstat www3.ca.com/securityadvisor/pest/pest.aspx?id=453074933 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"024"; depth:3; nocase; flowbits:set,backdoor.antilamer1.1.conn; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6285 BACKDOOR antilamer 1.1 runtime detection - set flowbit www3.ca.com/securityadvisor/pest/pest.aspx?id=453076222 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,backdoor.antilamer1.1.conn; content:"024|C2 E5 F0 F1 E8 FF| |F1 E5 F0 E2 E5 F0 E0| - 1.1"; depth:23; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6286 BACKDOOR antilamer 1.1 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453076222 trojan-activity tcp $HOME_NET 23 -> $EXTERNAL_NET any flow:from_server,established; content:"We"; nocase; content:"got"; distance:0; nocase; content:"this"; distance:0; nocase; content:"GREAT"; distance:0; nocase; content:"Daemon"; distance:0; nocase; content:"Fictional"; nocase; content:"Daemon"; distance:0; nocase; pcre:"/^We\s+got\s+this\s+GREAT\s+Daemon.*Fictional\s+Daemon/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6287 BACKDOOR fictional daemon 4.4 runtime detection - telent www3.ca.com/securityadvisor/pest/pest.aspx?id=453074164 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 7306 flow:to_server,established; content:"Netspy"; nocase; content:"Version"; distance:0; nocase; content:"service"; distance:0; nocase; pcre:"/^Netspy\s+Version\s+\d+\x2E\d+\r\nservice\x3A/smi"; flowbits:set,Netspy_Command_Pattern; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6289 BACKDOOR netspy runtime detection - command pattern client-to-server www.spywareguide.com/product_show.php?id=434 trojan-activity tcp $HOME_NET 7306 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Netspy_Command_Pattern; content:"Netspy"; nocase; content:"Version"; distance:0; nocase; content:"STATUS"; distance:0; nocase; pcre:"/^Netspy\s+Version\s+\d+\x2E\d+\r\nSTATUS\x3A/smi"; metadata:policy security-ips alert; classtype:trojan-activity; 6290 BACKDOOR netspy runtime detection - command pattern server-to-client www.spywareguide.com/product_show.php?id=434 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; http_uri; content:"from=JJB+Server"; nocase; content:"fromemail=JJB"; nocase; content:"subject=JJB+Pager"; nocase; content:"body=JJ+BackDoor+-+v"; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6291 BACKDOOR justjoke v2.6 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453073017 trojan-activity tcp $HOME_NET 1337 -> $EXTERNAL_NET any flow:from_server,established; content:"MV 1.0"; depth:6; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6292 BACKDOOR joker ddos v1.0.1 runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453076749 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1337 flow:to_server,established; content:"C1 "; depth:3; nocase; pcre:"/^C1\s\d+\x2E\d+\x2E\d+\x2E\d+/smi"; flowbits:set,backdoor.joker.ddos.1.0.conn.1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6293 BACKDOOR joker ddos v1.0.1 runtime detection - bomb - initial flowbit www3.ca.com/securityadvisor/pest/pest.aspx?id=453076749 trojan-activity tcp $HOME_NET 1337 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,backdoor.joker.ddos.1.0.conn.1; content:"M1 "; depth:3; nocase; pcre:"/^M1\s\d+\x2E\d+\x2E\d+\x2E\d+/smi"; flowbits:set,backdoor.joker.ddos.1.0.conn.2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6294 BACKDOOR joker ddos v1.0.1 runtime detection - bomb - second flowbit www3.ca.com/securityadvisor/pest/pest.aspx?id=453076749 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1337 flow:to_server,established; flowbits:isset,backdoor.joker.ddos.1.0.conn.2; content:"C2 "; depth:3; nocase; pcre:"/^C2\s\d+/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6295 BACKDOOR joker ddos v1.0.1 runtime detection - bomb www3.ca.com/securityadvisor/pest/pest.aspx?id=453076749 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; http_uri; content:"from="; nocase; content:"fromemail="; nocase; content:"subject=Insurrection+Page"; nocase; content:"body="; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6296 BACKDOOR insurrection 1.1.0 runtime detection - icq notification 1 www3.ca.com/securityadvisor/pest/pest.aspx?id=453076744 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/blah.cgi"; nocase; http_uri; content:"action="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"port="; nocase; http_uri; content:"id=Insurrection"; nocase; http_uri; content:"win="; nocase; http_uri; content:"rpass="; nocase; http_uri; content:"connection="; nocase; http_uri; metadata:policy security-ips drop; classtype:trojan-activity; 6297 BACKDOOR insurrection 1.1.0 runtime detection - icq notification 2 www3.ca.com/securityadvisor/pest/pest.aspx?id=453076744 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"sin"; depth:3; nocase; pcre:"/^sin\d+\x3A[^\r\n]*\x3A\d+\x3A\d+\x3A/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6298 BACKDOOR insurrection 1.1.0 runtime detection - reverse connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453076744 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"Insurrection1"; depth:13; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6299 BACKDOOR insurrection 1.1.0 runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453076744 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/friendship/email_thank_you?"; nocase; http_uri; content:"nick_name=CIA-Test"; nocase; http_uri; content:"user_email=ciatest@icq.com"; nocase; http_uri; content:"friend_nickname=CIA-Notify-Tezt"; nocase; http_uri; pcre:"/\x2Ffriendship\x2Femail_thank_you\?[^\r\n]*nick_name=CIA-Test[^\r\n]*friend_nickname=CIA-Notify-Tezt/Ui"; metadata:policy security-ips drop; classtype:trojan-activity; 6300 BACKDOOR cia 1.3 runtime detection - icq notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453076260 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"verifyPASS"; depth:10; flowbits:set,CIA13_conn; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6302 BACKDOOR cia runtime detection - initial connection - set flowbit www3.ca.com/securityadvisor/pest/pest.aspx?id=453076260 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,CIA13_conn; content:"passcorrect|3B|"; nocase; content:"CIA"; distance:0; nocase; pcre:"/^passcorrect\x3B\d+\x3B\d+\x3BCIA/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6303 BACKDOOR cia runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453076260 trojan-activity tcp $HOME_NET 1207 -> $EXTERNAL_NET any flow:from_server,established; content:"R|00|SoftWAR Server"; depth:16; nocase; flowbits:set,bit.SoftWARShadowThiefInitialconnection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6304 BACKDOOR softwar shadowthief runtime detection - initial connection - set flowbit www3.ca.com/securityadvisor/pest/pest.aspx?id=19977 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1207 flow:from_client,established; flowbits:isset,bit.SoftWARShadowThiefInitialconnection; content:"|01|SoftWAR Client|00|"; depth:18; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6305 BACKDOOR softwar shadowthief runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=19977 trojan-activity tcp $HOME_NET 6912 -> $EXTERNAL_NET any flow:from_server,established; content:"SHIT-HEEP"; depth:9; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6306 BACKDOOR shit heep runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=5451 trojan-activity tcp $HOME_NET 6660 -> $EXTERNAL_NET any flow:from_server,established; content:"accept|3A|"; depth:7; nocase; flowbits:set,bit.LameSpyInitialconnection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6307 BACKDOOR lamespy runtime detection - initial connection - set flowbit www3.ca.com/securityadvisor/pest/pest.aspx?id=3370 trojan-activity tcp $HOME_NET 6660 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,bit.LameSpyInitialconnection; content:"cname|3A|"; depth:6; nocase; content:"Command Sendet"; distance:0; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6308 BACKDOOR lamespy runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=3370 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"MSG "; depth:4; nocase; pcre:"/^MSG\s+[^\r\n]*\n/smi"; flowbits:set,NetDemon_Msg; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6312 BACKDOOR net demon runtime detection - message send www3.ca.com/securityadvisor/pest/pest.aspx?id=4029 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,NetDemon_Msg; content:"WAIT|0A|"; depth:5; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6313 BACKDOOR net demon runtime detection - message response www3.ca.com/securityadvisor/pest/pest.aspx?id=4029 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"openbrowser "; depth:12; nocase; pcre:"/^openbrowser\s+[^\r\n]*\n/smi"; flowbits:set,NetDemon_OpenBrowser; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6314 BACKDOOR net demon runtime detection - open browser request www3.ca.com/securityadvisor/pest/pest.aspx?id=4029 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,NetDemon_OpenBrowser; content:"browseropened|0A|"; depth:14; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6315 BACKDOOR net demon runtime detection - open browser response www3.ca.com/securityadvisor/pest/pest.aspx?id=4029 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"GETLIST "; depth:8; nocase; pcre:"/^GETLIST\s+[^\r\n]*\n/smi"; flowbits:set,NetDemon_FileManager; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6316 BACKDOOR net demon runtime detection - file manager request www3.ca.com/securityadvisor/pest/pest.aspx?id=4029 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,NetDemon_FileManager; content:"FILESIZE>"; depth:9; nocase; pcre:"/^FILESIZE\x3E[^\r\n]*\x3E\d+/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6317 BACKDOOR net demon runtime detection - file manager response www3.ca.com/securityadvisor/pest/pest.aspx?id=4029 trojan-activity tcp $HOME_NET 623 -> $EXTERNAL_NET any flow:from_server,established; content:"RTB"; depth:3; nocase; content:"666"; distance:0; nocase; content:"Firewall"; distance:0; nocase; content:"Guarded"; distance:0; nocase; content:"Port"; distance:0; nocase; content:"Your"; distance:0; nocase; content:"IP"; distance:0; nocase; content:"is"; distance:0; nocase; pcre:"/^RTB\s+666\s+v\x2E\d+\x2E\d+\x3B\s+Firewall\s+Guarded\s+Port\x2E\s+Your\s+IP\s+is/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6318 BACKDOOR rtb666 runtime detection www.spywareguide.com/product_show.php?id=1501 trojan-activity udp $HOME_NET any -> $EXTERNAL_NET 8012 flow:to_server; content:"aComprobar"; nocase; content:"si"; distance:0; nocase; content:"esta"; distance:0; nocase; content:"conectadoa"; distance:0; nocase; pcre:"/\x23\x31\x23aComprobar\s+si\s+esta\s+conectadoa\x232\x23\x233\x23\x23f\x23/smi"; flowbits:set,PtakkS_Keepalive; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6320 BACKDOOR ptakks2.1 runtime detection - keepalive www3.ca.com/securityadvisor/pest/pest.aspx?id=453079909 trojan-activity udp $EXTERNAL_NET 8012 -> $HOME_NET any flow:to_client; flowbits:isset,PtakkS_Keepalive; content:",jRj,"; metadata:policy security-ips alert; classtype:trojan-activity; 6321 BACKDOOR ptakks2.1 runtime detection - keepalive acknowledgement www3.ca.com/securityadvisor/pest/pest.aspx?id=453079909 trojan-activity udp $HOME_NET any -> $EXTERNAL_NET 8012 flow:to_server; content:",|3A|,j"; nocase; content:"G,o,,y,"; distance:0; nocase; pcre:"/\x2C\x3A\x2C\x6A[^\r\n]*\x47\x2C\x6F\x2C\x2C\x79\x2C/"; metadata:policy security-ips alert; classtype:trojan-activity; 6322 BACKDOOR ptakks2.1 runtime detection - command pattern www3.ca.com/securityadvisor/pest/pest.aspx?id=453079909 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 47221 flow:to_server,established; content:"&raport"; depth:7; nocase; flowbits:set,bit.3xBackdoorconnection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6323 BACKDOOR 3xBackdoor runtime detection - set flowbit www3.ca.com/securityadvisor/pest/pest.aspx?id=453084228 trojan-activity tcp $HOME_NET 47221 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,bit.3xBackdoorconnection; content:"Raport|3A| serwer aktywny"; depth:22; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 6324 BACKDOOR 3xBackdoor runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453084228 trojan-activity tcp $HOME_NET 666 -> $EXTERNAL_NET any flow:from_server,established; content:"Connected to Server |3A|-|29|"; depth:23; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6325 BACKDOOR fucktrojan 1.2 runtime detection - initial connection megasecurity.org/trojans/f/fucktrojan/Fucktrojan1.2.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 666 flow:to_server,established; content:"Flood"; nocase; flowbits:set,FuckTrojan_flood; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6326 BACKDOOR fucktrojan 1.2 runtime detection - flood trojan-activity tcp $HOME_NET 666 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,FuckTrojan_flood; content:"Windows"; nocase; content:"Directory"; distance:0; nocase; content:"Flooded"; distance:0; nocase; pcre:"/Windows\s+Directory\s+Flooded/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6327 BACKDOOR fucktrojan 1.2 runtime detection - flood megasecurity.org/trojans/f/fucktrojan/Fucktrojan1.2.html trojan-activity tcp $EXTERNAL_NET 11000 -> $HOME_NET any flow:from_server,established; content:"Conectou"; depth:8; metadata:policy security-ips drop; classtype:trojan-activity; 6328 BACKDOOR commando runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453068368 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 11000 flow:to_server,established; content:"Cliente |3A|"; flowbits:set,Commando; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6329 BACKDOOR commando runtime detection - chat client-to-server www3.ca.com/securityadvisor/pest/pest.aspx?id=453068368 trojan-activity tcp $EXTERNAL_NET 11000 -> $HOME_NET any flow:from_server,established; flowbits:isset,Commando; content:"Servidor |3A|"; metadata:policy security-ips drop; classtype:trojan-activity; 6330 BACKDOOR commando runtime detection - chat server-to-client www3.ca.com/securityadvisor/pest/pest.aspx?id=453068368 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; content:"from=MondoHack"; nocase; content:"fromemail="; nocase; content:"subject="; nocase; content:"body="; nocase; content:"to="; nocase; content:"send="; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6331 BACKDOOR globalkiller1.0 runtime detection - notification www.spywareguide.com/product_show.php?id=1656 trojan-activity tcp $HOME_NET 1255 -> $EXTERNAL_NET any flow:from_server,established; content:"Conectado"; depth:9; nocase; content:"Yeah!"; distance:0; nocase; pcre:"/^Conectado\s+Yeah\!/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6332 BACKDOOR globalkiller1.0 runtime detection - initial connection www.spywareguide.com/product_show.php?id=1656 trojan-activity tcp $HOME_NET 2583 -> $EXTERNAL_NET any flow:from_server,established; content:"WinCrash"; depth:8; nocase; content:"Server"; distance:0; nocase; pcre:"/^WinCrash\s+Server\s+\d+\x2E\d+/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6333 BACKDOOR wincrash 2.0 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453084089 trojan-activity tcp $HOME_NET 11831 -> $EXTERNAL_NET any flow:from_server,established; content:"BackLash Server"; depth:15; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6334 BACKDOOR backlash runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453076823 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 12624 flow:to_server,established; content:"*?!?"; depth:4; flowbits:set,buttman.1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6335 BACKDOOR buttman v0.9p runtime detection - remote control - set flowbit www3.ca.com/securityadvisor/pest/pest.aspx?id=453089720 trojan-activity tcp $HOME_NET 12624 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,buttman.1; content:"|23|+|0D 0A|"; metadata:policy security-ips alert; classtype:trojan-activity; 6336 BACKDOOR buttman v0.9p runtime detection - remote control www3.ca.com/securityadvisor/pest/pest.aspx?id=453089720 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 18713 flow:to_server,established; content:"[LOAD"; nocase; content:"DRIVE"; distance:0; nocase; content:"DATA]"; distance:0; nocase; pcre:"/^\[LOAD\s+DRIVE\s+DATA\]/smi"; flowbits:set,backdoor.HatredFriend.cts; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6337 BACKDOOR hatredfriend file manage command - set flowbit www3.ca.com/securityadvisor/pest/pest.aspx?id=453077215 trojan-activity tcp $HOME_NET 18713 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,backdoor.HatredFriend.cts; content:"[DRIVE"; nocase; content:"LIST]"; distance:0; nocase; pcre:"/\[DRIVE\s+LIST\]\d(\x00[a-zA-Z]\x3A(\s+\[.*\])?)+/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6338 BACKDOOR hatredfriend file manage command www3.ca.com/securityadvisor/pest/pest.aspx?id=453077215 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"From|3A|"; nocase; content:"IP"; distance:0; nocase; content:"Contact"; distance:0; nocase; content:"X-Mailer|3A|"; nocase; content:"EBT"; distance:0; nocase; content:"Reporter"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"Vic"; distance:0; nocase; content:"Ip"; distance:0; nocase; content:"Addy"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*IP\s+Contact.*X-Mailer\x3A[^\r\n]*EBT\s+Reporter.*Subject\x3A[^\r\n]*Vic\s+Ip\s+Addy/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6339 BACKDOOR hatredfriend email notification detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453077215 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A| "; nocase; content:"Handy Keylogger|3A|"; distance:0; nocase; content:"PRODUCED BY HANDY KEYLOGGER LOG PARSER"; distance:0; nocase; metadata:policy security-ips drop; classtype:successful-recon-limited; 6340 SPYWARE-PUT Keylogger handy keylogger runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453096599 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| Spedia"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 6341 SPYWARE-PUT Hijacker spediabar user-agent string detected www3.ca.com/securityadvisor/pest/pest.aspx?id=453074295 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/tz.cgi"; nocase; http_uri; content:"run="; nocase; http_uri; content:"Host|3A| spedia.net"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 6342 SPYWARE-PUT Hijacker spediabar runtime detection - info check www3.ca.com/securityadvisor/pest/pest.aspx?id=453074295 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"TSA/"; fast_pattern; nocase; http_header; content:"Ts2/"; nocase; http_header; content:"OS/"; nocase; http_header; content:"IE/"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*?TSA\x2F[^\r\n]*?Ts2\x2F[^\r\n]*?OS\x2F[^\r\n]*?IE\x2F[^\r\n]*?CD\x2F[^\r\n]*?UID\x2F[^\r\n]*?AID\x2F/HsmiH"; metadata:policy security-ips alert; classtype:misc-activity; 6343 SPYWARE-PUT Adware targetsaver runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453090707 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/speedbar/speedbarcfg.jsp"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Excite"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Excite/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6344 SPYWARE-PUT Adware excite search bar runtime detection - config www3.ca.com/securityadvisor/pest/pest.aspx?id=453078495 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/tr.js"; nocase; http_uri; content:"a="; nocase; http_uri; content:"r="; nocase; http_uri; content:"site=excite"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6345 SPYWARE-PUT Adware excite search bar runtime detection - search www3.ca.com/securityadvisor/pest/pest.aspx?id=453078495 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/version/stationripper-getver"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6346 SPYWARE-PUT Adware stationripper update detection stationripper.com misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/minimall"; nocase; http_uri; content:"w="; nocase; http_uri; content:"h="; nocase; http_uri; content:"client="; nocase; http_uri; content:"noctxt="; nocase; http_uri; content:"sid="; nocase; http_uri; content:"url=http|3A|/www.stationripper.com/Portal/ad.htm"; fast_pattern; nocase; http_uri; content:"query="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6347 SPYWARE-PUT Adware stationripper ad display detection stationripper.com successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/engine"; fast_pattern; nocase; http_uri; content:"site="; nocase; http_uri; content:"page="; nocase; http_uri; content:"space="; nocase; http_uri; content:"size="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"domain="; nocase; http_uri; metadata:policy security-ips drop; classtype:successful-recon-limited; 6348 SPYWARE-PUT Snoopware zenosearch runtime detection www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=ADW%5FZENO%2EA misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/news.php"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.richfind.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Erichfind\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6349 SPYWARE-PUT Hijacker richfind update detection www.f-secure.com/sw-desc/iehijacker_richfind.shtml misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.php"; nocase; http_uri; content:"qq="; nocase; http_uri; content:"said=bar"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"richfind.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*richfind\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6350 SPYWARE-PUT Hijacker richfind auto search redirect detection www.f-secure.com/sw-desc/iehijacker_richfind.shtml misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/abho/chkupdate.abs"; fast_pattern; nocase; http_uri; content:"cv="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"adblock.linkz.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*adblock\x2Elinkz\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6351 SPYWARE-PUT Hijacker adblock update detection www.spywareguide.com/product_show.php?id=48 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/abho/autosrch.abs"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"adblock.linkz.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*adblock\x2Elinkz\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6352 SPYWARE-PUT Hijacker adblock auto search redirect detection www.spywareguide.com/product_show.php?id=48 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/iesearch.php"; fast_pattern; nocase; http_uri; content:"term="; nocase; http_uri; content:"Submit=Search"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"linkz.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*linkz\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6353 SPYWARE-PUT Hijacker adblock ie search assistant redirect detection www.spywareguide.com/product_show.php?id=48 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/simplesearch/update.asp"; fast_pattern; nocase; http_uri; content:"type="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"ProxyDown"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*ProxyDown/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6354 SPYWARE-PUT Trickler wsearch runtime detection - auto update www.zhongsou.com misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/zsmp3"; nocase; http_uri; content:"tps="; nocase; http_uri; content:"word="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"mp3.zhongsou.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*mp3\x2Ezhongsou\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6355 SPYWARE-PUT Trickler wsearch runtime detection - mp3 search www.zhongsou.com misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/desksearch.cgi"; nocase; http_uri; content:"tps="; nocase; http_uri; content:"word="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.zhongsou.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ezhongsou\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6356 SPYWARE-PUT Trickler wsearch runtime detection - desktop search www.zhongsou.com misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/speedbar/mySpeedbarCfg2.jsp"; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Need2Find"; nocase; http_header; content:"Bar"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Need2Find\s+Bar/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6357 SPYWARE-PUT Hijacker need2find initial configuration detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453096250 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/jsp/cfg_redir.jsp"; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"searchfor="; nocase; http_uri; pcre:"/url=[^\r\n]*kl\x2Esearch\x2Eneed2find\x2Ecom/Ui"; metadata:policy security-ips alert; classtype:misc-activity; 6358 SPYWARE-PUT Hijacker need2find search query detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453096250 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/pm/start.asp"; nocase; http_uri; content:"pmver="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.altnet.com"; nocase; http_header; pcre:"/^HOST\x3A[^\r\n]*www\x2Ealtnet\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 6359 SPYWARE-PUT Adware altnet runtime detection - initial retrieval www.spywareremove.com/removeAltnet.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Peer"; nocase; http_header; content:"Points"; nocase; http_header; content:"Manager"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Peer\s+Points\s+Manager/smiH"; content:"Host|3A|"; nocase; http_header; content:"pm.altnet.com"; nocase; http_header; pcre:"/^HOST\x3A[^\r\n]*pm\x2Ealtnet\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 6360 SPYWARE-PUT Adware altnet runtime detection - update www.spywareremove.com/removeAltnet.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/backoffice.net/stats/Add.aspx"; fast_pattern; nocase; http_uri; content:"ST="; nocase; http_uri; content:"PN=Altnet"; nocase; http_uri; content:"AN=Altnet"; nocase; http_uri; content:"LN="; nocase; http_uri; content:"DN="; nocase; http_uri; content:"GR="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.altnet.com"; nocase; http_header; pcre:"/^HOST\x3A[^\r\n]*www\x2Ealtnet\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 6361 SPYWARE-PUT Adware altnet runtime detection - status report www.spywareremove.com/removeAltnet.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"MGS-Internal-Web-Manager"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*MGS-Internal-Web-Manager/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6362 SPYWARE-PUT Hijacker microgaming runtime detection www.spywareremove.com/removeMicrogaming.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/sacc/popup.php"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"SAcc"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*SAcc/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 6363 SPYWARE-PUT adware surfaccuracy runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453094263 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"iMeshBar"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*iMeshBar/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 6364 SPYWARE-PUT Hijacker imeshbar runtime detection www.file.net/process/imeshbar.dll.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"SecureNet"; nocase; http_header; content:"Xtra"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*SecureNet\s+Xtra/smiH"; pcre:"/^Host\x3A[^\r\n]*sonymusic\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 6365 SPYWARE-PUT Other-Technologies sony rootkit runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453096362 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"eAnthMngr"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*eAnthMngr/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6366 SPYWARE-PUT Trickler eacceleration downloadreceiver user-agent string detected www.spywareguide.com/product_show.php?id=398 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/dlp_def/"; nocase; http_uri; content:"imod="; nocase; http_uri; content:"prod=scanner"; fast_pattern; nocase; http_uri; content:"lng="; nocase; http_uri; content:"geo="; nocase; http_uri; content:"ftid="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"ui="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6367 SPYWARE-PUT Trickler eacceleration downloadreceiver runtime detection - stop-sign ads www.spywareguide.com/product_show.php?id=398 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/wsliveup/advisor/wsliveup.dat"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"spybl.cyberdefender.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*spybl\x2Ecyberdefender\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 6372 SPYWARE-PUT Trickler spyblocs eblocs detection - get wsliveup.dat www3.ca.com/securityadvisor/pest/pest.aspx?id=453088571 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/products/stbar/stbarpat.dat"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"download.eblocs.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*download\x2Eeblocs\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 6373 SPYWARE-PUT Trickler spyblocs eblocs detection - stbarpat.dat www3.ca.com/securityadvisor/pest/pest.aspx?id=453088571 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/products/spyblocs/"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"download.eblocs.com"; nocase; http_header; pcre:"/\x2Fproducts\x2Fspyblocs\x2F(spyblpat\d*\x2Edat\x2E\d+)|(spyblini\x2Eini)/UiH"; pcre:"/^Host\x3A[^\r\n]*download\x2Eeblocs\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 6374 SPYWARE-PUT Trickler spyblocs eblocs detection - get spyblpat.dat/spyblini.ini www3.ca.com/securityadvisor/pest/pest.aspx?id=453088571 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cart11.html?affl="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.eblocs.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Eeblocs\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6375 SPYWARE-PUT Trickler spyblocs.eblocs detection - register request www3.ca.com/securityadvisor/pest/pest.aspx?id=453088571 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/srv/c"; nocase; http_uri; content:"i="; nocase; http_uri; content:"t="; nocase; http_uri; content:"v="; nocase; http_uri; content:"s="; nocase; http_uri; content:"rnd="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"GirafaClient"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*GirafaClient/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6376 SPYWARE-PUT Hijacker girafa toolbar - toolbar update www.spywareguide.com/product_show.php?id=1135 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/srv/i?i="; fast_pattern; nocase; http_uri; content:"r=http"; nocase; http_uri; content:"m=srch"; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 6377 SPYWARE-PUT Hijacker girafa toolbar - browser hijack www.spywareguide.com/product_show.php?id=1135 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/r/banner_iw_codigo_gtc.php"; fast_pattern; nocase; http_uri; content:"idrotador="; nocase; http_uri; content:"tamano="; nocase; http_uri; content:"iw_alternativo="; nocase; http_uri; content:"www.adbars.com"; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6378 SPYWARE-PUT Hijacker adbars runtime detection - homepage hijack www3.ca.com/securityadvisor/pest/pest.aspx?id=453079049 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/buscar.php?cadena="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.buscandoamigos.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ebuscandoamigos\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6379 SPYWARE-PUT Hijacker adbars runtime detection - search in toolbar www3.ca.com/securityadvisor/pest/pest.aspx?id=453079049 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/data.asp"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.dotcomtoolbar.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Edotcomtoolbar\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6380 SPYWARE-PUT Hijacker dotcomtoolbar runtime detection - toolbar information retrieve www3.ca.com/securityadvisor/pest/pest.aspx?id=453076986 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.asp?"; nocase; http_uri; content:"group=searchbar-web"; fast_pattern; nocase; http_uri; content:"keyword="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6381 SPYWARE-PUT Hijacker dotcomtoolbar runtime detection - search in toolbar www3.ca.com/securityadvisor/pest/pest.aspx?id=453076986 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/redirect.asp"; nocase; http_uri; content:"url="; nocase; http_uri; content:"linkid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"click.dotcomtoolbar.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*click\x2Edotcomtoolbar\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6382 SPYWARE-PUT Hijacker dotcomtoolbar runtime detection - url hook www3.ca.com/securityadvisor/pest/pest.aspx?id=453076986 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 15163 flow:to_server,established; content:"|04 00 00 00|"; depth:4; content:"|FF D8 FF E0 00 10|JFIF|00 01 01 00 00 00 00 00 00 00 FF DB 00|C|00 08 06 06 07 06 05 08 07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12 13 0F 14 1D 1A 1F 1E 1D 1A 1C 1C| |24|.' |22|,|23 1C 1C 28|7|29|,01444|1F|'9=82<.342|FF DB 00|C|01|"; distance:0; metadata:policy security-ips drop; classtype:successful-recon-limited; 6383 SPYWARE-PUT Keylogger stealthwatcher 2000 runtime detection - tcp connection setup www3.ca.com/securityadvisor/pest/pest.aspx?id=453075982 successful-recon-limited udp $EXTERNAL_NET any -> $HOME_NET 15164 content:"|0A 02 08 FE 00|"; depth:5; offset:4; metadata:policy security-ips alert; classtype:successful-recon-limited; 6385 SPYWARE-PUT Keylogger stealthwatcher 2000 runtime detection - agent status monitoring www3.ca.com/securityadvisor/pest/pest.aspx?id=453075982 successful-recon-limited udp $HOME_NET any -> $EXTERNAL_NET 15165 content:"|00 00 00 00 0A 02 08 A6|"; depth:8; content:"|02 00 00|v"; distance:0; metadata:policy security-ips alert; classtype:successful-recon-limited; 6386 SPYWARE-PUT Keylogger stealthwatcher 2000 runtime detection - agent up notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453075982 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/query/"; fast_pattern; nocase; http_uri; content:"lt="; nocase; http_uri; content:"q="; nocase; http_uri; content:"cls="; nocase; http_uri; content:"rid="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6387 SPYWARE-PUT Hijacker internet optimizer runtime detection - autosearch hijack www3.ca.com/securityadvisor/pest/pest.aspx?id=453093995 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?"; nocase; http_uri; content:"js="; nocase; http_uri; content:"e=ERR404"; fast_pattern; nocase; http_uri; content:"u=http"; nocase; http_uri; content:"cls="; nocase; http_uri; content:"rid="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6388 SPYWARE-PUT Hijacker internet optimizer runtime detection - error page hijack www3.ca.com/securityadvisor/pest/pest.aspx?id=453093995 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/exclusionlist/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"client.contextual.esyndicate.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*client\x2Econtextual\x2Eesyndicate\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6389 SPYWARE-PUT Adware esyndicate runtime detection - postinstall request www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/content/"; fast_pattern; nocase; http_uri; flowbits:set,eSyndicate.ads; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; 6390 SPYWARE-PUT Adware esyndicate runtime detection - ads popup misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; flowbits:isset,eSyndicate.ads; content:"/ad/zadframe.esyn"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"aw="; nocase; http_uri; content:"ah="; nocase; http_uri; content:"dt="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6391 SPYWARE-PUT Adware esyndicate runtime detection - ads popup www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/searchbar/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.znext.com"; nocase; http_header; metadata:policy security-ips drop; classtype:misc-activity; 6392 SPYWARE-PUT Hijacker zeropopup runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453075510 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"CodeguruBrowser"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*CodeguruBrowser\d+\x2E\d+/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6394 SPYWARE-PUT Hijacker adstart runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453088444 trojan-activity tcp $HOME_NET 16661 -> $EXTERNAL_NET any flow:from_server,established; content:"A-311 Death welcome"; depth:19; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6395 BACKDOOR a-311 death runtime detection - initial connection server-to-client www3.ca.com/securityadvisor/pest/pest.aspx?id=453076778 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"A-311 Server"; fast_pattern; nocase; http_header; metadata:policy security-ips drop; classtype:trojan-activity; 6396 BACKDOOR a-311 death user-agent string detected www3.ca.com/securityadvisor/pest/pest.aspx?id=453076778 trojan-activity tcp $HOME_NET 80 -> $EXTERNAL_NET any flow:to_client,established; content:"<html><head><title>HTTP_RAT</title>"; nocase; content:"<h3>z0mbie's HTTP_RAT"; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 6398 BACKDOOR http rat runtime detection - http www3.ca.com/securityadvisor/pest/pest.aspx?id=453076346 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:" rad "; depth:6; nocase; content:" >< "; distance:0; pcre:"/^\s\srad\s\d+\x2E\d+\x2E\d+\s\s\x3E\x3C/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6399 BACKDOOR rad 1.2.3 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453072457 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"DISK"; depth:4; nocase; flowbits:set,snowdoor_cts; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6400 BACKDOOR snowdoor runtime detection client-to-server www.megasecurity.org/trojans/s/snow/Snow1.3.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,snowdoor_cts; content:"DISK"; depth:4; nocase; pcre:"/^DISK[A-z][0-9]/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6401 BACKDOOR snowdoor runtime detection server-to-client www.megasecurity.org/trojans/s/snow/Snow1.3.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 4125 flow:to_server,established; content:"netangel"; depth:8; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6402 BACKDOOR netangel connection client-to-server www3.ca.com/securityadvisor/pest/pest.aspx?id=453086360 protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET [5800,5900:5999] flow:to_server,established; dsize:12; content:"RFB 003.00"; depth:10; content:!"3"; within:1; flowbits:set,vnc.handshake.client; flowbits:set,vnc.traffic; flowbits:noalert; classtype:protocol-command-decode; 6469 EXPLOIT RealVNC connection attempt protocol-command-decode tcp $HOME_NET [5800,5900:5999] -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,vnc.handshake.client; flowbits:unset,vnc.handshake.client; pcre:"/^[^\x00][^\x00\x01]+$/"; flowbits:set,vnc.server.auth.types; flowbits:noalert; classtype:protocol-command-decode; 6470 EXPLOIT RealVNC authentication types without None type sent attempt trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 2115 flow:to_server,established; content:"CURDIR|0D|"; depth:7; nocase; flowbits:set,Bugs_InitConnection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6472 BACKDOOR bugs runtime detection - file manager client-to-server www.commodon.com/threat/threat-bugs.htm trojan-activity tcp $HOME_NET 2115 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Bugs_InitConnection; content:"CURDIR "; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6473 BACKDOOR bugs runtime detection - file manager server-to-client www.commodon.com/threat/threat-bugs.htm trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/synctl/ping.pl"; fast_pattern; nocase; http_uri; content:"ip="; nocase; http_uri; content:"speed="; nocase; http_uri; metadata:policy security-ips drop; classtype:trojan-activity; 6474 BACKDOOR w32.loosky.gen@mm runtime detection - notification www.sophos.com/virusinfo/analyses/w32looskyl.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"badratpass"; depth:10; nocase; flowbits:set,backdoor.badrat.1.1.conn; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6475 BACKDOOR badrat 1.1 runtime detection - flowbit set www.megasecurity.org/trojans/b/badrat/Badrat1.1.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,backdoor.badrat.1.1.conn; content:"okpass"; depth:6; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 6476 BACKDOOR badrat 1.1 runtime detection www.megasecurity.org/trojans/b/badrat/Badrat1.1.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"www.searchingall.com"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Toolbar.*?Host\x3A[^\r\n]*www\x2Esearchingall\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:successful-recon-limited; 6478 SPYWARE-PUT Trackware searchingall toolbar runtime detection - send user url request www3.ca.com/securityadvisor/pest/pest.aspx?id=453097487 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/e.aspx"; nocase; content:"ver="; nocase; content:"host="; nocase; content:"Host|3A|"; nocase; http_header; content:"www.ZSearchResults.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2EZSearchResults\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:successful-recon-limited; 6479 SPYWARE-PUT Snoopware totalvelocity zsearch runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453083031 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/hpt/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.e-finder.cc"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ee-finder\x2Ecc/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 6480 SPYWARE-PUT Hijacker cws.cameup runtime detection - home page www3.ca.com/securityadvisor/pest/pest.aspx?id=453079081 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/searchtb.php?q="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"fast-look.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*fast-look\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 6481 SPYWARE-PUT Hijacker cws.cameup runtime detection - search www3.ca.com/securityadvisor/pest/pest.aspx?id=453079081 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/get/"; nocase; http_uri; content:"pv="; nocase; http_uri; content:"iv="; nocase; http_uri; content:"pn="; nocase; http_uri; content:"id="; nocase; http_uri; content:"Host|3A| toolbarplace.com"; metadata:policy security-ips alert; classtype:misc-activity; 6482 SPYWARE-PUT Hijacker makemesearch toolbar runtime detection - get info www.spywaredetails.com/index.php?a=spyware&act=read&id=1607 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"said="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.vip-se.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Evip-se\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 6483 SPYWARE-PUT Hijacker makemesearch toolbar runtime detection - home page hijacker www.spywaredetails.com/index.php?a=spyware&act=read&id=1607 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"said="; nocase; http_uri; content:"qq="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.makemesearch.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Emakemesearch\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 6484 SPYWARE-PUT Hijacker makemesearch toolbar runtime detection - search www.spywaredetails.com/index.php?a=spyware&act=read&id=1607 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/toolbar/sbartb0300.cfg"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"acez"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*acez/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 6487 SPYWARE-PUT Adware searchnugget toolbar runtime detection - check updates www3.ca.com/securityadvisor/pest/pest.aspx?id=453094349 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/error.php"; nocase; http_uri; content:"type="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"searchnugget"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*searchnugget/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 6488 SPYWARE-PUT Adware searchnugget toolbar runtime detection - redirect mistyped urls www3.ca.com/securityadvisor/pest/pest.aspx?id=453094349 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/hp/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.webcruiser.cc"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ewebcruiser\x2Ecc/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 6489 SPYWARE-PUT Hijacker analyze IE runtime detection - default page hijacker www.spywaredetails.com/index.php?a=spyware&act=read&id=1680 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"snprtz|7C|dialno"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"www.otherchance.com"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*snprtz\x7Cdialno.*Host\x3A[^\r\n]*www\x2Eotherchance\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 6490 SPYWARE-PUT Dialer yeaknet runtime detection - home page hijacker www.spywareguide.com/product_show.php?id=2446 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ccRandom/"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"snprtz|7C|dialno"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"linkautomatici.com"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*snprtz\x7Cdialno.*Host\x3A[^\r\n]*linkautomatici\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6491 SPYWARE-PUT Dialer yeaknet runtime detection - post-installation www.spywareguide.com/product_show.php?id=2446 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/bsrv.php"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"socksport="; fast_pattern; nocase; http_uri; content:"httpport="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 6492 SPYWARE-PUT Trickler Backdoor-BAC.gen.e runtime detection - notification vil.mcafeesecurity.com/vil/content/v_138750.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/dat7.php"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"xpsp2"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"lifeisfine.org"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*xpsp2-\d+.*Host\x3A[^\r\n]*lifeisfine\x2Eorg/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6493 SPYWARE-PUT Trickler Backdoor-BAC.gen.e runtime detection - post data vil.mcafeesecurity.com/vil/content/v_138750.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/mbop/display.php3"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"yourenhancement.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*yourenhancement\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 6494 SPYWARE-PUT Adware yourenhancement runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453097585 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/trial.php"; fast_pattern; nocase; http_uri; content:"rest="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"a="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"httphost"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*httphost/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 6495 SPYWARE-PUT Hijacker troj_spywad.x runtime detection www.sophos.com/virusinfo/analyses/trojspywadi.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/advertpro/servlet/view/dynamic/html/campaign"; fast_pattern; nocase; http_uri; content:"cid="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"media.top-banners.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*media\x2Etop-banners\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 6496 SPYWARE-PUT Adware adpowerzone runtime detection www.spywareguide.com/product_show.php?id=1299 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 21554 flow:to_server,established; content:"ver"; depth:3; nocase; flowbits:set,backdoor.exploiter.1.0.conn; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 6497 BACKDOOR exploiter 1.0 runtime detection www.spywareguide.com/product_show.php?id=1603 trojan-activity tcp $HOME_NET 21554 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,backdoor.exploiter.1.0.conn; content:"Exploiter"; depth:9; nocase; content:"Server"; distance:0; nocase; content:"Port"; distance:0; nocase; pcre:"/^Exploiter\s+Server\s+\d+\x2E\d+\s+\x2E\s+Port\s+\d+/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 6498 BACKDOOR exploiter 1.0 runtime detection www.spywareguide.com/product_show.php?id=1603 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; content:"RequestName|7C|"; depth:12; nocase; flowbits:set,Omerta_1_3_conn_1; flowbits:noalert; classtype:trojan-activity; 6499 BACKDOOR omerta 1.3 runtime detection www.antivirusprogram.se/virusinfo/Backdoor.Omerta_4852.html protocol-command-decode tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"|89|PNG|0D 0A 1A 0A|"; flowbits:set,http.client.png; flowbits:noalert; metadata:policy security-ips drop; classtype:protocol-command-decode; 6688 WEB-CLIENT PNG file transfer 18385 attempted-user 2006-0025 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.client.png; content:"sBIT"; byte_test:4,>,3000,-8,relative; metadata:policy security-ips drop; classtype:attempted-user; 6691 WEB-CLIENT Malformed PNG detected sBIT overflow attempt www.microsoft.com/technet/security/bulletin/ms06-024.mspx 18385 attempted-user 2006-0025 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.client.png; content:"bkGD"; byte_test:4,>,3000,-8,relative; metadata:policy security-ips drop; classtype:attempted-user; 6693 WEB-CLIENT Malformed PNG detected bKGD overflow attempt www.microsoft.com/technet/security/bulletin/ms06-024.mspx 18385 attempted-user 2006-0025 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.client.png; content:"hIST"; byte_test:4,>,3000,-8,relative; metadata:policy security-ips drop; classtype:attempted-user; 6694 WEB-CLIENT Malformed PNG detected hIST overflow attempt www.microsoft.com/technet/security/bulletin/ms06-024.mspx 18385 attempted-user 2006-0025 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.client.png; content:"tRNS"; byte_test:4,>,3000,-8,relative; metadata:policy security-ips drop; classtype:attempted-user; 6695 WEB-CLIENT Malformed PNG detected tRNS overflow attempt www.microsoft.com/technet/security/bulletin/ms06-024.mspx 18385 attempted-user 2006-0025 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.client.png; content:"pHYs"; byte_test:4,>,3000,-8,relative; metadata:policy security-ips drop; classtype:attempted-user; 6696 WEB-CLIENT Malformed PNG detected pHYs overflow attempt www.microsoft.com/technet/security/bulletin/ms06-024.mspx 18385 attempted-user 2006-0025 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,http.client.png; content:"tIME"; byte_test:4,>,3000,-8,relative; metadata:policy security-ips drop; classtype:attempted-user; 6698 WEB-CLIENT Malformed PNG detected tIME overflow attempt www.microsoft.com/technet/security/bulletin/ms06-024.mspx 18838 denial-of-service 2006-3351 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"[InternetShortcut]"; within:100; nocase; content:"url="; distance:0; nocase; content:"file|3A|file|3A|file|3A|"; distance:0; nocase; metadata:policy security-ips drop, service http; classtype:denial-of-service; 7022 WEB-CLIENT windows explorer invalid url file overflow attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/uniq1.php"; nocase; http_uri; content:"exp="; nocase; http_uri; content:"adv="; nocase; http_uri; content:"code1="; nocase; http_uri; content:"code2="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"1-extreme.biz"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*1\-extreme\x2Ebiz/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7049 SPYWARE-PUT Hijacker extreme biz runtime detection - uniq1 vil.nai.com/vil/content/v_139122.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| FCTB1"; fast_pattern; nocase; http_header; metadata:policy security-ips alert; classtype:misc-activity; 7050 SPYWARE-PUT Hijacker freecruise toolbar runtime detection misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/newsys/options.xml"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"i-femdom.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*i\-femdom\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7051 SPYWARE-PUT Trickler generic downloader.g runtime detection - spyware injection vil.mcafeesecurity.com/vil/content/v_128719.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"adv="; nocase; http_uri; content:"ads="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.topadwarereviews.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Etopadwarereviews\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7052 SPYWARE-PUT Trickler generic downloader.g runtime detection - adv vil.mcafeesecurity.com/vil/content/v_128719.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/whois.xml"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"cache.everer.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*cache\x2Eeverer\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7053 SPYWARE-PUT Adware webredir runtime detection castlecops.com/tk1907-pxwma_dll.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/b/info.php"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"ccecaedbebfcaf.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*ccecaedbebfcaf\x2Ecom.*?uuid=.*?wv=.*?cargo=.*?check=/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7054 SPYWARE-PUT Trickler download arq variant runtime detection vil.nai.com/vil/content/v_137359.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/progs/"; nocase; http_uri; content:".php"; nocase; http_uri; content:"adv="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"vip01.biz"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*vip01\x2Ebiz/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7055 SPYWARE-PUT Hijacker vip01 biz runtime detection - adv forums.maddoktor2.com/index.php?showtopic=3601 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; content:"SI|7C|Server|7C|"; depth:10; nocase; pcre:"/^SI\|Server\|[^\r\n]*\|\d+\x2E\d+\x2E\d+\x2E\d+\|/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 7057 BACKDOOR charon runtime detection - initial connection vil.nai.com/vil/content/v_138997.htm trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; content:"REQ|7C|"; depth:4; nocase; pcre:"/^REQ\|[A-Z]\x3A\x5C/smi"; flowbits:set,charon_download_1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7058 BACKDOOR charon runtime detection - download file flowbit 1 vil.nai.com/vil/content/v_138997.htm trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; flowbits:isset,charon_download_1; content:"FREQ|7C|"; depth:5; nocase; pcre:"/^FREQ\x7C\d+/smi"; flowbits:set,charon_download_2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7059 BACKDOOR charon runtime detection - download file/log flowbit 2 vil.nai.com/vil/content/v_138997.htm trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; flowbits:isset,charon_download_2; content:"SEND|7C|"; depth:5; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7060 BACKDOOR charon runtime detection - download file/log vil.nai.com/vil/content/v_138997.htm trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; content:"REQ|7C 24|SYS|24|proc32.dll"; depth:19; nocase; flowbits:set,charon_download_1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7061 BACKDOOR charon runtime detection - download log flowbit 1 vil.nai.com/vil/content/v_138997.htm trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"from|3A|"; nocase; content:"cyber@yahoo.com"; distance:0; nocase; content:"subject|3A|"; nocase; content:"notification"; distance:0; nocase; pcre:"/^from\x3A[^\r\n]*cyber@yahoo\x2Ecom.*subject\x3A[^\r\n]*notification\d+\x2E\d+\x2E\d+\x2E\d+/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 7064 BACKDOOR cybernetic 1.62 runtime detection - email notification research.sunbelt-software.com/threat_display.cfm?name=CyberNetic&threatid=41745 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"DmInf"; depth:5; nocase; flowbits:set,backdoor.cybernetic.1.62.rev.conn.1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7065 BACKDOOR cybernetic 1.62 runtime detection - reverse connection flowbit 1 research.sunbelt-software.com/threat_display.cfm?name=CyberNetic&threatid=41745 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; flowbits:isset,backdoor.cybernetic.1.62.rev.conn.1; content:"DmInf"; depth:5; nocase; pcre:"/^DmInf\^[^\r\n]*\^\d+\x2E\d+\x2E\d+\x2E\d+\^/smi"; flowbits:set,backdoor.cybernetic.1.62.rev.conn.2; flowbits:unset,backdoor.cybernetic.1.62.rev.conn.1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7066 BACKDOOR cybernetic 1.62 runtime detection - reverse connection flowbit 1 research.sunbelt-software.com/threat_display.cfm?name=CyberNetic&threatid=41745 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; flowbits:isset,backdoor.cybernetic.1.62.rev.conn.2; content:"connect"; depth:7; nocase; flowbits:unset,backdoor.cybernetic.1.62.rev.conn.2; metadata:policy security-ips drop; classtype:trojan-activity; 7067 BACKDOOR cybernetic 1.62 runtime detection - reverse connection research.sunbelt-software.com/threat_display.cfm?name=CyberNetic&threatid=41745 trojan-activity udp $HOME_NET 47262 -> $EXTERNAL_NET any flow:to_client; content:"Delta"; depth:5; nocase; content:"Source"; distance:0; nocase; pcre:"/^Delta\s+Source\s+\d+\x2E\d+/smi"; metadata:policy security-ips alert; classtype:trojan-activity; 7068 BACKDOOR delta source 0.5 beta runtime detection - ping www.spywareguide.com/product_show.php?id=840 trojan-activity udp $HOME_NET 47262 -> $EXTERNAL_NET any flow:to_client; content:"Server"; depth:6; nocase; content:"info|3A|"; distance:0; nocase; content:"Delta"; distance:0; nocase; content:"Source"; distance:0; nocase; pcre:"/^Server\s+info\x3A\x0D\x0ADelta\s+Source\s+v\d+\x2E\d+/smi"; metadata:policy security-ips alert; classtype:trojan-activity; 7069 BACKDOOR delta source 0.5 beta runtime detection - pc info www.spywareguide.com/product_show.php?id=840 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,backdoor.fraggle.rock.2.0.lite.pc.info; content:"info"; depth:4; nocase; content:"Information"; distance:0; nocase; pcre:"/^info\s+Information\s+for/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 7072 BACKDOOR fraggle rock 2.0 lite runtime detection - pc info www3.ca.com/securityadvisor/pest/pest.aspx?id=453077120 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/admin/logger.php"; nocase; http_uri; content:"p="; nocase; http_uri; content:"machineid="; nocase; http_uri; content:"connection="; nocase; http_uri; content:"iplan="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"backtrust.com"; nocase; http_header; metadata:policy security-ips drop; classtype:trojan-activity; 7073 BACKDOOR w32.dumaru.gen@mm runtime detection - notification www.vil.mcafeesecurity.com/vil/content/v_125643.htm trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/admin/socks/bot/cmd.txt"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"backtrust.com"; nocase; http_header; metadata:policy security-ips alert; classtype:trojan-activity; 7074 BACKDOOR w32.dumaru.gen@mm runtime detection - cmd www.vil.mcafeesecurity.com/vil/content/v_125643.htm trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; content:"&first& "; depth:8; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7075 BACKDOOR bandook 1.0 runtime detection www.nuclearwinter.us/ trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/friendship/email_thank_you"; nocase; http_uri; content:"failed_url="; nocase; http_uri; content:"folder_id="; nocase; http_uri; content:"extra_params_counte="; nocase; http_uri; content:"nick_name="; nocase; http_uri; content:"user_email="; nocase; http_uri; content:"user_uin="; nocase; http_uri; content:"friend_nickname="; nocase; http_uri; content:"friend_contact="; nocase; http_uri; content:"friend_conta"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"http"; nocase; http_header; content:"protocol"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*http\s+protocol/smiH"; metadata:policy security-ips drop; classtype:trojan-activity; 7077 BACKDOOR minimo v0.6 runtime detection - icq notification trojan-activity tcp $EXTERNAL_NET 10015 -> $HOME_NET any flow:from_server,established; content:"BOF"; depth:3; nocase; pcre:"/^BOF[a-z]\x3A\x5C/smi"; flowbits:set,up_run_1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7078 BACKDOOR up and run v1.0 beta runtime detection flowbit 1 www3.ca.com/securityadvisor/pest/pest.aspx?id=453088330 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 10015 flow:to_server,established; flowbits:isset,up_run_1; content:"NEXT"; depth:4; nocase; flowbits:set,up_run_2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7079 BACKDOOR up and run v1.0 beta runtime detection flowbit 2 www3.ca.com/securityadvisor/pest/pest.aspx?id=453088330 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 10015 flow:to_server,established; flowbits:isset,up_run_2; content:"NEXT"; nocase; flowbits:set,up_run_3; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7080 BACKDOOR up and run v1.0 beta runtime detection flowbit 3 www3.ca.com/securityadvisor/pest/pest.aspx?id=453088330 trojan-activity tcp $EXTERNAL_NET 10015 -> $HOME_NET any flow:from_server,established; flowbits:isset,up_run_3; content:"EOF"; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7081 BACKDOOR up and run v1.0 beta runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453088330 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1024: flow:to_server,established; content:"KEY="; depth:4; nocase; content:"Nickname="; distance:0; nocase; pcre:"/^KEY=[^\s]*\s+Nickname=/smi"; flowbits:set,MoSucker3_0; flowbits:noalert; classtype:trojan-activity; 7082 BACKDOOR mosucker3.0 runtime detection - client-to-server www3.ca.com/securityadvisor/pest/pest.aspx?id=453083782 trojan-activity tcp $EXTERNAL_NET 62358 -> $HOME_NET any flow:from_server,established; content:"Erazer"; depth:6; nocase; content:"SIN"; distance:0; nocase; content:"Server"; distance:0; nocase; pcre:"/^Erazer\s+SIN\s+Server/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 7084 BACKDOOR erazer v1.1 runtime detection - sin notification www.megasecurity.org/trojans/e/erazer/Erazer1.1.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"000, Checking..."; depth:16; nocase; flowbits:set,Erazer_InitConnection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7085 BACKDOOR erazer v1.1 runtime detection www.megasecurity.org/trojans/e/erazer/Erazer1.1.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; flowbits:isset,Erazer_InitConnection; content:"000Ok"; depth:5; nocase; content:"echter"; distance:0; nocase; content:"server"; distance:0; nocase; pcre:"/^000Ok\s+echter\s+server\s+\?/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 7086 BACKDOOR erazer v1.1 runtime detection - init connection www.megasecurity.org/trojans/e/erazer/Erazer1.1.html trojan-activity tcp $HOME_NET 5555 -> $EXTERNAL_NET any flow:from_server,established; content:"ServeMe 1.x"; depth:11; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 7091 BACKDOOR serveme runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453081036 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1480 flow:to_server,established; content:"logon|7C|"; depth:6; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 7096 BACKDOOR remote hack 1.5 runtime detection - logon www.spywareguide.com/product_show.php?id=1523 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1480 flow:to_server,established; content:"executafile|7C|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 7097 BACKDOOR remote hack 1.5 runtime detection - execute file www.spywareguide.com/product_show.php?id=1523 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1480 flow:to_server,established; content:"kstart|7C|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 7099 BACKDOOR remote hack 1.5 runtime detection - start keylogger www.spywareguide.com/product_show.php?id=1523 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; content:"|01 0A 02|"; depth:3; flowbits:set,GWBoy_InitConnection1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7101 BACKDOOR gwboy 0.92 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453077181 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; flowbits:isset,GWBoy_InitConnection1; dsize:<50; content:"|02 01 03 05|"; depth:4; metadata:policy security-ips drop; classtype:trojan-activity; 7103 BACKDOOR gwboy 0.92 runtime detection - init connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453077181 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 30029 flow:to_server,established; content:"INFO"; depth:4; nocase; flowbits:set,AOLAdmin1.1.connection; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 7104 BACKDOOR aol admin runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=313 trojan-activity tcp $HOME_NET 30029 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,AOLAdmin1.1.connection; content:"AOL Admin Server 1.1 By CHeeSeR"; depth:31; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 7105 BACKDOOR aol admin runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=313 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 21554 flow:to_server,established; content:"ver"; depth:3; nocase; flowbits:set,GirlFriend.1.35.connection; flowbits:noalert; classtype:trojan-activity; 7106 BACKDOOR girlfriend runtime detection www.spywareguide.com/product_show.php?id=834 trojan-activity tcp $HOME_NET 777 -> $EXTERNAL_NET any flow:from_server,established; content:"STLUdt v3.3 - "; depth:14; nocase; content:"-|28|udt33vic|29|"; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 7108 BACKDOOR undetected runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=17265 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"Pass-On"; depth:7; nocase; flowbits:set,backdoor.fearless.runtime; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 7111 BACKDOOR fearless lite 1.01 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453078381 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,backdoor.fearless.runtime; content:"Pass-On0"; depth:8; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 7112 BACKDOOR fearless lite 1.01 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453078381 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 23476 flow:to_server,established; content:"1|00|AF&AY|00|pINg_|00|!|28|c|29 23|"; depth:19; nocase; flowbits:set,backdoor.donalddick.1.5.b.3.conn; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 7113 BACKDOOR donalddick v1.5b3 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=1720 trojan-activity tcp $HOME_NET 23476 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,backdoor.donalddick.1.5.b.3.conn; content:"OK|00|1|00|AF&AY|00|pINg_|00|!|28|c|29 23|"; depth:22; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 7114 BACKDOOR donalddick v1.5b3 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=1720 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"ver|3A|Ghost version "; depth:18; nocase; content:"server"; distance:0; nocase; pcre:"/^ver\x3aGhost\s+version\s+\d+\x2E\d+\s+server/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 7115 BACKDOOR ghost 2.3 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=42053 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"from=Y3K"; nocase; content:"Server"; distance:0; nocase; content:"fromemail=y3k"; distance:0; nocase; content:"subject=Y3K"; distance:0; nocase; content:"online"; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 7116 BACKDOOR y3k 1.2 runtime detection - icq notification www3.ca.com/securityadvisor/pest/pest.aspx?id=33151 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"ipwHTTP"; nocase; http_header; content:"devSoft"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*devSoft\x27s\s+ipwHTTP\s+Component/smiH"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 7118 BACKDOOR y3k 1.2 runtime detection - user-agent string detected www3.ca.com/securityadvisor/pest/pest.aspx?id=33151 trojan-activity udp $EXTERNAL_NET 5881 -> $HOME_NET 5882 flow:to_server; content:"Y3K"; depth:3; nocase; flowbits:set,Y3K_InitConnection_1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7119 BACKDOOR y3k 1.2 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=33151 trojan-activity udp $HOME_NET 5882 -> $EXTERNAL_NET 5881 flow:to_client; flowbits:isset,Y3K_InitConnection_1; content:"C"; depth:1; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7120 BACKDOOR y3k 1.2 runtime detection - init connection 1 www3.ca.com/securityadvisor/pest/pest.aspx?id=33151 trojan-activity udp $EXTERNAL_NET 5887 -> $HOME_NET 5888 flow:to_server; content:"login"; depth:5; nocase; flowbits:set,Y3K_InitConnection_2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7121 BACKDOOR y3k 1.2 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=33151 trojan-activity udp $HOME_NET 5888 -> $EXTERNAL_NET 5887 flow:to_client; flowbits:isset,Y3K_InitConnection_2; content:"{}"; depth:2; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7122 BACKDOOR y3k 1.2 runtime detection - init connection 2 www3.ca.com/securityadvisor/pest/pest.aspx?id=33151 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/updates/update.php"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.alfacleaner.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ealfacleaner\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7123 SPYWARE-PUT Other-Technologies alfacleaner runtime detection - update www.spywareguide.com/product_show.php?id=2733 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/buy.dhtml"; nocase; http_uri; content:"aff="; nocase; http_uri; content:"sub="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.alfacleaner.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ealfacleaner\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7124 SPYWARE-PUT Other-Technologies alfacleaner runtime detection - buy www.spywareguide.com/product_show.php?id=2733 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/progs_exe/"; nocase; http_uri; content:".php"; nocase; http_uri; content:"adv="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"traffbest.biz"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*traffbest\x2Ebiz/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7125 SPYWARE-PUT Hijacker traffbest biz runtime detection - adv forums.maddoktor2.com/index.php?showtopic=3601 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET 80 flow:to_server,established; content:"/devrandom/r.php"; nocase; http_uri; content:"Host|3A| jupitersatellites.biz"; metadata:policy security-ips drop; classtype:misc-activity; 7126 SPYWARE-PUT Hijacker trojan proxy atiup runtime detection - notification vil.nai.com/vil/content/v_137129.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"t.php"; nocase; http_uri; content:"sc_project="; fast_pattern; nocase; http_uri; content:"resolution="; nocase; http_uri; content:"camefrom="; nocase; http_uri; content:"camefrom="; nocase; http_uri; content:"u="; nocase; http_uri; content:"java="; nocase; http_uri; content:"security="; nocase; http_uri; content:"sc_random="; nocase; http_uri; pcre:"/u=[^\r\n]*www.wowokay.com/Ui"; metadata:policy security-ips drop; classtype:misc-activity; 7127 SPYWARE-PUT Hijacker wowok mp3 bar runtime detection - tracking www.zdnet.com.au/downloads/0,39024478,39111669s,00.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/mb/text_group.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"col="; nocase; http_uri; content:"br="; nocase; http_uri; content:"dk="; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"www.wowokay.com/wowokaybar.php"; nocase; http_header; pcre:"/^Referer\x3A[^\r\n]*www\x2Ewowokay\x2Ecom/wowokaybar\x2Ephp/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7128 SPYWARE-PUT Hijacker wowok mp3 bar runtime detection - advertising 1 www.zdnet.com.au/downloads/0,39024478,39111669s,00.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ea.exe"; nocase; http_uri; content:"sb"; nocase; http_uri; content:"joelesoftware"; nocase; http_uri; content:"01"; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"www.wowokay.com/wowokaybar.php"; nocase; http_header; pcre:"/^Referer\x3A[^\r\n]*www\x2Ewowokay\x2Ecom/wowokaybar\x2Ephp/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7129 SPYWARE-PUT Hijacker wowok mp3 bar runtime detection - advertising 2 www.zdnet.com.au/downloads/0,39024478,39111669s,00.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?s="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.weepee.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Eweepee\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7130 SPYWARE-PUT Hijacker wowok mp3 bar runtime detection - search assissant hijacking www.zdnet.com.au/downloads/0,39024478,39111669s,00.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"IEP"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"drsnsrch.com"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*IEP/smiH"; pcre:"/^Host\x3A[^\r\n]*drsnsrch\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7135 SPYWARE-PUT Hijacker dsrch runtime detection - config info retrieval www.sunbelt-software.com/research/threat_display.cfm?name=DSrch&threatid=41080 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/url.cgi"; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"badurl.grandstreetinteractive.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*badurl\x2Egrandstreetinteractive\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7136 SPYWARE-PUT Hijacker dsrch runtime detection - search assistant redirect www.sunbelt-software.com/research/threat_display.cfm?name=DSrch&threatid=41080 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/sidesearch/sidesearch.html"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"websearch.drsnsrch.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*websearch\x2Edrsnsrch\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7137 SPYWARE-PUT Hijacker dsrch runtime detection - side search redirect www.sunbelt-software.com/research/threat_display.cfm?name=DSrch&threatid=41080 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/xversion.php"; nocase; http_uri; content:"version="; nocase; http_uri; content:"mode="; nocase; http_uri; content:"click="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"loomcompany.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*loomcompany\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7138 SPYWARE-PUT Other-Technologies clicktrojan runtime detection - version check sunbeltblog.blogspot.com/2006/01/seen-in-wild-new-pay-per-click-fraud.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.php"; nocase; http_uri; content:"aid="; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.searchadv.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Esearchadv\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7139 SPYWARE-PUT Other-Technologies clicktrojan runtime detection - fake search query sunbeltblog.blogspot.com/2006/01/seen-in-wild-new-pay-per-click-fraud.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/rb/cout.cgi"; http_uri; content:"Host|3A|"; nocase; http_header; content:"ppcdomain.co.uk"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*ppcdomain\x2Eco\x2Euk/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7140 SPYWARE-PUT Adware pay-per-click runtime detection - configuration ppcdomain.co.uk misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/1.hta"; http_uri; content:"Host|3A|"; nocase; http_header; content:"dimattic.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*dimattic\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7141 SPYWARE-PUT Adware pay-per-click runtime detection - update ppcdomain.co.uk misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/mbop/index.php3"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Microsoft"; nocase; http_header; content:"URL"; nocase; http_header; content:"Control"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"www.digink.com"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Microsoft\s+URL\s+Control\s+-/smiH"; pcre:"/^Host\x3A\s+www\x2Edigink\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7143 SPYWARE-PUT Adware digink.com runtime detection www.techsupportforum.com/archive/index.php/t-46308.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/_other/dll/blank8.pac"; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"WinInet"; nocase; http_header; content:"Test"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*WinInet\s+Test/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7144 SPYWARE-PUT Hijacker cool search runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453079768 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin5/repeaterm2.fcgi"; fast_pattern; nocase; http_uri; content:"n="; nocase; http_uri; content:"lastid="; nocase; http_uri; content:"r="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"adfsgecoiwnf"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*adfsgecoiwnf/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7145 SPYWARE-PUT Other-Technologies spam maxy runtime detection vil.mcafeesecurity.com/vil/content/v_136735.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; content:"Days"; nocase; content:"Hours"; distance:0; nocase; content:"Minutes"; distance:0; nocase; content:"Seconds"; distance:0; nocase; pcre:"/^0[^\r\n]*Days[^\r\n]*Hours[^\r\n]*Minutes[^\r\n]*Seconds\-[^\r\n]*\|\d+\-[^\r\n]*\-\|/smi"; metadata:policy security-ips drop; classtype:misc-activity; 7146 SPYWARE-PUT Hacker-Tool sars notifier runtime detection - sin notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453078294 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/whitepages/page_me/1,,,00.html?"; fast_pattern; nocase; http_uri; content:"to="; nocase; http_uri; content:"from="; nocase; http_uri; content:"fromemail="; nocase; http_uri; content:"body="; nocase; http_uri; pcre:"/body\=\x7BIP\x3A[^\x7B\r\n]*\x7D\x7BOS\x3A[^\x7B\r\n]*\x7D\x7BSysuptime\x3A[^\x7B\r\n]*\x7D\x7BTrojan\x3A[^\x7B\r\n]*\x7D\x7BPort\x3A[^\x7B\r\n]*\x7D\x7BPassword\x3A[^\x7B\r\n]*\x7D\x7BUser\x3A/smi"; metadata:policy security-ips drop; classtype:misc-activity; 7147 SPYWARE-PUT Hacker-Tool sars notifier runtime detection - icq notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453078294 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET 6667 flow:to_server,established; content:"{IP}"; nocase; content:"{OS}"; distance:0; nocase; content:"{Uptime}"; distance:0; nocase; content:"{Trojan}"; distance:0; nocase; content:"{PSW}"; distance:0; nocase; content:"{Port}"; distance:0; nocase; content:"{User}"; nocase; pcre:"/\x7BIP\x7D[^\x7D\r\n]*\x7BOS\x7D[^\x7D\r\n]*\x7BUptime\x7D[^\x7D\r\n]*\x7BTrojan\x7D[^\x7D\r\n]*\x7BPSW\x7D[^\x7D\r\n]*\x7BPort\x7D[^\x7D\r\n]*\x7BUser\x7D/smi"; metadata:policy security-ips drop; classtype:misc-activity; 7150 SPYWARE-PUT Hacker-Tool sars notifier runtime detection - irc notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453078294 misc-activity udp $HOME_NET any -> $EXTERNAL_NET 135 flow:to_server; content:"NUCLEAR-NOTIFY"; nocase; content:"IP|3A|"; distance:0; nocase; content:"OS|3A|"; distance:0; nocase; content:"Sysuptime|3A|"; distance:0; nocase; content:"Trojan|3A|"; distance:0; nocase; content:"Port|3A|"; distance:0; nocase; content:"Password|3A|"; distance:0; nocase; content:"User|3A|"; distance:0; nocase; pcre:"/IP\x3A\s+[^\r\n]*\x0d\x0aOS\x3A\s+[^\r\n]*\x0d\x0aSysuptime\x3A\s+[^\r\n]*\x0d\x0aTrojan\x3A\s+[^\r\n]*\x0d\x0aPort\x3A\s+[^\r\n]*\x0d\x0aPassword\x3A\s+[^\r\n]*\x0d\x0aUser\x3A\s+/smi"; metadata:policy security-ips drop; classtype:misc-activity; 7151 SPYWARE-PUT Hacker-Tool sars notifier runtime detection - net send notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453078294 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/download/CnsMinM.ini"; fast_pattern; nocase; http_uri; content:"t="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 7152 SPYWARE-PUT Hijacker cnsmin 3721 runtime detection - installation www3.ca.com/securityadvisor/pest/pest.aspx?id=453072511 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cns.dll"; nocase; http_uri; content:"coagent="; nocase; http_uri; content:"3721cnsmin"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 7153 SPYWARE-PUT Hijacker cnsmin 3721 runtime detection - hijacking www3.ca.com/securityadvisor/pest/pest.aspx?id=453072511 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Active"; nocase; content:"Keylogger"; distance:0; nocase; content:"Home"; distance:0; nocase; content:"Report"; distance:0; nocase; metadata:policy security-ips alert; classtype:successful-recon-limited; 7154 SPYWARE-PUT Keylogger active keylogger home runtime detection www.spywareguide.com/product_show.php?id=1720 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/sresult.aspx"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.emp3finder.com"; nocase; http_header; content:"txtSearch="; nocase; content:"mp3s="; nocase; pcre:"/^Host\x3A\s+www\x2Eemp3finder\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7155 SPYWARE-PUT Trickler jubster runtime detection freeware4pc.com/multimedia/jubster.shtml successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"_ANSMTP_"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"LOG"; distance:0; nocase; content:"FILE"; distance:0; nocase; content:"Current"; distance:0; nocase; content:"User|3A|"; distance:0; nocase; pcre:"/^X-Mailer\x3A[^\r\n]*_\d+_ANSMTP_\d+_.*Subject\x3A[^\r\n]*LOG\s+FILE\s+Current\s+User\x3A/smi"; metadata:policy security-ips drop; classtype:successful-recon-limited; 7156 SPYWARE-PUT Keylogger win-spy runtime detection - email delivery www.spywareguide.com/product_show.php?id=715 successful-recon-limited tcp $EXTERNAL_NET any -> $HOME_NET 10050 flow:to_server,established; content:"/CLUserName|18|Password|16|"; depth:21; nocase; flowbits:set,winspy_conn_client-to-server; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 7157 SPYWARE-PUT Keylogger win-spy runtime detection - remote conn client-to-server www.spywareguide.com/product_show.php?id=715 successful-recon-limited tcp $HOME_NET 10050 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,winspy_conn_client-to-server; content:"/CK|16|"; depth:4; nocase; metadata:policy security-ips drop; classtype:successful-recon-limited; 7158 SPYWARE-PUT Keylogger win-spy runtime detection - remote conn server-to-client www.spywareguide.com/product_show.php?id=715 successful-recon-limited tcp $EXTERNAL_NET any -> $HOME_NET 10050 flow:to_server,established; content:"/CU"; nocase; content:"True"; distance:0; nocase; pcre:"/\x2FCU[^\r\n]*\x18\d+\x18True\x18\x16/smi"; flowbits:set,winspy_upload_client-to-server; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 7159 SPYWARE-PUT Keylogger win-spy runtime detection - upload file client-to-server www.spywareguide.com/product_show.php?id=715 successful-recon-limited tcp $HOME_NET 10050 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,winspy_upload_client-to-server; content:"/CK|16|"; fast_pattern:only; metadata:policy security-ips drop; classtype:successful-recon-limited; 7160 SPYWARE-PUT Keylogger win-spy runtime detection - upload file server-to-client www.spywareguide.com/product_show.php?id=715 successful-recon-limited tcp $EXTERNAL_NET any -> $HOME_NET 10050 flow:to_server,established; content:"/CD"; fast_pattern:only; pcre:"/\x2FCD[^\r\n]*\x18\x16/smi"; flowbits:set,winspy_download_client-to-server; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 7161 SPYWARE-PUT Keylogger win-spy runtime detection - download file client-to-server www.spywareguide.com/product_show.php?id=715 successful-recon-limited tcp $HOME_NET 10050 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,winspy_download_client-to-server; content:"/CU"; fast_pattern:only; pcre:"/\x2FCU[^\r\n]*\x18\d+\x18\x16/smi"; flowbits:unset,winspy_download_client-to-server; metadata:policy security-ips drop; classtype:successful-recon-limited; 7162 SPYWARE-PUT Keylogger win-spy runtime detection - download file server-to-client www.spywareguide.com/product_show.php?id=715 successful-recon-limited tcp $EXTERNAL_NET any -> $HOME_NET 10050 flow:to_server,established; content:"/RF"; fast_pattern:only; pcre:"/\x2FRF[^\r\n]*\x16/smi"; flowbits:set,winspy_execute_client-to-server; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 7163 SPYWARE-PUT Keylogger win-spy runtime detection - execute file client-to-server www.spywareguide.com/product_show.php?id=715 successful-recon-limited tcp $HOME_NET 10050 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,winspy_execute_client-to-server; content:"/RF|16|"; fast_pattern:only; metadata:policy security-ips drop; classtype:successful-recon-limited; 7164 SPYWARE-PUT Keylogger win-spy runtime detection - execute file server-to-client www.spywareguide.com/product_show.php?id=715 successful-recon-limited tcp $EXTERNAL_NET any -> $HOME_NET 868 flow:to_server,established; content:"Send me the logs, please"; flowbits:set,ABSystemSpy_LogRetrieve; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 7175 SPYWARE-PUT Keylogger ab system spy runtime detection - log retrieve www.spywareguide.com/product_show.php?id=591 successful-recon-limited tcp $HOME_NET 868 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,ABSystemSpy_LogRetrieve; content:"FILEINFO|7C|"; metadata:policy security-ips drop; classtype:successful-recon-limited; 7176 SPYWARE-PUT Keylogger ab system spy runtime detection - log retrieve www3.ca.com/securityadvisor/pest/pest.aspx?id=453076050 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"From|3A|"; nocase; content:"<logs@dummyserver.com>"; distance:0; content:"Subject|3A|"; nocase; content:"Logs"; distance:0; nocase; content:"X-Mailer|3A|"; nocase; content:"Built-in Mail"; distance:0; nocase; metadata:policy security-ips alert; classtype:successful-recon-limited; 7177 SPYWARE-PUT Keylogger ab system spy runtime detection - info send through email www3.ca.com/securityadvisor/pest/pest.aspx?id=453076050 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"|FE FE FE FE|90|00 00|"; depth:8; content:"Private"; distance:0; nocase; content:"Server,"; distance:0; nocase; content:"Login"; distance:0; nocase; content:"Required"; distance:0; nocase; flowbits:set,DesktopDetective_InitConnection1; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 7178 SPYWARE-PUT Keylogger desktop detective 2000 runtime detection - init connection successful-recon-limited tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; flowbits:isset,DesktopDetective_InitConnection1; content:"|FE FE FE FE 00 00 00 00|"; depth:8; content:"DDController"; distance:0; nocase; flowbits:set,DesktopDetective_InitConnection2; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 7179 SPYWARE-PUT Keylogger desktop detective 2000 runtime detection - init connection successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,DesktopDetective_InitConnection2; content:"|FE FE FE FE|90|00 00|"; fast_pattern:only; metadata:policy security-ips alert; classtype:successful-recon-limited; 7180 SPYWARE-PUT Keylogger desktop detective 2000 runtime detection - init connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453060318 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A|"; nocase; content:"Barok.... PSWRD Sender Trojan"; distance:0; nocase; content:"X-Mailer|3A|"; nocase; content:"Barok... email PSWRD sender--- by|3A| spyder"; distance:0; nocase; metadata:policy security-ips drop; classtype:successful-recon-limited; 7183 SPYWARE-PUT Snoopware barok runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453075534 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"filename="; nocase; content:"zip"; distance:0; nocase; pcre:"/filename\x3D\x22[^\r\n]*?\x2D\d+\x5F\d+\x5F\d+\x2D\d+\x5F\d+\x5F\d+\s+[AP]M\x2Ezip/smi"; metadata:policy security-ips drop; classtype:successful-recon-limited; 7186 SPYWARE-PUT Keylogger kgb Keylogger runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453096494 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"SAH Agent"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\s*\x3A[^\r\n]*SAH Agent/miH"; metadata:policy security-ips drop, service http; classtype:successful-recon-limited; 7187 SPYWARE-PUT Trackware shopathome user-agent detected www3.ca.com/securityadvisor/pest/pest.aspx?id=453076082 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/frameset.asp?"; fast_pattern; nocase; http_uri; content:"MID="; nocase; http_uri; content:"ruleID="; nocase; http_uri; content:"popupID="; nocase; http_uri; content:"doPopup="; nocase; http_uri; content:"version="; nocase; http_uri; content:"requested="; nocase; http_uri; content:"CustomerID="; nocase; http_uri; content:"owner="; nocase; http_uri; content:"refer="; nocase; http_uri; content:"LastPrefs="; http_uri; content:"GUID="; nocase; http_uri; metadata:policy security-ips drop; classtype:successful-recon-limited; 7188 SPYWARE-PUT Hijacker shop at home select - merchant redirect in progress www3.ca.com/securityadvisor/pest/pest.aspx?id=453076082 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/setcookie.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"s="; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"discounts.shopathome.com/frameset.asp?"; nocase; http_header; pcre:"/^Referer\x3A[^\r\n]*http\x3A\x2F\x2Fdiscounts\x2Eshopathome\x2Ecom\x2Fframeset\x2Easp\?/smiH"; metadata:policy security-ips drop; classtype:successful-recon-limited; 7189 SPYWARE-PUT Trackware shopathome runtime detection - setcookie request www3.ca.com/securityadvisor/pest/pest.aspx?id=453076082 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"?hostfile="; depth:20; nocase; http_uri; content:"client=TFLS"; fast_pattern; nocase; http_uri; content:"version="; nocase; http_uri; content:"get="; nocase; http_uri; metadata:policy security-ips alert, service http; classtype:misc-activity; 7190 SPYWARE-PUT Adware trustyfiles v3.1.0.1 runtime detection - host retrieval www.softpicks.net/software/TrustyFiles-Personal-File-Sharing-13308.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET 80 flow:to_server,established; content:"/."; nocase; http_uri; content:"urlfile="; nocase; http_uri; content:"client=TFLS"; fast_pattern; nocase; http_uri; content:"version="; nocase; http_uri; content:"get="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 7191 SPYWARE-PUT Adware trustyfiles v3.1.0.1 runtime detection - url retrieval www.softpicks.net/software/TrustyFiles-Personal-File-Sharing-13308.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET 80 flow:to_server,established; content:"/rd/feed/XMLFeed.jsp"; fast_pattern; nocase; http_uri; content:"trackID="; nocase; http_uri; content:"pID="; nocase; http_uri; content:"cat="; nocase; http_uri; content:"nl="; nocase; http_uri; content:"page="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"excID="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 7192 SPYWARE-PUT Adware trustyfiles v3.1.0.1 runtime detection - sponsor selection www.softpicks.net/software/TrustyFiles-Personal-File-Sharing-13308.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET 80 flow:to_server,established; content:"/index-tfc.php"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"trustyfiles"; nocase; http_header; content:"com"; nocase; http_header; pcre:"/^Host|3A|[^\r\n]*trustyfiles\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7193 SPYWARE-PUT Adware trustyfiles v3.1.0.1 runtime detection - startup access www.softpicks.net/software/TrustyFiles-Personal-File-Sharing-13308.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cs/cs.aspx?"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"cs.shopperreports.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*cs\x2Eshopperreports\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7194 SPYWARE-PUT Hijacker shopprreports runtime detection - services requests vil.mcafeesecurity.com/vil/content/v_133312.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"shprrprt-cs-"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*shprrprt-cs-\d+\x2E\d+\x2E\d+/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7195 SPYWARE-PUT Hijacker shopprreports runtime detection - track/upgrade/report activities vil.mcafeesecurity.com/vil/content/v_133312.htm misc-activity tcp $EXTERNAL_NET any -> $HOME_NET 10607 flow:to_server,established; content:"Hello"; depth:5; flowbits:set,coma.1; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; 7506 SPYWARE-PUT Hacker-Tool coma runtime detection - init connection - flowbit set misc-activity tcp $HOME_NET 10607 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,coma.1; content:"COMA Server Version"; depth:19; metadata:policy security-ips drop; classtype:misc-activity; 7507 SPYWARE-PUT Hacker-Tool coma runtime detection - init connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453090795 misc-activity tcp $EXTERNAL_NET any -> $HOME_NET 10607 flow:to_server,established; content:"Ping"; depth:4; flowbits:set,coma.2; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; 7508 SPYWARE-PUT Hacker-Tool coma runtime detection - ping - flowbit set misc-activity tcp $HOME_NET 10607 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,coma.2; content:"Pong"; depth:4; metadata:policy security-ips drop; classtype:misc-activity; 7509 SPYWARE-PUT Hacker-Tool coma runtime detection - ping www3.ca.com/securityadvisor/pest/pest.aspx?id=453090795 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ver/ver.php"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"app="; nocase; http_uri; content:"install_date="; nocase; http_uri; content:"reg="; nocase; http_uri; content:"sys="; nocase; http_uri; content:"sver="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"home.edonkey.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*home\x2Eedonkey\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7510 SPYWARE-PUT Trickler edonkey2000 runtime detection - version verification www.fbmsoftware.com/spyware-net/Process/edonkey2000_exe/705/ misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/scripts/adscript4.php"; fast_pattern; nocase; http_uri; content:"country="; nocase; http_uri; content:"dummy="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"sda.edonkey.com"; nocase; http_header; content:"User-Agent|3A|"; nocase; http_header; content:"ed2k"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*sda\x2Eedonkey\x2Ecom.*User-Agent\x3A[^\r\n]*ed2k/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7511 SPYWARE-PUT Trickler edonkey2000 runtime detection - get ads page www.fbmsoftware.com/spyware-net/Process/edonkey2000_exe/705/ successful-recon-limited tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; content:"N|3A|UC|3A|"; fast_pattern:only; pcre:"/^N\x3aUC\x3a\d+\x2c\d+\x2e\d+\x2e\d+\x2e\d+\x2c/smi"; flowbits:set,WatchDog_Init_Connection; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 7512 SPYWARE-PUT Keylogger watchdog runtime detection - init connection - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=453098060 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; flowbits:isset,WatchDog_Init_Connection; content:"I|3A|NAME|3A|"; fast_pattern:only; pcre:"/^I\x3aNAME\x3a/smi"; metadata:policy security-ips drop; classtype:successful-recon-limited; 7513 SPYWARE-PUT Keylogger watchdog runtime detection - init connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453098060 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; content:"S|3A|Users"; fast_pattern:only; pcre:"/^S\x3aUsers\x5c\d+\x2cSTATSTimeTotal/smi"; metadata:policy security-ips alert; classtype:successful-recon-limited; 7514 SPYWARE-PUT Keylogger watchdog runtime detection - send out info to server periodically www3.ca.com/securityadvisor/pest/pest.aspx?id=453098060 successful-recon-limited tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any flow:from_server,established; content:"Server|3A|"; nocase; http_header; content:"WatchDog"; nocase; http_header; content:"Server"; nocase; http_header; pcre:"/Server\x3a[^\r\n]*WatchDog[^\r\n]*Server/smiH"; metadata:policy security-ips alert; classtype:successful-recon-limited; 7515 SPYWARE-PUT Keylogger watchdog runtime detection - remote monitoring www3.ca.com/securityadvisor/pest/pest.aspx?id=453098060 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/update"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"tool.world2.cn"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Toolbar.*Host\x3A[^\r\n]*tool\x2Eworld2\x2Ecn/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7516 SPYWARE-PUT Trickler hmtoolbar runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453096408 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ta/NEWS/"; nocase; http_uri; content:"/rss"; nocase; http_uri; pcre:"/\x2Fta\x2FNEWS\x2F[^\r\n]*\x2Frss/Ui"; content:"User-Agent|3A|"; nocase; http_header; content:"AsyncHTTP"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*AsyncHTTP/smiH"; metadata:policy security-ips alert; classtype:successful-recon-limited; 7518 SPYWARE-PUT Trackware earthlink toolbar runtime detection - get up-to-date news info castlecops.com/startuplist-1068.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/track?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"earthlink"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; classtype:successful-recon-limited; 7519 SPYWARE-PUT Trackware earthlink toolbar runtime detection - track activity castlecops.com/startuplist-1068.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/sw/ietb/3/0/rd103.html?"; fast_pattern; nocase; http_uri; content:"d=error_earthlink"; nocase; http_uri; content:"q="; nocase; http_uri; metadata:policy security-ips drop; classtype:successful-recon-limited; 7520 SPYWARE-PUT Trackware earthlink toolbar runtime detection - ie autosearch hijack castlecops.com/startuplist-1068.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/sw/toolbar/4/2/rd601.html?"; nocase; http_uri; content:"area=earthlink-ws-altsearchbox"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; metadata:policy security-ips drop; classtype:successful-recon-limited; 7521 SPYWARE-PUT Trackware earthlink toolbar runtime detection - search toolbar request 1 castlecops.com/startuplist-1068.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search?"; nocase; http_uri; content:"area=earthlink-ws-altsearchbox"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; metadata:policy security-ips alert; classtype:successful-recon-limited; 7522 SPYWARE-PUT Trackware earthlink toolbar runtime detection - search toolbar request 2 castlecops.com/startuplist-1068.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/article/"; nocase; http_uri; content:"guid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"enews.earthlink.net"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*enews\x2Eearthlink\x2Enet/smiH"; metadata:policy security-ips alert; classtype:successful-recon-limited; 7523 SPYWARE-PUT Trackware earthlink toolbar runtime detection - click news button links castlecops.com/startuplist-1068.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/searchapp/barad.asp?"; fast_pattern; nocase; http_uri; content:"searchkey="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"toolbar.hotblox.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*toolbar\x2Ehotblox\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:successful-recon-limited; 7525 SPYWARE-PUT Trackware hotblox toolbar runtime detection - barad.asp request sparkles.nu/spy/proceed-34.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/t.php?"; nocase; http_uri; content:"sc_project="; nocase; http_uri; content:"resolution="; nocase; http_uri; content:"camefrom="; nocase; http_uri; content:"u="; nocase; http_uri; content:"toolbar.hotblox.com/searchapp/barad.asp"; fast_pattern; nocase; http_uri; content:"t=barad"; nocase; http_uri; content:"java="; nocase; http_uri; content:"security="; nocase; http_uri; content:"sc_random="; nocase; http_uri; metadata:policy security-ips alert; classtype:successful-recon-limited; 7526 SPYWARE-PUT Trackware hotblox toolbar runtime detection - stat counter sparkles.nu/spy/proceed-34.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/custom?"; nocase; http_uri; content:"sourceid=toolbar.hotblox.com"; fast_pattern; nocase; http_uri; content:"client="; nocase; http_uri; content:"forid="; nocase; http_uri; content:"ie="; nocase; http_uri; content:"cof="; nocase; http_uri; content:"hl="; nocase; http_uri; metadata:policy security-ips alert; classtype:successful-recon-limited; 7527 SPYWARE-PUT Trackware hotblox toolbar runtime detection - toolbar find function sparkles.nu/spy/proceed-34.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/dns/?url="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"toolbar.hotblox.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*toolbar\x2Ehotblox\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:successful-recon-limited; 7528 SPYWARE-PUT Trackware hotblox toolbar runtime detection - ie autosearch hijack sparkles.nu/spy/proceed-34.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"from=HL-Jacker"; nocase; http_uri; content:"body=key"; nocase; http_uri; content:"fromemail=Jacked"; fast_pattern; nocase; http_uri; content:"to="; nocase; http_uri; metadata:policy security-ips alert; classtype:successful-recon-limited; 7529 SPYWARE-PUT Snoopware halflife jacker runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453077199 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/gs_trickler"; fast_pattern; nocase; http_uri; content:"TRICKLER"; nocase; pcre:"/^TRICKLER\d+=[^\r\n]*MediaSeek*/smi"; metadata:policy security-ips drop; classtype:misc-activity; 7530 SPYWARE-PUT Trickler mediaseek.pl client runtime detection - trickler www.remove-spyware-now.net/MediaSeek-pl-Client.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET 21 flow:to_server,established; content:"GET"; depth:3; nocase; content:"/K?"; distance:0; nocase; pcre:"/^GET\s+\x2FK\x3F[^\r\n]*\x7C*\x7C*\x7C*\s+HTTP*/smi"; metadata:policy security-ips alert; classtype:misc-activity; 7531 SPYWARE-PUT Trickler mediaseek.pl client runtime detection - login www.remove-spyware-now.net/MediaSeek-pl-Client.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Microsoft"; nocase; http_header; content:"URL"; nocase; http_header; content:"Control"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"www.piolet.com"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Microsoft\s+URL\s+Control/smiH"; pcre:"/^Host\x3A[^\r\n]*www.piolet.com/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7532 SPYWARE-PUT Adware piolet runtime detection - user-agent taxster.fateback.com/piolet.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ads/468x60"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.piolet.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www.piolet.com/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7533 SPYWARE-PUT Adware piolet runtime detection - ads request taxster.fateback.com/piolet.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ie/?"; nocase; http_uri; content:"guid="; nocase; http_uri; content:"addr="; nocase; http_uri; content:"User-Agent|3A| IEXPLORE.EXE"; fast_pattern; nocase; http_header; metadata:policy security-ips alert; classtype:misc-activity; 7534 SPYWARE-PUT Hijacker clearsearch variant runtime detection - ie hijacking www.doxdesk.com/parasite/ClearSearch.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/fast-cgi/bsc?"; nocase; http_uri; content:"mandant=clear"; nocase; http_uri; content:"synd=clear"; nocase; http_uri; content:"device="; nocase; http_uri; content:"portalLanguage="; fast_pattern; nocase; http_uri; content:"userLanguage="; nocase; http_uri; content:"context="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"q="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 7535 SPYWARE-PUT Hijacker clearsearch variant runtime detection - pass information www.doxdesk.com/parasite/ClearSearch.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/popup/popup.php?"; fast_pattern; nocase; http_uri; content:"cat="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"sc="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"clearsearch.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*clearsearch\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7536 SPYWARE-PUT Hijacker clearsearch variant runtime detection - popup www.doxdesk.com/parasite/ClearSearch.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| Arrow Search"; fast_pattern; nocase; http_header; metadata:policy security-ips alert; classtype:successful-recon-limited; 7537 SPYWARE-PUT Trackware arrow search runtime detection www.rt-software.co.uk/arrow_search/index.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"Eye"; distance:0; nocase; content:"Spy"; distance:0; nocase; content:"Pro"; distance:0; nocase; pcre:"/^X-Mailer\x3A[^\r\n]*Eye\s+Spy\s+Pro/smi"; metadata:policy security-ips alert; classtype:successful-recon-limited; 7539 SPYWARE-PUT Keylogger eye spy pro 1.0 runtime detection www.softslist.com/download-9-50-20783.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"From|3A|"; nocase; content:"|22|StarLogger|22|"; distance:0; nocase; content:"Subject|3A| StarLogger information"; distance:0; nocase; content:"Please find attached the StarLogger log file named"; fast_pattern:only; metadata:policy security-ips drop; classtype:successful-recon-limited; 7541 SPYWARE-PUT Keylogger starlogger runtime detection www.spywareguide.com/product_show.php?id=922 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"OVN|01 00 01 00 1A 00 00 00|"; depth:11; content:"Mini"; distance:0; content:"Oblivion"; distance:0; content:"Ready"; distance:0; pcre:"/^OVN.*Mini\s+Oblivion.*Ready/"; metadata:policy security-ips drop; classtype:misc-activity; 7542 SPYWARE-PUT Hacker-Tool mini oblivion runtime detection - successful init connection www3.ca.com/securityadvisor/pest/pest.aspx?id=26770 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/9894/search/search.html"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"pop.popuptoast.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*pop\x2Epopuptoast\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7543 SPYWARE-PUT Hijacker 2020search runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453076971 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A| CSMTPConnection"; depth:256; nocase; flowbits:set,PerfectKeylogger1; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 7544 SPYWARE-PUT Keylogger PerfectKeylogger runtime detection - flowbit set 1 www3.ca.com/securityadvisor/pest/pest.aspx?id=453073333 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,PerfectKeylogger1; content:"filename=|22|keystrokes.html|22|"; depth:300; nocase; flowbits:set,PerfectKeylogger2; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 7545 SPYWARE-PUT Keylogger PerfectKeylogger runtime detection - flowbit set 2 www3.ca.com/securityadvisor/pest/pest.aspx?id=453073333 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,PerfectKeylogger2; content:"This is a Perfect Keylogger report"; fast_pattern:only; metadata:policy security-ips drop; classtype:successful-recon-limited; 7546 SPYWARE-PUT Keylogger PerfectKeylogger runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453073333 successful-recon-limited udp $EXTERNAL_NET any -> $HOME_NET 15164 content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; metadata:policy security-ips alert; classtype:successful-recon-limited; 7547 SPYWARE-PUT Keylogger activity monitor 3.8 runtime detection - agent status monitoring www3.ca.com/securityadvisor/pest/pest.aspx?id=35592 successful-recon-limited udp $HOME_NET any -> $EXTERNAL_NET 15165 content:"|00 00 00 00 00 00 00 00|"; depth:8; metadata:policy security-ips alert; classtype:successful-recon-limited; 7548 SPYWARE-PUT Keylogger activity monitor 3.8 runtime detection - agent up notification www3.ca.com/securityadvisor/pest/pest.aspx?id=35592 successful-recon-limited udp $HOME_NET any -> $EXTERNAL_NET 15165 content:"|1D BA 0B FB|d|5C 86 E1 DA 83|BC|B6 04 E0|^|0A|@|C5 D4 00 00 00 00 00 00 00 00|"; metadata:policy security-ips alert; classtype:successful-recon-limited; 7549 SPYWARE-PUT Keylogger activity monitor 3.8 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=35592 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"ADROAR"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*ADROAR/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7550 SPYWARE-PUT Adware adroar runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453077256 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"ClientID="; nocase; http_uri; content:"ServerTableID="; fast_pattern; nocase; http_uri; content:"ClientData="; nocase; http_uri; content:"AuxData="; nocase; http_uri; content:"ReleaseID="; nocase; http_uri; content:"ClientStats="; nocase; http_uri; content:"StoreID="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"HXLogOnly"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]+HXLogOnly/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7553 SPYWARE-PUT Adware hxdl runtime detection - hxlogonly user-agent www3.ca.com/securityadvisor/pest/pest.aspx?id=453075079 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"HXDownload"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]+HXDownload/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7554 SPYWARE-PUT Adware hxdl runtime detection - hxdownload user-agent www3.ca.com/securityadvisor/pest/pest.aspx?id=453075079 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search_results.php"; fast_pattern; nocase; http_uri; content:"account_id="; nocase; http_uri; content:"search_string="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.blazefind.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]+www\x2Eblazefind\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7556 SPYWARE-PUT Hijacker blazefind runtime detection - search bar www3.ca.com/securityadvisor/pest/pest.aspx?id=453079063 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cs/pop4/"; fast_pattern; nocase; http_uri; content:".html"; nocase; http_uri; pcre:"/\x2Fcs\x2Fpop4\x2F((frame_ver2)|(UI2))\x2Ehtml/Ui"; metadata:policy security-ips alert; classtype:successful-recon-limited; 7557 SPYWARE-PUT Trackware purityscan runtime detection - start up www3.ca.com/securityadvisor/pest/pest.aspx?id=453073488 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/install/notify.php?"; fast_pattern; nocase; http_uri; content:"pid="; nocase; http_uri; content:"module="; nocase; http_uri; content:"v="; nocase; http_uri; content:"b="; nocase; http_uri; content:"result="; nocase; http_uri; content:"message="; nocase; http_uri; metadata:policy security-ips alert; classtype:successful-recon-limited; 7558 SPYWARE-PUT Trackware purityscan runtime detection - installation notify www3.ca.com/securityadvisor/pest/pest.aspx?id=453073488 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/count.cgi?clickspring"; nocase; http_uri; content:"www.clickspring.net/cs/pop4/frame_ver2.html"; fast_pattern; nocase; http_uri; metadata:policy security-ips alert; classtype:successful-recon-limited; 7559 SPYWARE-PUT Trackware purityscan runtime detection - track user activity and status www3.ca.com/securityadvisor/pest/pest.aspx?id=453073488 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/query.php"; fast_pattern; nocase; http_uri; content:"v="; nocase; content:"b="; distance:0; nocase; content:"vt="; distance:0; nocase; content:"c="; distance:0; nocase; content:"os="; distance:0; nocase; content:"lang="; distance:0; nocase; content:"pl="; distance:0; nocase; content:"z="; distance:0; nocase; metadata:policy security-ips drop; classtype:successful-recon-limited; 7560 SPYWARE-PUT Trackware purityscan runtime detection - self update www3.ca.com/securityadvisor/pest/pest.aspx?id=453073488 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ps/ps_uninstaller.exe"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.purityscan.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Epurityscan\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:successful-recon-limited; 7561 SPYWARE-PUT Trackware purityscan runtime detection - opt out of interstitial advertising www3.ca.com/securityadvisor/pest/pest.aspx?id=453073488 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/rotation/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"downloads.morpheus.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*downloads\x2Emorpheus\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7562 SPYWARE-PUT Adware morpheus runtime detection - ad 1 www3.ca.com/securityadvisor/pest/pest.aspx?id=54367 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"Referer|3A|"; nocase; http_header; content:"downloads.morpheus.com/rotation/"; nocase; http_header; pcre:"/^Referer\x3A[^\r\n]*downloads\x2Emorpheus\x2Ecom\x2Frotation/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7563 SPYWARE-PUT Adware morpheus runtime detection - ad 2 www3.ca.com/securityadvisor/pest/pest.aspx?id=54367 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ieb/res/topres.xsl"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 7564 SPYWARE-PUT Hijacker startnow runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453083036 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/searchbar/engine.php"; fast_pattern; nocase; http_uri; content:"cver="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.searchexpert.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Esearchexpert\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7565 SPYWARE-PUT Hijacker adshooter.searchforit runtime detection - search engine www3.ca.com/securityadvisor/pest/pest.aspx?id=453079051 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/redirector.html"; fast_pattern; nocase; http_uri; content:"image_id="; nocase; http_uri; content:"advertiser_id="; nocase; http_uri; content:"keyword_id="; nocase; http_uri; content:"bid="; nocase; http_uri; content:"url="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 7566 SPYWARE-PUT Hijacker adshooter.searchforit runtime detection - redirector www3.ca.com/securityadvisor/pest/pest.aspx?id=453079051 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"POST"; depth:4; nocase; content:"X-AT|3A|"; nocase; http_header; content:"X-CI|3A|"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"webhancer.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*webhancer\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:successful-recon-limited; 7568 SPYWARE-PUT Trackware webhancer runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=43482 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/home/lordofsearch"; fast_pattern; nocase; http_uri; pcre:"/\x5Chome\/lordofsearch[^\r\n]*\x2Ehtml/smi"; metadata:policy security-ips alert; classtype:misc-activity; 7569 SPYWARE-PUT Adware lordofsearch runtime detection www.spywareguide.com/product_list_category.php?category_id=12 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/pagead/ads?"; nocase; http_uri; content:"www.linkspider.co.uk/cgi-bin/cgsearch/cgsearch.cgi"; fast_pattern; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 7570 SPYWARE-PUT Hijacker linkspider search bar runtime detection - ads linkspider.co.uk misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/cgsearch/cgsearch.cgi?"; fast_pattern; nocase; http_uri; content:"vid="; nocase; http_uri; content:"category="; nocase; http_uri; content:"lout="; nocase; http_uri; content:"sel="; nocase; http_uri; content:"refer="; nocase; http_uri; content:"query="; nocase; http_uri; content:"match="; nocase; http_uri; content:"where="; nocase; http_uri; content:"sd="; nocase; http_uri; content:"pp="; nocase; http_uri; content:"to="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 7571 SPYWARE-PUT Hijacker linkspider search bar runtime detection - toolbar search linkspider.co.uk misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/data/startup.txt"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"DigExt"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*DigExt/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7572 SPYWARE-PUT Trickler album galaxy runtime detection - startup data codegravity.com/index.php/spyware misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/P2P/gnutella/cache/gerry.asp"; fast_pattern; nocase; http_uri; content:"urlfile="; nocase; http_uri; content:"client=GALA"; nocase; http_uri; content:"version="; nocase; http_uri; content:"get="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 7573 SPYWARE-PUT Trickler album galaxy runtime detection - p2p gnutella codegravity.com/index.php/spyware successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"HELO"; nocase; content:"ProAgent"; distance:0; nocase; pcre:"/^HELO\s+ProAgent/smi"; content:"From|3A|"; nocase; content:"ProAgent"; distance:0; nocase; pcre:"/^From\x3A\s+\x22ProAgent\s+v\d+\x2E\d+\x22/smi"; metadata:policy security-ips drop; classtype:successful-recon-limited; 7574 SPYWARE-PUT Keylogger proagent 2.0 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453076925 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/dp/weather?x="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"as.starware.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*as\x2Estarware\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7575 SPYWARE-PUT Hijacker starware toolbar runtime detection - weather request www.spywareguide.com/product_show.php?id=2009 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/dp/search?x="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"as.starware.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*as\x2Estarware\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7576 SPYWARE-PUT Hijacker starware toolbar runtime detection - hijack ie browser www.spywareguide.com/product_show.php?id=2009 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/d/sr/?"; nocase; http_uri; content:"xargs="; nocase; http_uri; content:"yargs="; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"as.starware.com/dp/search?x="; nocase; http_header; pcre:"/^Referer\x3A[^\r\n]*as\x2Estarware\x2Ecom\x2Fdp\x2Fsearch\?x=/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7577 SPYWARE-PUT Hijacker starware toolbar runtime detection - collect information www.spywareguide.com/product_show.php?id=2009 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/dp/reference?x="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"as.starware.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*as\x2Estarware\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7578 SPYWARE-PUT Hijacker starware toolbar runtime detection - reference www.spywareguide.com/product_show.php?id=2009 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/pl/shared/smileys/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"files-pl.starware.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*files-pl\x2Estarware\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7579 SPYWARE-PUT Hijacker starware toolbar runtime detection - smileys www.spywareguide.com/product_show.php?id=2009 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/dp/simpleupdate?x="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"as.starware.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*as\x2Estarware\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7580 SPYWARE-PUT Hijacker starware toolbar runtime detection - update www.spywareguide.com/product_show.php?id=2009 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| Pcast Live"; fast_pattern; nocase; http_header; metadata:policy security-ips alert; classtype:misc-activity; 7582 SPYWARE-PUT Trickler pcast runtime detection - update checking www3.ca.com/securityadvisor/pest/pest.aspx?id=453098354 misc-activity tcp $EXTERNAL_NET any -> $HOME_NET 4563 flow:to_server,established; flowbits:isnotset,Clandestine_CTS1; content:"big"; depth:3; nocase; flowbits:set,Clandestine_CTS1; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 7583 SPYWARE-PUT Hacker-Tool clandestine runtime detection - flowbit set big www3.ca.com/securityadvisor/pest/pest.aspx?id=1295 misc-activity tcp $EXTERNAL_NET any -> $HOME_NET 4563 flow:to_server,established; flowbits:isnotset,Clandestine_CTS1; content:"open"; depth:4; nocase; flowbits:set,Clandestine_CTS1; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 7584 SPYWARE-PUT Hacker-Tool clandestine runtime detection - flowbit set open www3.ca.com/securityadvisor/pest/pest.aspx?id=1295 misc-activity tcp $HOME_NET 4563 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Clandestine_CTS1; content:">>IMAGE|FF D8 FF E0 00 10|JFIF"; flowbits:set,Clandestine_STC1; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; 7585 SPYWARE-PUT Hacker-Tool clandestine runtime detection - flowbit set image www3.ca.com/securityadvisor/pest/pest.aspx?id=1295 misc-activity tcp $HOME_NET 4563 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Clandestine_STC1; content:"<<DONE"; metadata:policy security-ips drop; classtype:misc-activity; 7586 SPYWARE-PUT Hacker-Tool clandestine runtime detection - image transferred www3.ca.com/securityadvisor/pest/pest.aspx?id=1295 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"URLBlaze"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*URLBlaze/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7587 SPYWARE-PUT Trickler urlblaze runtime detection - software information request www3.ca.com/securityadvisor/pest/pest.aspx?id=453073195 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/phppbc.php"; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"www.urlblaze.net"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"www.peer2mail.com"; nocase; http_header; pcre:"/^Referer\x3a[^\r\n]*www\x2eurlblaze\x2enet.*Host\x3A[^\r\n]*www\x2Epeer2mail\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7588 SPYWARE-PUT Trickler urlblaze runtime detection - files search or download www3.ca.com/securityadvisor/pest/pest.aspx?id=453073195 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET 6667 flow:to_server,established; content:"NICK"; depth:4; nocase; content:"6633"; distance:0; nocase; pcre:"/^NICK\s+\x5E\d+\x5E\d+\x5E\d+\x5E\d+\x5E6633/smi"; metadata:policy security-ips alert; classtype:misc-activity; 7589 SPYWARE-PUT Trickler urlblaze runtime detection - irc notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453073195 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/toolbar/swbartb0110.cfg"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.searchwords.com"; nocase; http_header; pcre:"/^Host\x3A\s+www\x2Esearchwords\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7590 SPYWARE-PUT Hijacker swbar runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453077852 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"From|3A|"; nocase; content:"Keylogger-Pro"; distance:0; nocase; pcre:"/^From\x3a[^\r\n]*Keylogger-Pro/smi"; flowbits:set,KeyloggerPro_SMTP; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 7591 SPYWARE-PUT Keylogger keylogger pro runtime detection - flowbit set successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,KeyloggerPro_SMTP; content:"Keylogger"; nocase; content:"Pro"; distance:0; nocase; content:"Activity"; distance:0; nocase; content:"Logs"; distance:0; pcre:"/^Keylogger\s+Pro\s+Activity\s+Logs/smi"; metadata:policy security-ips drop; classtype:successful-recon-limited; 7592 SPYWARE-PUT Keylogger keylogger pro runtime detection www.spyany.com/keylogger.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/add.txt?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"url=http"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"rank.toolbarbrowser.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*rank\x2Etoolbarbrowser\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:successful-recon-limited; 7593 SPYWARE-PUT Trackware trellian toolbarbrowser runtime detection www.toolbarbrowser.com misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/advertisement/advertisement.php?"; fast_pattern; nocase; http_uri; content:"systemTray="; nocase; http_uri; content:"joke_category="; nocase; http_uri; content:"joke_id="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 7594 SPYWARE-PUT Adware comedy planet runtime detection - ads labs.paretologic.com/spyware.aspx?remove=Comedy-Planet misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/index.php?document="; fast_pattern:only; content:"form-data|3B|"; nocase; content:"name="; distance:0; nocase; content:"user_name"; distance:0; nocase; content:"user_email"; distance:0; nocase; metadata:policy security-ips drop; classtype:misc-activity; 7595 SPYWARE-PUT Adware comedy planet runtime detection - collect user information labs.paretologic.com/spyware.aspx?remove=Comedy-Planet successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Hello."; nocase; content:"This"; distance:0; nocase; content:"letter"; distance:0; nocase; content:"contains"; distance:0; nocase; content:"logfile"; distance:0; nocase; content:"from"; distance:0; nocase; pcre:"/Hello\x2E\s+This\s+letter\s+contains\s+logfile\s+from/smi"; flowbits:set,LanternKeylogger; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 7596 SPYWARE-PUT Keylogger spy lantern keylogger runtime detection - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=453083297 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,LanternKeylogger; content:"filename="; nocase; content:".ltr"; distance:0; nocase; pcre:"/filename=\x22[^\r\n]*\x2Eltr\x22/smi"; metadata:policy security-ips alert; classtype:successful-recon-limited; 7597 SPYWARE-PUT Keylogger spy lantern keylogger runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453083297 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.2-seek.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2E2-seek\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:successful-recon-limited; 7598 SPYWARE-PUT Snoopware 2-seek runtime detection - search in toolbar www.2-seek.com/toolbar.php successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/go.php?"; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"www.2-seek.com/search/"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"www.2-seek.com"; nocase; http_header; pcre:"/^Referer\x3a[^\r\n]*www\x2e2-seek\x2ecom\x2fsearch/smiH"; pcre:"/^Host\x3A[^\r\n]*www\x2E2-seek\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:successful-recon-limited; 7599 SPYWARE-PUT Snoopware 2-seek runtime detection - user info collection www.2-seek.com/toolbar.php misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"EFError"; nocase; http_header; content:"Internet"; nocase; http_header; content:"Connection"; nocase; http_header; content:"Test"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*EFError\s+Internet\s+Connection\s+Test/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7600 SPYWARE-PUT Hijacker adtraffic runtime detection - notfound website search hijack and redirection www3.ca.com/securityadvisor/pest/pest.aspx?id=453094115 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 7001 flow:to_server,established; content:"login"; depth:5; nocase; content:"~EOL!"; distance:0; nocase; pcre:"/^login\s+[^\r\n]*\x2A[^\r\n]*~EOL!/smi"; metadata:policy security-ips drop; classtype:successful-recon-limited; 7601 SPYWARE-PUT Snoopware big brother v3.5.1 runtime detection - connect to keyserver www3.ca.com/securityadvisor/pest/pest.aspx?id=45916 successful-recon-limited tcp $EXTERNAL_NET any -> $HOME_NET 7000 flow:to_server,established; content:"HBand"; depth:6; nocase; content:"~EOL!"; distance:0; nocase; pcre:"/^HBand\d+,\d+,\d+,\d+,\d+,\d+~EOL!/smi"; flowbits:set,snoopware.big.brother.3.5.1.conn.cts; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 7602 SPYWARE-PUT Snoopware big brother v3.5.1 runtime detection - connect to receiver - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=45916 successful-recon-limited tcp $HOME_NET 7000 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,snoopware.big.brother.3.5.1.conn.cts; content:"HBand"; depth:6; nocase; content:"ZBM"; distance:0; nocase; pcre:"/^HBand,[^\r\n]*,[^\r\n]*,\d+,\d+\x2A\xD5ZBM/smi"; metadata:policy security-ips alert; classtype:successful-recon-limited; 7603 SPYWARE-PUT Snoopware big brother v3.5.1 runtime detection - connect to receiver www3.ca.com/securityadvisor/pest/pest.aspx?id=45916 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"10040"; depth:5; flowbits:set,katux20.2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7604 BACKDOOR katux 2.0 runtime detection - screen capture - flowbit set trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,katux20.2; content:"000Ecran captur|E9|, transfert lanc|E9|..."; depth:36; metadata:policy security-ips drop; classtype:trojan-activity; 7605 BACKDOOR katux 2.0 runtime detection - screen capture www3.ca.com/securityadvisor/pest/pest.aspx?id=453077310 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"001"; depth:3; flowbits:set,katux20.3; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7606 BACKDOOR katux 2.0 runtime detection - get system info - flowbit set trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,katux20.3; content:"001"; depth:3; content:"Version serveur|3A| Katux 2"; distance:0; metadata:policy security-ips drop; classtype:trojan-activity; 7607 BACKDOOR katux 2.0 runtime detection - get system info www3.ca.com/securityadvisor/pest/pest.aspx?id=453077310 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"07415"; depth:5; flowbits:set,katux20.4; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7608 BACKDOOR katux 2.0 runtime detection - chat - flowbit set trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,katux20.4; content:"000Chat ouvert..."; depth:17; metadata:policy security-ips drop; classtype:trojan-activity; 7609 BACKDOOR katux 2.0 runtime detection - chat www3.ca.com/securityadvisor/pest/pest.aspx?id=453077310 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 7424 flow:to_server,established; content:"|0C 00 18 00 01 02 03 04 05 06 07 08 01 02 03 04 05 06 07 08 01 02 03 04 05 06 07 08|"; depth:28; flowbits:set,remote.control.1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7620 BACKDOOR remote control 1.7 runtime detection - connection request flowbit 1 trojan-activity tcp $HOME_NET 7424 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,remote.control.1; content:"|10 00|"; depth:2; flowbits:set,remote.control.2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7621 BACKDOOR remote control 1.7 runtime detection - connection request - flowbit 2 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 7424 flow:to_server,established; flowbits:isset,remote.control.2; content:"|1D 00 03 00|"; depth:4; flowbits:set,remote.control.3; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7622 BACKDOOR remote control 1.7 runtime detection - connection request - flowbit 3 trojan-activity tcp $HOME_NET 7424 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,remote.control.3; content:"|03 00|"; depth:2; metadata:policy security-ips drop; classtype:trojan-activity; 7623 BACKDOOR remote control 1.7 runtime detection - connection request www3.ca.com/securityadvisor/pest/pest.aspx?id=453080063 trojan-activity tcp $HOME_NET 7425 -> $EXTERNAL_NET any flow:from_server,established; content:"|19 00 C8 00 01 00|"; depth:6; metadata:policy security-ips alert; classtype:trojan-activity; 7624 BACKDOOR remote control 1.7 runtime detection - data communication www3.ca.com/securityadvisor/pest/pest.aspx?id=453080063 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"*SPORT*"; depth:7; flowbits:set,skyrat.1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7625 BACKDOOR skyrat show runtime detection - initial connection - flowbit 1 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,skyrat.1; content:"*PORT1*"; depth:7; pcre:"/^\x2APORT1\x2A\d+/"; flowbits:set,skyrat.2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7626 BACKDOOR skyrat show runtime detection - initial connection - flowbit 2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,skyrat.2; content:"*PORT2*"; depth:7; pcre:"/^\x2APORT2\x2A\d+/"; flowbits:set,skyrat.3; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7627 BACKDOOR skyrat show runtime detection - initial connection - flowbit 3 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,skyrat.3; content:"*PORT3*"; depth:7; pcre:"/^\x2APORT3\x2A\d+/"; flowbits:set,skyrat.4; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7628 BACKDOOR skyrat show runtime detection - initial connection - flowbit 4 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,skyrat.4; content:"*portok*"; depth:8; metadata:policy security-ips drop; classtype:trojan-activity; 7629 BACKDOOR skyrat show runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453081105 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"100|8D|"; depth:4; content:"|8D|3.1|8D|1|8F|"; distance:0; metadata:policy security-ips drop; classtype:trojan-activity; 7630 BACKDOOR helios 3.1 runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453074473 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"007r"; depth:4; flowbits:set,hornet.2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7631 BACKDOOR hornet 1.0 runtime detection - fetch system info - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,hornet.2; content:"007Server"; depth:9; metadata:policy security-ips drop; classtype:trojan-activity; 7632 BACKDOOR hornet 1.0 runtime detection - fetch system info www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"006cb"; depth:5; flowbits:set,hornet.3; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7633 BACKDOOR hornet 1.0 runtime detection - irc connection - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,hornet.3; content:"006cb"; depth:5; metadata:policy security-ips drop; classtype:trojan-activity; 7634 BACKDOOR hornet 1.0 runtime detection - irc connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"008g"; depth:4; flowbits:set,hornet.4; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7635 BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,hornet.4; content:"008"; depth:3; metadata:policy security-ips drop; classtype:trojan-activity; 7636 BACKDOOR hornet 1.0 runtime detection - fetch processes list www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; http_uri; content:"from=Hornet+Server"; nocase; content:"fromemail=Hornet"; distance:0; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7637 BACKDOOR hornet 1.0 runtime detection - icq notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; content:"xV4|12 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:24; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7638 BACKDOOR ncph runtime detection - initial connection www.mmbest.com/Software/Catalog3/1477.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/air/notify/mail.php?"; nocase; http_uri; content:"controlport="; nocase; http_uri; content:"webserverport="; nocase; http_uri; content:"to="; nocase; http_uri; content:"ip="; nocase; http_uri; metadata:policy security-ips drop; classtype:trojan-activity; 7640 BACKDOOR air runtime detection - webmail notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453076794 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 6116 flow:to_server,established; pcre:"/^\d+\x01/smi"; flowbits:set,AM_Remote_Client; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7641 BACKDOOR am remote client runtime detection - client-to-server www.megasecurity.org/trojans/a/amrc/Amrc1.1.html trojan-activity tcp $HOME_NET 6116 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,AM_Remote_Client; pcre:"/^\d+\x01/smi"; metadata:policy security-ips alert; classtype:trojan-activity; 7642 BACKDOOR am remote client runtime detection - server-to-client www.megasecurity.org/trojans/a/amrc/Amrc1.1.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1981 flow:to_server,established; content:"L'esclave"; nocase; pcre:"/^\d+L\x27esclave\x09\d+\x09\d+/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 7644 BACKDOOR ullysse runtime detection - client-to-server www3.ca.com/securityadvisor/pest/pest.aspx?id=453075739 trojan-activity tcp $EXTERNAL_NET 666 -> $HOME_NET 667 flow:to_server,established; content:"cmdping"; depth:7; nocase; flowbits:set,snipernet; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7645 BACKDOOR snipernet 2.1 runtime detection - flowbit set www.megasecurity.org/trojans/s/snipernet/Snipernet2.1.html trojan-activity tcp $HOME_NET 667 -> $EXTERNAL_NET 666 flow:from_server,established; flowbits:isset,snipernet; content:"pingback"; depth:8; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 7646 BACKDOOR snipernet 2.1 runtime detection www.megasecurity.org/trojans/s/snipernet/Snipernet2.1.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 1024: flow:to_server,established; content:"|04 03 02 01|"; depth:4; nocase; flowbits:set,MinicomLite; flowbits:noalert; classtype:trojan-activity; 7648 BACKDOOR minicom lite runtime detection - client-to-server www.spywareguide.com/product_show.php?id=910 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1024: flow:to_server,established; content:"Pass-On"; depth:7; nocase; flowbits:set,smalluploader_conn; flowbits:noalert; classtype:trojan-activity; 7650 BACKDOOR small uploader 1.01 runtime detection - initial connection - flowbit set trojan-activity tcp $HOME_NET 7777 -> $EXTERNAL_NET any flow:from_server,established; content:"++Conectado a"; depth:13; metadata:policy security-ips drop; classtype:trojan-activity; 7658 BACKDOOR jodeitor 1.1 runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453077303 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; content:"pci"; depth:3; content:"|08 08 08 08 08 08 08 08|"; distance:0; metadata:policy security-ips drop; classtype:trojan-activity; 7659 BACKDOOR lan filtrator 1.1 runtime detection - sin notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453074827 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; content:"|B4 AF 29 AE|LANfiltrator|AE 28 AF|`"; depth:20; flowbits:set,LanFiltrator_InitConnectionRequest; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7660 BACKDOOR lan filtrator 1.1 runtime detection - initial connection request - flowbit set trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_client,established; flowbits:isset,LanFiltrator_InitConnectionRequest; content:"id_id"; depth:5; metadata:policy security-ips drop; classtype:trojan-activity; 7661 BACKDOOR lan filtrator 1.1 runtime detection - initial connection request www3.ca.com/securityadvisor/pest/pest.aspx?id=453074827 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1784 flow:to_server,established; content:"VER "; depth:4; flowbits:set,Snid_X2_InitConnection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7662 BACKDOOR snid x2 v1.2 runtime detection - initial connection - flowbit set trojan-activity tcp $HOME_NET 1784 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Snid_X2_InitConnection; content:"Snid X2 Server"; depth:14; metadata:policy security-ips drop; classtype:trojan-activity; 7663 BACKDOOR snid x2 v1.2 runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=5567 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 2208 flow:to_server,established; content:"/"; depth:1; content:"R"; depth:1; offset:2; nocase; pcre:"/^\x2F[GL]R/smi"; flowbits:set,ScreenControl_conn; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7664 BACKDOOR screen control 1.0 runtime detection - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930 trojan-activity tcp $HOME_NET 2208 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,ScreenControl_conn; content:"/LO"; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7665 BACKDOOR screen control 1.0 runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930 trojan-activity tcp $HOME_NET 2208 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,ScreenControl_conn; content:"/GR"; nocase; pcre:"/\x2FGR\d+\x3B\d+/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 7667 BACKDOOR screen control 1.0 runtime detection - capture on port 2208 www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 2213 flow:to_server,established; content:"a"; flowbits:set,ScreenControl_capture2213; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7668 BACKDOOR screen control 1.0 runtime detection - capture on port 2213 - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930 trojan-activity tcp $HOME_NET 2213 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,ScreenControl_capture2213; content:"|00|2|00 00|x|9C ED|"; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 7669 BACKDOOR screen control 1.0 runtime detection - capture on port 2213 www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 19850 flow:to_server,established; content:"<password>"; depth:10; nocase; content:"</password>"; distance:0; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7670 BACKDOOR digital upload runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453068131 trojan-activity tcp $HOME_NET 19850 -> $EXTERNAL_NET any flow:from_server,established; content:"<chat>"; nocase; content:"</chat>"; nocase; pcre:"/\x3Cchat\x3E[^\r\n]*\x3C\x2Fchat\x3E/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 7671 BACKDOOR digital upload runtime detection - chat www3.ca.com/securityadvisor/pest/pest.aspx?id=453068131 trojan-activity tcp $HOME_NET 32222 -> $EXTERNAL_NET any flow:from_server,established; content:"Connected"; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7672 BACKDOOR remoter runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=53155 trojan-activity tcp $HOME_NET 1001 -> $EXTERNAL_NET any flow:from_server,established; content:"CONN"; depth:4; nocase; flowbits:set,RemoteHAVOC_conn.1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7673 BACKDOOR remote havoc runtime detection - flowbit set 1 www.spywareguide.com/product_show.php?id=863 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1001 flow:to_server,established; flowbits:isset,RemoteHAVOC_conn.1; content:"REFR"; depth:4; flowbits:set,RemoteHAVOC_conn.2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7674 BACKDOOR remote havoc runtime detection - flowbit set 2 www.spywareguide.com/product_show.php?id=863 trojan-activity tcp $HOME_NET 1001 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,RemoteHAVOC_conn.2; content:"LIST"; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7675 BACKDOOR remote havoc runtime detection www.spywareguide.com/product_show.php?id=863 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|7C|ENUMDRVS|7C|"; depth:10; nocase; flowbits:set,CoolRemoteControl_conn; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7676 BACKDOOR cool remote control or crackdown runtime detection - initial connection - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,CoolRemoteControl_conn; content:"|7C|DRVS|7C|"; depth:6; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7677 BACKDOOR cool remote control or crackdown runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 11977 flow:to_server,established; content:"|7C|PUTFILE|7C|"; nocase; flowbits:set,CoolRemoteControl_upload; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7678 BACKDOOR cool remote control 1.12 runtime detection - upload file - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314 trojan-activity tcp $HOME_NET 11977 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,CoolRemoteControl_upload; content:"|7C|COMPLETEPUTFILE|7C|"; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7679 BACKDOOR cool remote control 1.12 runtime detection - upload file www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 11977 flow:to_server,established; content:"|7C|GETFILE|7C|"; nocase; flowbits:set,CoolRemoteControl_Download.1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7680 BACKDOOR cool remote control 1.12 runtime detection - download file - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314 trojan-activity tcp $HOME_NET 11977 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,CoolRemoteControl_Download.1; content:"|7C|FILESIZE|7C|"; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7681 BACKDOOR cool remote control 1.12 runtime detection - download file www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 12345 flow:to_server,established; content:"TROJAN"; depth:6; nocase; flowbits:set,acid_head_conn_step1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7682 BACKDOOR acid head 1.00 runtime detection - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=71371 trojan-activity tcp $HOME_NET 12345 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,acid_head_conn_step1; content:"1.6"; depth:3; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7683 BACKDOOR acid head 1.00 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=71371 trojan-activity tcp $HOME_NET 567 -> $EXTERNAL_NET any flow:from_server,established; content:"hRat"; depth:4; nocase; content:"are"; distance:0; nocase; content:"ready"; distance:0; nocase; content:"Server"; distance:0; nocase; content:"version"; distance:0; nocase; pcre:"/^hRat\s+are\s+ready\s+-\>\s+Server\s+version/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 7684 BACKDOOR hrat 1.0 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453073815 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 5024 flow:to_server,established; content:"104"; depth:3; flowbits:set,Illusion_Info; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7685 BACKDOOR illusion runtime detection - get remote info client-to-server www3.ca.com/securityadvisor/pest/pest.aspx?id=453077268 trojan-activity tcp $EXTERNAL_NET 5024 -> $HOME_NET any flow:from_server,established; flowbits:isset,Illusion_Info; content:"023"; metadata:policy security-ips drop; classtype:trojan-activity; 7686 BACKDOOR illusion runtime detection - get remote info server-to-client www3.ca.com/securityadvisor/pest/pest.aspx?id=453077268 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 5024 flow:to_server,established; content:"[LOAD DRIVE DATA]"; flowbits:set,Illusion_File; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7687 BACKDOOR illusion runtime detection - file browser client-to-server www3.ca.com/securityadvisor/pest/pest.aspx?id=453077268 trojan-activity tcp $EXTERNAL_NET 5024 -> $HOME_NET any flow:from_server,established; flowbits:isset,Illusion_File; content:"[DRIVE"; nocase; content:"LIST]"; nocase; pcre:"/\x5BDRIVE\s+LIST\x5D/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 7688 BACKDOOR illusion runtime detection - file browser server-to-client www3.ca.com/securityadvisor/pest/pest.aspx?id=453077268 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; content:"IDENTIFY"; depth:8; pcre:"/^IDENTIFY\s+\x23\s+\d+\x2E\d+\x2E\d+\x2E\d+\s+\x23\s+/"; metadata:policy security-ips drop; classtype:trojan-activity; 7689 BACKDOOR evade runtime detection - initial connection www.megasecurity.org/trojans/e/evade/Evade1.1b.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 9999 flow:to_server,established; content:"DRIVECHANGE +"; flowbits:set,Evade_File_Manager1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7690 BACKDOOR evade runtime detection - file manager - flowbit set www.megasecurity.org/trojans/e/evade/Evade1.1b.html trojan-activity tcp $EXTERNAL_NET 9999 -> $HOME_NET any flow:from_server,established; flowbits:isset,Evade_File_Manager1; content:"FRESH +"; metadata:policy security-ips alert; classtype:trojan-activity; 7691 BACKDOOR evade runtime detection - file manager www.megasecurity.org/trojans/e/evade/Evade1.1b.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 80 flow:to_server,established; content:"ip="; nocase; http_uri; content:"port="; nocase; http_uri; content:"id=Exception"; nocase; http_uri; content:"ver=Exception"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"os="; nocase; http_uri; content:"conn="; nocase; http_uri; content:"cpu="; nocase; http_uri; content:"user="; nocase; http_uri; metadata:policy security-ips drop; classtype:trojan-activity; 7692 BACKDOOR exception 1.0 runtime detection - notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453077099 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"spass|3A|"; depth:6; nocase; flowbits:set,hanky_conn1; flowbits:noalert; classtype:trojan-activity; 7695 BACKDOOR hanky panky 1.1 runtime detection - initial connection - flowbit set 1 www3.ca.com/securityadvisor/pest/pest.aspx?id=453077209 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; flowbits:isset,hanky_conn1; content:"spas1|3A|"; depth:6; nocase; flowbits:set,hanky_conn2; flowbits:noalert; classtype:trojan-activity; 7696 BACKDOOR hanky panky 1.1 runtime detection - initial connection - flowbit set 2 www3.ca.com/securityadvisor/pest/pest.aspx?id=453077209 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 3100 flow:to_server,established; content:"APP"; flowbits:set,BrAin_Wiper_LaunchApplication; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7698 BACKDOOR brain wiper runtime detection - launch application - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=453068367 trojan-activity tcp $HOME_NET 3100 -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,BrAin_Wiper_LaunchApplication; content:"Program Launched"; depth:16; metadata:policy security-ips drop; classtype:trojan-activity; 7699 BACKDOOR brain wiper runtime detection - launch application www3.ca.com/securityadvisor/pest/pest.aspx?id=453068367 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 3100 flow:to_server,established; content:"ChatCHA"; depth:7; flowbits:set,BrAin_Wiper_Chat; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7700 BACKDOOR brain wiper runtime detection - chat - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=453068367 trojan-activity tcp $HOME_NET 3100 -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,BrAin_Wiper_Chat; content:"Chat dialog opened"; depth:18; metadata:policy security-ips drop; classtype:trojan-activity; 7701 BACKDOOR brain wiper runtime detection - chat www3.ca.com/securityadvisor/pest/pest.aspx?id=453068367 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1111 flow:to_server,established; content:"|A2 D0 D4 D6 DF C1 E1 D5 D6 DC BB DC CE D7|"; depth:14; flowbits:set,Roach_RemoteControlActions; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7702 BACKDOOR roach 1.0 runtime detection - remote control actions - flowbit set trojan-activity tcp $HOME_NET 1111 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Roach_RemoteControlActions; content:"|A2 D0 D4 D6 DF C1 E1 D5 D6 DC BB DC CE D7|"; depth:14; metadata:policy security-ips drop; classtype:trojan-activity; 7703 BACKDOOR roach 1.0 runtime detection - remote control actions www3.ca.com/securityadvisor/pest/pest.aspx?id=453075964 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/roach/mail.php"; nocase; http_uri; content:"port="; nocase; http_uri; content:"name="; nocase; http_uri; content:"pw="; nocase; http_uri; content:"lanby="; nocase; http_uri; content:"to="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.kornputers.com"; nocase; http_header; metadata:policy security-ips drop; classtype:trojan-activity; 7704 BACKDOOR roach 1.0 server installation notification - email www3.ca.com/securityadvisor/pest/pest.aspx?id=453075964 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:to_server,established; content:"Instant"; nocase; content:"Remote"; distance:0; nocase; content:"Control"; distance:0; nocase; content:"Service"; distance:0; nocase; pcre:"/Instant\s+Remote\s+Control\s+Service/smi"; flowbits:set,Omniquad_IRC_InitConnection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7705 BACKDOOR omniquad instant remote control runtime detection - initial connection - flowbit set trojan-activity tcp $HOME_NET 445 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Omniquad_IRC_InitConnection; content:"|00 00 00|h|FF|SMB%|00 00 00|"; metadata:policy security-ips alert; classtype:trojan-activity; 7706 BACKDOOR omniquad instant remote control runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453080053 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 445 flow:to_server,established; content:"Welcome"; nocase; content:"to"; distance:0; nocase; content:"the"; distance:0; nocase; content:"Omniquad"; distance:0; nocase; content:"File"; distance:0; nocase; content:"Transfer"; distance:0; nocase; content:"Server"; distance:0; nocase; pcre:"/Welcome\s+to\s+the\s+Omniquad\s+File\s+Transfer\s+Server/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 7707 BACKDOOR omniquad instant remote control runtime detection - file transfer setup www3.ca.com/securityadvisor/pest/pest.aspx?id=453080053 trojan-activity tcp $HOME_NET 8811 -> $EXTERNAL_NET any flow:from_server,established; content:"connected"; nocase; flowbits:set,Fear15_conn.1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7708 BACKDOOR fear1.5/aciddrop1.0 runtime detection - initial connection - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 8811 flow:to_server,established; flowbits:isset,Fear15_conn.1; content:"listdrives"; nocase; flowbits:set,Fear15_conn.2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7709 BACKDOOR fear1.5/aciddrop1.0 runtime detection - initial connection - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106 trojan-activity tcp $HOME_NET 8811 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Fear15_conn.2; content:"Drive"; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7710 BACKDOOR fear1.5/aciddrop1.0 runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 33229 flow:to_server,established; content:"["; depth:1; content:"]"; distance:0; pcre:"/^\[[A-z]+\]/si"; metadata:policy security-ips alert; classtype:trojan-activity; 7711 BACKDOOR amitis runtime command detection attacker to victim www3.ca.com/securityadvisor/pest/pest.aspx?id=453072405 trojan-activity tcp $HOME_NET 33229 -> $EXTERNAL_NET any flow:to_client,established; content:"["; depth:1; content:"]"; distance:0; pcre:"/^\[[A-z]+\]/si"; metadata:policy security-ips alert; classtype:trojan-activity; 7712 BACKDOOR amitis runtime detection victim to attacker www3.ca.com/securityadvisor/pest/pest.aspx?id=453072405 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"From|3A|"; nocase; content:"Amitis"; distance:0; content:"1.3"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"Server"; distance:0; nocase; content:"information"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*Amitis\s+1\x2E3.*Subject\x3A[^\r\n]*Server\s+information/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 7713 BACKDOOR amitis v1.3 runtime detection - email notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453075097 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"passed"; depth:6; nocase; flowbits:set,backdoor.NetDevil.conn.step1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7714 BACKDOOR netdevil runtime detection - flowbit set 1 www3.ca.com/securityadvisor/pest/pest.aspx?id=27557 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; flowbits:isset,backdoor.NetDevil.conn.step1; content:"version"; depth:7; nocase; flowbits:set,backdoor.NetDevil.conn.step2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7715 BACKDOOR netdevil runtime detection - flowbit set 2 www3.ca.com/securityadvisor/pest/pest.aspx?id=27557 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,backdoor.NetDevil.conn.step2; content:"ver"; nocase; pcre:"/^ver\d+\x2E\d+/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 7716 BACKDOOR netdevil runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=27557 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"The"; depth:3; nocase; content:"Snake"; distance:0; nocase; content:"Trojan"; distance:0; nocase; pcre:"/^The\s+Snake\s+Trojan/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 7717 BACKDOOR snake trojan runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453078423 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"0|11 00 00|"; depth:4; content:"333333|13|@"; offset:8; flowbits:set,DameWareMiniRemoteControl_InitConnection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7718 BACKDOOR dameware mini remote control runtime detection - initial connection - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=453060041 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; flowbits:isset,DameWareMiniRemoteControl_InitConnection; content:"0|11 00 00 00 00 00 00|333333|13|@|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:30; metadata:policy security-ips drop; classtype:trojan-activity; 7719 BACKDOOR dameware mini remote control runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453060041 trojan-activity tcp $HOME_NET 5110 -> $EXTERNAL_NET any flow:from_server,established; content:"Sifre_Korumasi"; depth:14; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7721 BACKDOOR prorat 1.9 initial connection detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453082779 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; content:"PORT="; depth:5; content:"Victim="; distance:0; pcre:"/^PORT\x3D\d+\x2AVictim\x3D/"; metadata:policy security-ips drop; classtype:trojan-activity; 7724 BACKDOOR reversable ver1.0 runtime detection - initial connection - flowbit set trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_client,established; content:"EXECUT"; depth:6; flowbits:set,ReVerSaBle_ExecuteCommand; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7726 BACKDOOR reversable ver1.0 runtime detection - execute command - flowbit set trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; flowbits:isset,ReVerSaBle_ExecuteCommand; content:"COMMENFile"; depth:10; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 7727 BACKDOOR reversable ver1.0 runtime detection - execute command www.megasecurity.org/trojans/r/reversable/Reversable1.0.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|01 00 00 00 01 00 00 00 08 08|"; depth:10; flowbits:set,Radmin; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7728 BACKDOOR radmin runtime detection - client-to-server www3.ca.com/securityadvisor/pest/pest.aspx?id=453086368 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Radmin; content:"|01 00 00 00|%|00 00 01 10 08 01 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:46; metadata:policy security-ips drop; classtype:trojan-activity; 7729 BACKDOOR radmin runtime detection - server-to-client www3.ca.com/securityadvisor/pest/pest.aspx?id=453086368 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 5005 flow:to_server,established; content:"Sin"; nocase; pcre:"/^Sin[^\r\n]*\/[^\r\n]*\x0D\x0A\d+\x0D\x0A/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 7730 BACKDOOR outbreak_0.2.7 runtime detection - reverse connection www.megasecurity.org/trojans/o/outbreak/Outbreak0.2.7.html trojan-activity tcp $EXTERNAL_NET 5005 -> $HOME_NET any flow:from_server,established; content:"SINFO"; nocase; pcre:"/^SINFO\x3B\d+\x3B/smi"; flowbits:set,outbreak_ring_stc; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7731 BACKDOOR outbreak_0.2.7 runtime detection - ring server-to-client www.megasecurity.org/trojans/o/outbreak/Outbreak0.2.7.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 5005 flow:to_server,established; flowbits:isset,outbreak_ring_stc; content:"SINFO"; nocase; content:"PONG"; distance:0; nocase; pcre:"/^SINFO\x3B[^\r\n]{1,20}\x3BPONG\x3B/smi"; metadata:policy security-ips alert; classtype:trojan-activity; 7732 BACKDOOR outbreak_0.2.7 runtime detection - ring client-to-server www.megasecurity.org/trojans/o/outbreak/Outbreak0.2.7.html trojan-activity tcp $EXTERNAL_NET 5005 -> $HOME_NET any flow:from_server,established; content:"CON"; nocase; pcre:"/^CON\w{1,10}\d+\xAE[^\r\n]{1,20}\x3B/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 7733 BACKDOOR outbreak_0.2.7 runtime detection - initial connection www.megasecurity.org/trojans/o/outbreak/Outbreak0.2.7.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|05 00 00 00|1|00 01 00 01 FD 12 00|"; depth:12; flowbits:set,BioNet4_05_BE; flowbits:noalert; classtype:trojan-activity; 7734 BACKDOOR bionet 4.05 runtime detection - initial connection - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=453072406 trojan-activity tcp $HOME_NET 4444 -> $EXTERNAL_NET any flow:from_server,established; content:"accept|3A|"; depth:7; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7738 BACKDOOR alexmessomalex runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=45547 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 4444 flow:to_server,established; content:"grab|3A|"; depth:5; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 7739 BACKDOOR alexmessomalex runtime detection - grab www3.ca.com/securityadvisor/pest/pest.aspx?id=45547 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"Passed"; depth:6; nocase; flowbits:set,nova_conn_1; flowbits:noalert; classtype:trojan-activity; 7740 BACKDOOR nova 1.0 runtime detection - initial connection with pwd set - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=453073030 trojan-activity tcp $HOME_NET 7410 -> $EXTERNAL_NET any flow:from_server,established; content:"MSG00020"; depth:8; flowbits:set,Phoenix_InitConnection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7744 BACKDOOR phoenix 2.1 runtime detection - flowbit set trojan-activity tcp $HOME_NET 7410 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Phoenix_InitConnection; content:"The Phoenix is ready"; depth:20; metadata:policy security-ips drop; classtype:trojan-activity; 7745 BACKDOOR phoenix 2.1 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453079790 trojan-activity tcp $HOME_NET 4321 -> $EXTERNAL_NET any flow:from_server,established; content:"Password|3A|"; depth:9; flowbits:set,BoBo_InitConnection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7746 BACKDOOR bobo 1.0 runtime detection - initial connection - flowbit set trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 4321 flow:to_server,established; flowbits:isset,BoBo_InitConnection; content:"zdorovo"; depth:7; metadata:policy security-ips drop; classtype:trojan-activity; 7747 BACKDOOR bobo 1.0 runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453076842 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 4321 flow:to_server,established; content:"Send Message"; depth:12; flowbits:set,BoBo_SendMessages; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7748 BACKDOOR bobo 1.0 runtime detection - send message - flowbit set trojan-activity tcp $HOME_NET 4321 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,BoBo_SendMessages; content:"Message shown.|00|finish line|00|"; depth:27; metadata:policy security-ips drop; classtype:trojan-activity; 7749 BACKDOOR bobo 1.0 runtime detection - send message www3.ca.com/securityadvisor/pest/pest.aspx?id=453076842 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"*PASS*"; depth:6; flowbits:set,BuschTrommel_InitConnection1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7750 BACKDOOR buschtrommel 1.22 runtime detection - initial connection - flowbit set 1 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; flowbits:isset,BuschTrommel_InitConnection1; content:"ver"; depth:3; flowbits:set,BuschTrommel_InitConnection2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7751 BACKDOOR buschtrommel 1.22 runtime detection - initial connection - flowbit set 2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,BuschTrommel_InitConnection2; content:"*VER1.22|28|REI|29|"; metadata:policy security-ips drop; classtype:trojan-activity; 7752 BACKDOOR buschtrommel 1.22 runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=20757 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"GETIT"; depth:5; flowbits:set,BuschTrommel_SpyFunction1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7753 BACKDOOR buschtrommel 1.22 runtime detection - spy function - flowbit set 1 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,BuschTrommel_SpyFunction1; content:"{PLTS}"; depth:6; flowbits:set,BuschTrommel_SpyFunction2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7754 BACKDOOR buschtrommel 1.22 runtime detection - spy function - flowbit set 2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,BuschTrommel_SpyFunction2; content:"{FTPL}"; depth:6; metadata:policy security-ips drop; classtype:trojan-activity; 7755 BACKDOOR buschtrommel 1.22 runtime detection - spy function www3.ca.com/securityadvisor/pest/pest.aspx?id=20757 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|F5 CB C9 CF C6 F5 C8 C8 CE C7 F5|"; depth:11; content:"|F5 D5 D1 D5 F5|"; distance:0; metadata:policy security-ips alert; classtype:trojan-activity; 7758 BACKDOOR glacier runtime detection - initial connection and directory browse www.symantec.com/avcenter/attack_sigs/s20302.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|F5 CA C7 C7 C6 F5 C8 C8 CE C7 F5|"; depth:11; metadata:policy security-ips alert; classtype:trojan-activity; 7759 BACKDOOR glacier runtime detection - screen capture www.symantec.com/avcenter/attack_sigs/s20302.html trojan-activity udp $HOME_NET any -> $EXTERNAL_NET any content:"|00 00 00 00 00 00 00 82|"; depth:8; offset:17; metadata:policy security-ips alert; classtype:trojan-activity; 7760 BACKDOOR netthief runtime detection www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=16078 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 6767 flow:to_server,established; content:"|3B|ServicesStatus"; nocase; pcre:"/^\x3BServicesStatus\x3B(All|Active|Inactive)Services/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 7763 BACKDOOR nt remote controller 2000 runtime detection - services client-to-server www3.ca.com/securityadvisor/pest/pest.aspx?id=453075691 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 6767 flow:to_server,established; content:"|3B|SystemInfo"; nocase; flowbits:set,NT_Remote_Controller_2000_Sysinfo1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7764 BACKDOOR nt remote controller 2000 runtime detection - sysinfo client-to-server www3.ca.com/securityadvisor/pest/pest.aspx?id=453075691 trojan-activity tcp $HOME_NET 6767 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,NT_Remote_Controller_2000_Sysinfo1; content:"SystemInfo|3B|"; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7765 BACKDOOR nt remote controller 2000 runtime detection - sysinfo server-to-client www3.ca.com/securityadvisor/pest/pest.aspx?id=453075691 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 6767 flow:to_server,established; content:"|3B|FolderMonitor"; nocase; flowbits:set,NT_Remote_Controller_2000_FolderMonitor; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7766 BACKDOOR nt remote controller 2000 runtime detection - foldermonitor client-to-server www3.ca.com/securityadvisor/pest/pest.aspx?id=453075691 trojan-activity tcp $HOME_NET 6767 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,NT_Remote_Controller_2000_FolderMonitor; content:"FolderMonitor|3B|"; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7767 BACKDOOR nt remote controller 2000 runtime detection - foldermonitor server-to-client www3.ca.com/securityadvisor/pest/pest.aspx?id=453075691 trojan-activity tcp $EXTERNAL_NET 877 -> $HOME_NET 876 flow:established; content:"getserverinfo|7C|"; depth:14; flowbits:set,Messiah_GetServerInfoA; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7770 BACKDOOR messiah 4.0 runtime detection - get server info - flowbit set trojan-activity tcp $HOME_NET 876 -> $EXTERNAL_NET 877 flow:to_server,established; flowbits:isset,Messiah_GetServerInfoA; content:"serverinformation|7C|"; depth:18; metadata:policy security-ips drop; classtype:trojan-activity; 7771 BACKDOOR messiah 4.0 runtime detection - get server info www3.ca.com/securityadvisor/pest/pest.aspx?id=453077400 trojan-activity tcp $EXTERNAL_NET 877 -> $HOME_NET 876 flow:established; content:"enablekey|7C|"; depth:10; flowbits:set,Messiah_EnableKeyloggerA; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7772 BACKDOOR messiah 4.0 runtime detection - enable keylogger - flowbit set trojan-activity tcp $HOME_NET 876 -> $EXTERNAL_NET 877 flow:to_server,established; flowbits:isset,Messiah_EnableKeyloggerA; content:"kcaption|7C|"; depth:9; metadata:policy security-ips drop; classtype:trojan-activity; 7773 BACKDOOR messiah 4.0 runtime detection - enable keylogger www3.ca.com/securityadvisor/pest/pest.aspx?id=453077400 trojan-activity tcp $EXTERNAL_NET 877 -> $HOME_NET 876 flow:established; content:"getscreen|7C|"; depth:10; flowbits:set,Messiah_ScreenCaptureA; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7774 BACKDOOR messiah 4.0 runtime detection - screen capture - flowbit set trojan-activity tcp $HOME_NET 876 -> $EXTERNAL_NET 877 flow:to_server,established; flowbits:isset,Messiah_ScreenCaptureA; content:"Downloadscreen|7C|"; depth:15; metadata:policy security-ips drop; classtype:trojan-activity; 7775 BACKDOOR messiah 4.0 runtime detection - screen capture www3.ca.com/securityadvisor/pest/pest.aspx?id=453077400 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 7080 flow:from_client,established; content:"GET///Drives**"; depth:14; flowbits:set,Messiah_GetDrives; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7776 BACKDOOR messiah 4.0 runtime detection - get drives - flowbit set trojan-activity tcp $HOME_NET 7080 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Messiah_GetDrives; content:"GET///Drives"; depth:12; metadata:policy security-ips drop; classtype:trojan-activity; 7777 BACKDOOR messiah 4.0 runtime detection - get drives www3.ca.com/securityadvisor/pest/pest.aspx?id=453077400 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"|01|elfRAT|04|"; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7778 BACKDOOR elfrat runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=55224 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"get_drives"; nocase; flowbits:set,NetDevil_FileManager; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7782 BACKDOOR netdevil runtime detection - file manager - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=453087652 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,NetDevil_FileManager; content:"get_drives_done"; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7783 BACKDOOR netdevil runtime detection - file manager www3.ca.com/securityadvisor/pest/pest.aspx?id=453087652 trojan-activity udp $HOME_NET any -> $EXTERNAL_NET any content:"RA Broadcast|00|"; depth:13; metadata:policy security-ips drop; classtype:trojan-activity; 7791 BACKDOOR remote anything 5.11.22 runtime detection - victim response www3.ca.com/securityadvisor/pest/pest.aspx?id=453076440 trojan-activity udp $EXTERNAL_NET any -> $HOME_NET any content:"RA Chat|00 00|"; depth:9; metadata:policy security-ips drop; classtype:trojan-activity; 7792 BACKDOOR remote anything 5.11.22 runtime detection - chat with victim www3.ca.com/securityadvisor/pest/pest.aspx?id=453076440 trojan-activity udp $HOME_NET any -> $EXTERNAL_NET any content:"RA Chat|00 00|"; depth:9; metadata:policy security-ips drop; classtype:trojan-activity; 7793 BACKDOOR remote anything 5.11.22 runtime detection - chat with attacker www3.ca.com/securityadvisor/pest/pest.aspx?id=453076440 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"updateinfo"; depth:10; nocase; flowbits:set,backdoor.fraggle.rock.2.0.lite.pc.info; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7794 BACKDOOR fraggle rock 2.0 lite runtime detection - pc info - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=453077120 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"ACS "; depth:4; flowbits:set,InCommand_17_InitConnection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7795 BACKDOOR incommand 1.7 runtime detection - init connection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,InCommand_17_InitConnection; content:"PASSOK"; metadata:policy security-ips drop; classtype:trojan-activity; 7796 BACKDOOR incommand 1.7 runtime detection - init connection www3.ca.com/securityadvisor/pest/pest.aspx?id=44730 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 148 flow:to_server,established; content:"USER inc"; depth:8; flowbits:set,InCommand_17_FileManager_1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7797 BACKDOOR incommand 1.7 runtime detection - file manage 1 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 148 flow:to_server,established; flowbits:isset,InCommand_17_FileManager_1; content:"PASS InClientMainPassword"; depth:25; metadata:policy security-ips drop; classtype:trojan-activity; 7798 BACKDOOR incommand 1.7 runtime detection - file manage 1 www3.ca.com/securityadvisor/pest/pest.aspx?id=44730 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 9401 flow:to_server,established; content:"USER inc"; depth:8; flowbits:set,InCommand_17_FileManager_2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7799 BACKDOOR incommand 1.7 runtime detection - file manage 2 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 9401 flow:to_server,established; flowbits:isset,InCommand_17_FileManager_2; content:"PASS InClientMainPassword"; depth:25; metadata:policy security-ips drop; classtype:trojan-activity; 7800 BACKDOOR incommand 1.7 runtime detection - file manage 2 www3.ca.com/securityadvisor/pest/pest.aspx?id=44730 trojan-activity udp $EXTERNAL_NET 10220 -> $HOME_NET 10167 flow:to_server; content:"pod"; depth:3; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 7801 BACKDOOR portal of doom runtime detection - udp cts www3.ca.com/securityadvisor/pest/pest.aspx?id=4684 trojan-activity udp $HOME_NET 10167 -> $EXTERNAL_NET 10220 flow:to_client; content:"KeepAlive"; depth:9; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 7802 BACKDOOR portal of doom runtime detection - udp stc www3.ca.com/securityadvisor/pest/pest.aspx?id=4684 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 4201 flow:to_server,established; content:"text|3A|"; depth:5; metadata:policy security-ips drop; classtype:trojan-activity; 7803 BACKDOOR war trojan ver1.0 runtime detection - send messages www3.ca.com/securityadvisor/pest/pest.aspx?id=453075746 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 4201 flow:to_server,established; content:"disablectrlaltdel"; depth:17; metadata:policy security-ips drop; classtype:trojan-activity; 7804 BACKDOOR war trojan ver1.0 runtime detection - disable ctrl+alt+del www3.ca.com/securityadvisor/pest/pest.aspx?id=453075746 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/top100"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"webfringe"; nocase; http_header; metadata:policy security-ips drop; classtype:trojan-activity; 7805 BACKDOOR war trojan ver1.0 runtime detection - ie hijacker www3.ca.com/securityadvisor/pest/pest.aspx?id=453075746 trojan-activity tcp $HOME_NET 6666 -> $EXTERNAL_NET any flow:from_server,established; content:"00000"; nocase; content:"-~-"; distance:0; nocase; pcre:"/^00000\s+-~-\s+/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 7806 BACKDOOR fatal wound 1.0 runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453077104 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 6666 flow:to_server,established; content:"Execute -~-"; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7807 BACKDOOR fatal wound 1.0 runtime detection - execute file www3.ca.com/securityadvisor/pest/pest.aspx?id=453077104 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 6666 flow:to_server,established; content:"File Name -~-"; nocase; flowbits:set,fatalwound_upload; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7808 BACKDOOR fatal wound 1.0 runtime detection - upload www3.ca.com/securityadvisor/pest/pest.aspx?id=453077104 trojan-activity tcp $HOME_NET 6666 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,fatalwound_upload; content:"Send File -~-"; metadata:policy security-ips drop; classtype:trojan-activity; 7809 BACKDOOR fatal wound 1.0 runtime detection - upload www3.ca.com/securityadvisor/pest/pest.aspx?id=453077104 trojan-activity tcp $HOME_NET 23 -> $EXTERNAL_NET any flow:from_server,established; content:" |0D 0A|Vous etes connecte a|3A 0D 0A 0D 0A 00|"; flowbits:set,Abacab; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7811 BACKDOOR abacab runtime detection - telnet initial megasecurity.org/trojans/a/abacab/Abacab0.9beta.html trojan-activity tcp $HOME_NET 23 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Abacab; content:"|00| |23 23 23| |23 23 23| |23| __...--'' ___...--_..' .|3B|.' |3B 0D 0A|"; nocase; content:"CONNECTION|3A 0D 0A| |0D 0A|Veuillez entrer le mot de passe|0D 0A 00|"; distance:0; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7812 BACKDOOR abacab runtime detection - banner megasecurity.org/trojans/a/abacab/Abacab0.9beta.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|7C|55|7C|0|7C|0|7C 7C|"; depth:9; flowbits:set,darkmoon_initial_cts; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7813 BACKDOOR darkmoon initial connection detection - cts securityresponse.symantec.com/avcenter/venc/auto/index/indexD.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,darkmoon_initial_cts; content:"|7C|Connected"; depth:10; nocase; content:"with|3A|"; distance:0; nocase; pcre:"/^\x7CConnected with\x3A\s+\d+\x2E\d+.\d+.\d+/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 7814 BACKDOOR darkmoon initial connection detection - stc securityresponse.symantec.com/avcenter/venc/auto/index/indexD.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; content:"0^0^0^"; depth:6; flowbits:set,darkmoon_reverse_stc; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7815 BACKDOOR darkmoon reverse connection detection - stc securityresponse.symantec.com/avcenter/venc/auto/index/indexD.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; flowbits:isset,darkmoon_reverse_stc; content:"DmInf"; depth:5; nocase; pcre:"/^DmInf\x5E[^\r\n]*\d+\x2E\d+\x2E\d+\x2E\d+\x5E/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 7816 BACKDOOR darkmoon reverse connection detection - cts securityresponse.symantec.com/avcenter/venc/auto/index/indexD.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 146 flow:to_server,established; content:"FC "; depth:3; nocase; flowbits:set,back.infector.v1.0.conn.1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 7817 BACKDOOR infector v1.0 runtime detection - init conn www3.ca.com/securityadvisor/pest/pest.aspx?id=453075657 trojan-activity tcp $HOME_NET 146 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,back.infector.v1.0.conn.1; content:"FC'S TROJAN"; depth:11; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7818 BACKDOOR infector v1.0 runtime detection - init conn www3.ca.com/securityadvisor/pest/pest.aspx?id=453075657 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 1111 flow:to_server,established; content:"|7C|"; depth:1; offset:3; pcre:"/^(?=[abchimoprswx])(acs|bin|c(ap|ls)|h(di|ms|tb)|iex|m(oo|tx|ws)|opn|pwr|rst|s(h[di]|ms|tb|wm)|wrd|xls)\x7C/smi"; metadata:policy security-ips alert; classtype:trojan-activity; 7822 BACKDOOR xbkdr runtime detection www.megasecurity.org/trojans/x/x-bkdr/X-bkdr1.4.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/DataChunksGZ"; fast_pattern; nocase; http_uri; content:"update="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 7823 SPYWARE-PUT Adware whenu runtime detection - datachunksgz www3.ca.com/securityadvisor/pest/pest.aspx?id=453076030 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ClockDB"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"whenu.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*whenu\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7824 SPYWARE-PUT Trickler whenu.clocksync runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453076030 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"program=savenow"; fast_pattern; nocase; http_uri; content:"partner="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; 7825 SPYWARE-PUT Adware whenu.savenow runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453075520 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/WthrPrefs"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"whenu.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*whenu\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7826 SPYWARE-PUT Trickler whenu.weathercast runtime detection - check www3.ca.com/securityadvisor/pest/pest.aspx?id=453074634 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/SearchBar?"; fast_pattern; nocase; http_uri; content:"templ="; nocase; http_uri; content:"num="; nocase; http_uri; content:"app=desktop"; nocase; http_uri; content:"uiv="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"ctr="; nocase; http_uri; content:"cc="; nocase; http_uri; content:"rgn="; nocase; http_uri; content:"sgp="; nocase; http_uri; content:"stp="; nocase; http_uri; content:"cnt="; nocase; http_uri; content:"sid="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 7827 SPYWARE-PUT Adware whenu runtime detection - search request 1 www3.ca.com/securityadvisor/pest/pest.aspx?id=453079971 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/searchb?"; nocase; http_uri; content:"datatype="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"partner="; nocase; http_uri; content:"app=desktop"; fast_pattern; nocase; http_uri; content:"ui="; nocase; http_uri; content:"srchtrig="; nocase; http_uri; content:"pat="; nocase; http_uri; content:"cc="; nocase; http_uri; content:"rgn="; nocase; http_uri; content:"type="; nocase; http_uri; content:"sid="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 7828 SPYWARE-PUT Adware whenu runtime detection - search request 2 www.spywareguide.com/product_show.php?id=2485 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"User-Agent|3A| Gator"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 7829 SPYWARE-PUT Adware gator user-agent detected www3.ca.com/securityadvisor/pest/pest.aspx?id=453094092 trojan-activity tcp $HOME_NET 1174 -> $EXTERNAL_NET any flow:from_server,established; content:"lasd|0A|"; depth:5; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 7830 SPYWARE-PUT Botnet dacryptic runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=26162 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"guid="; nocase; http_uri; content:"affid="; nocase; http_uri; content:"update="; nocase; http_uri; content:"brand="; nocase; http_uri; content:"User-Agent|3A| Message Center"; fast_pattern; nocase; http_header; metadata:policy security-ips drop; classtype:misc-activity; 7831 SPYWARE-PUT Adware downloadplus runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453076008 misc-activity tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"/NetTracker/"; fast_pattern; nocase; http_uri; flowbits:set,NetTrack_Spy_ReportBrowsing; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; 7834 SPYWARE-PUT Hacker-Tool nettracker runtime detection - report browsing misc-activity tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,NetTrack_Spy_ReportBrowsing; content:"NetTracker"; nocase; content:"Sane Solutions"; distance:0; nocase; metadata:policy security-ips alert; classtype:misc-activity; 7835 SPYWARE-PUT Hacker-Tool nettracker runtime detection - report browsing www3.ca.com/securityadvisor/pest/pest.aspx?id=453080821 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"NetTracker"; distance:0; nocase; pcre:"/^X-Mailer\x3A[^\r\n]*NetTracker/smi"; metadata:policy security-ips drop; classtype:misc-activity; 7836 SPYWARE-PUT Hacker-Tool nettracker runtime detection - report send through email www3.ca.com/securityadvisor/pest/pest.aspx?id=453080821 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"From|3A|"; nocase; content:"SpyOuTSiDe@CurrenTChaoS.Tk"; distance:0; nocase; pcre:"/^From\x3A\s+SpyOuTSiDe\x40CurrenTChaoS\x2ETk/smi"; content:"Subject|3A|"; nocase; content:"SpYOuTSiDe"; distance:0; nocase; content:"transmission"; distance:0; nocase; content:"with"; distance:0; nocase; content:"log"; distance:0; nocase; pcre:"/^Subject\x3A\s+\x5B\d+\x5D\x2D\s+SpYOuTSiDe\s+transmission\s+with\s+log\s+\x2D/smi"; metadata:policy security-ips alert; classtype:successful-recon-limited; 7837 SPYWARE-PUT Keylogger spyoutside runtime detection - email delivery securityresponse.symantec.com/avcenter/venc/data/spyware.spyoutside.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/iframe.html"; nocase; http_uri; content:"bisFWB="; nocase; http_uri; content:"sPartnerID="; nocase; http_uri; content:"UID="; nocase; http_uri; content:"rand="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.smileycentral.com"; nocase; http_header; pcre:"/^Host\x3A\s+www\x2Esmileycentral\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7838 SPYWARE-PUT Adware smiley central runtime detection www.spywareguide.com/product_show.php?id=2181 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"RX Bar"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*RX Bar\s+(ver=)?/miH"; metadata:policy security-ips alert, service http; classtype:misc-activity; 7839 SPYWARE-PUT Hijacker rx toolbar runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453094367 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/404/update/instafinktb0302.cfg"; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Visicom"; nocase; http_header; content:"Toolbar"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Visicom\s+Toolbar/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7840 SPYWARE-PUT Hijacker instafinder initial configuration detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453090786 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/error2.asp"; http_uri; content:"err="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; pcre:"/^Host\x3A\s+www\x2Einstafinder\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7841 SPYWARE-PUT Hijacker instafinder error redirect detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453090786 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"From|3A|"; nocase; content:"dialup_vpn@hermangroup.org"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"dialupvpn_pwd"; distance:0; nocase; content:"name="; nocase; content:"reaction.txt"; distance:0; nocase; pcre:"/^From\x3a[^\r\n]*dialup\x5fvpn\x40hermangroup\x2Eorg.*Subject\x3a[^\r\n]*dialupvpn\x5fpwd.*name\x3d[^\r\n]*\x22reaction\x2Etxt\x22/smi"; metadata:policy security-ips drop; classtype:misc-activity; 7842 SPYWARE-PUT Hacker-Tool davps runtime detection www.megasecurity.org/trojans/d/davps/Davps1.0.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/searchresult/"; fast_pattern; nocase; http_uri; content:"lt="; nocase; http_uri; content:"q="; nocase; http_uri; content:"cls="; nocase; http_uri; content:"rid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.yoogee.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Eyoogee\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7843 SPYWARE-PUT Hijacker avenuemedia.dyfuca runtime detection - search engine hijack www.itsecurity.com/security.htm?s=9473&sid=875854b6006d07f08dae34f1b78a4600 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/conf/xml/"; nocase; http_uri; content:"ver="; nocase; content:"rid="; nocase; content:"cls="; nocase; content:"ser="; nocase; content:"signint="; nocase; content:"installt="; nocase; content:"rmods="; nocase; content:"mods="; nocase; content:"iea="; nocase; content:"speed="; nocase; content:"Host|3A|"; nocase; http_header; content:"www.internet-optimizer.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Einternet-optimizer\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7844 SPYWARE-PUT Hijacker avenuemedia.dyfuca runtime detection - post data www.itsecurity.com/security.htm?s=9473&sid=875854b6006d07f08dae34f1b78a4600 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A|"; nocase; content:"Keylogger"; distance:0; nocase; pcre:"/^Subject\x3a[^\r\n]*Keylogger/smi"; flowbits:set,Clogger_SendLogOut1; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 7845 SPYWARE-PUT Keylogger clogger 1.0 runtime detection successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,Clogger_SendLogOut1; content:"|23 23 23 23|"; nocase; content:"Fen|EA|tre |3A|"; distance:0; nocase; content:"|23 23 23 23|"; distance:0; nocase; pcre:"/\x23\x23\x23\x23\s+Fen\xeatre\s+\x3a[^\r\n]*\x23\x23\x23\x23/smi"; flowbits:set,Clogger_SendLogOut2; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 7846 SPYWARE-PUT Keylogger clogger 1.0 runtime detection successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,Clogger_SendLogOut2; content:"<----------- Fin du Fichier ----------- >"; fast_pattern:only; metadata:policy security-ips drop; classtype:successful-recon-limited; 7847 SPYWARE-PUT Keylogger clogger 1.0 runtime detection - send log through email www3.ca.com/securityadvisor/pest/pest.aspx?id=453068235 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/index.cfm"; nocase; http_uri; content:"action="; nocase; http_uri; content:"pc="; nocase; http_uri; content:"Keywords="; nocase; content:"Host|3A|"; nocase; http_header; content:"netguide.grip.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*netguide\x2Egrip\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 7848 SPYWARE-PUT Hijacker netguide runtime detection castlecops.com/tk17754-CursorZone_Grip_Toolbar.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/toolbar.exe"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"tb.freeprod.com"; nocase; http_header; content:"User-Agent|3A|"; nocase; http_header; content:"NSIS_DOWNLOAD"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*NSIS_DOWNLOAD.*Host\x3A[^\r\n]*tb\x2Efreeprod\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7849 SPYWARE-PUT Trickler maxsearch runtime detection - toolbar download www.spywareguide.com/product_show.php?id=2248 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/director/wtd.php"; fast_pattern; nocase; http_uri; content:"uid="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"version="; nocase; http_uri; content:"nocache="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.maxifiles.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Emaxifiles\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7850 SPYWARE-PUT Trickler maxsearch runtime detection - retrieve command www.spywareguide.com/product_show.php?id=2248 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/director/ack.php"; fast_pattern; nocase; http_uri; content:"uid="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"version="; nocase; http_uri; content:"actionname="; nocase; http_uri; content:"action="; nocase; http_uri; content:"success="; nocase; http_uri; content:"debug="; nocase; http_uri; content:"nocache="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.maxifiles.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Emaxifiles\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7851 SPYWARE-PUT Trickler maxsearch runtime detection - ack www.spywareguide.com/product_show.php?id=2248 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/pan/adlogbundle.php"; fast_pattern; nocase; http_uri; content:"bannerid="; nocase; http_uri; content:"zoneid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.adoptim.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Eadoptim\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7852 SPYWARE-PUT Trickler maxsearch runtime detection - advertisement www.spywareguide.com/product_show.php?id=2248 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cp.php"; nocase; http_uri; content:"QoolShown-Popups|3A|"; nocase; content:"QoolShown-Popups-nt|3A|"; fast_pattern:only; content:"Host|3A|"; nocase; http_header; content:"stech.web-nexus.net"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*stech\x2Eweb-nexus\x2Enet/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7853 SPYWARE-PUT Adware web-nexus runtime detection - ad url 1 www.spywareguide.com/product_show.php?id=381 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cconfig.php"; nocase; http_uri; content:"Qool-Uptime|3A|"; nocase; http_header; content:"Win-Version|3A|"; nocase; http_header; content:"QoolIE-Version|3A|"; nocase; content:"Host|3A|"; nocase; http_header; content:"dl.web-nexus.net"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*dl\x2Eweb-nexus\x2Enet/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7854 SPYWARE-PUT Adware web-nexus runtime detection - config retrieval www.spywareguide.com/product_show.php?id=381 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/exclurls.php"; nocase; http_uri; content:"loc="; nocase; http_uri; content:"cid="; nocase; http_uri; content:"eus="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"dl.web-nexus.net"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*dl\x2Eweb-nexus\x2Enet/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 7855 SPYWARE-PUT Adware web-nexus runtime detection - ad url 2 www.spywareguide.com/product_show.php?id=381 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"From|3A|"; nocase; content:"<logs@logs.com>"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*\x3Clogs\x40logs\x2Ecom\x3E/smi"; metadata:policy security-ips drop; classtype:successful-recon-limited; 7857 SPYWARE-PUT Keylogger EliteKeylogger runtime detection www.spywareguide.com/product_show.php?id=814 attempted-dos 2006-3122 udp $HOME_NET any -> $HOME_NET 67 flow:to_server; content:"c|82|Sc"; content:"= "; distance:0; metadata:policy security-ips drop; classtype:attempted-dos; 8056 DOS ISC DHCP server 2 client_id length denial of service attempt www.debian.org/security/2006/dsa-1143 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.asp"; nocase; http_uri; content:"group=autosearch"; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"searches.worldtostart.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*searches\x2Eworldtostart\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 8071 SPYWARE-PUT Hijacker findthewebsiteyouneed runtime detection - search hijack www3.ca.com/securityadvisor/pest/pest.aspx?id=453098705 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/1.asp"; nocase; http_uri; content:"r_t="; nocase; http_uri; content:"rnd="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.internetadvertisingcompany.biz"; nocase; http_header; content:"keyword="; nocase; content:"url="; distance:0; nocase; content:"www%2efindthewebsiteyouneed%2ecom"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*www\x2Einternetadvertisingcompany\x2Ebiz/smiH"; pcre:"/keyword\x3d[^\r\n]*url\x3d[^\r\n]*www\x252efindthewebsiteyouneed\x252ecom/smi"; metadata:policy security-ips alert; classtype:misc-activity; 8072 SPYWARE-PUT Hijacker findthewebsiteyouneed runtime detection - surf monitor www3.ca.com/securityadvisor/pest/pest.aspx?id=453098705 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/smartoffers/so.aspx"; fast_pattern; nocase; http_uri; content:"svc="; nocase; http_uri; content:"opener=rm_zango"; nocase; http_uri; content:"kw="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"resultsmaster.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*resultsmaster\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 8073 SPYWARE-PUT Adware zango toolbar runtime detection www.spywareguide.com/product_show.php?id=2298 trojan-activity tcp $HOME_NET 1327 -> $EXTERNAL_NET any flow:from_server,established; content:"|CE DE B7 A8 B4 F2 BF AA B5 BD D6 F7 BB FA B5 C4 C1 AC BD D3| |D4 DA B6 CB BF DA| 1327 |3A| |C1 AC BD D3 CA A7 B0 DC|"; depth:43; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 8074 BACKDOOR mithril runtime detection - init connection www.megasecurity.org/trojans/m/mithril/Mithril1.45.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1327 flow:to_server,established; content:"sysinfo|0A|"; depth:8; nocase; flowbits:set,Mithril_GetSystemInformation; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 8075 BACKDOOR mithril runtime detection - get system information www.megasecurity.org/trojans/m/mithril/Mithril1.45.html trojan-activity tcp $HOME_NET 1327 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Mithril_GetSystemInformation; content:"|BC C6 CB E3 BB FA C3 FB A3 BA|"; depth:10; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 8076 BACKDOOR mithril runtime detection - get system information www.megasecurity.org/trojans/m/mithril/Mithril1.45.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1327 flow:to_server,established; content:"pslist|0A|"; depth:7; nocase; flowbits:set,Mithril_GetProcessList; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 8077 BACKDOOR mithril runtime detection - get process list www.megasecurity.org/trojans/m/mithril/Mithril1.45.html trojan-activity tcp $HOME_NET 1327 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Mithril_GetProcessList; content:"|BD F8 B3 CC|ID|BA C5 A3 BA| "; depth:20; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 8078 BACKDOOR mithril runtime detection - get process list www.megasecurity.org/trojans/m/mithril/Mithril1.45.html trojan-activity tcp $HOME_NET 2421 -> $EXTERNAL_NET any flow:from_server,established; content:"connected"; depth:9; metadata:policy security-ips drop; classtype:trojan-activity; 8079 BACKDOOR x2a runtime detection - init connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453084136 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/app.txt"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"x-2.gq.nu"; nocase; http_header; metadata:policy security-ips drop; classtype:trojan-activity; 8080 BACKDOOR x2a runtime detection - client update www3.ca.com/securityadvisor/pest/pest.aspx?id=453084136 19951 misc-activity 2006-0001 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"CHNKINK "; metadata:policy security-ips drop; classtype:misc-activity; 8350 WEB-CLIENT pub file download www.microsoft.com/technet/security/bulletin/ms06-054.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/rep/pop/pop_"; nocase; http_uri; content:"ad_soft_type="; nocase; http_uri; content:"ad_mid="; nocase; http_uri; content:"ad_type="; nocase; http_uri; content:"dm_source="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"corep.dmcast.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*corep\x2Edmcast\x2Ecom/smiH"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 8352 SPYWARE-PUT Adware desktopmedia runtime detection - ads popup www3.ca.com/securityadvisor/pest/pest.aspx?id=453098156 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/script/update.asp"; fast_pattern; nocase; http_uri; content:"version="; nocase; http_uri; content:"ownerversion="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"dcww.dmcast.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*dcww\x2Edmcast\x2Ecom/smiH"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 8353 SPYWARE-PUT Adware desktopmedia runtime detection - auto update www3.ca.com/securityadvisor/pest/pest.aspx?id=453098156 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/script/judge/judge.html"; fast_pattern; nocase; http_uri; content:"mid="; nocase; http_uri; content:"type="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"cojud.dmcast.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*cojud\x2Edmcast\x2Ecom/smiH"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 8354 SPYWARE-PUT Adware desktopmedia runtime detection - surf monitoring www3.ca.com/securityadvisor/pest/pest.aspx?id=453098156 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"From|3A|"; nocase; content:"SpyBuddy"; distance:0; nocase; pcre:"/^From\x3a[^\r\n]*SpyBuddy/smi"; flowbits:set,SpyBuddy_SMTP; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:successful-recon-limited; 8355 SPYWARE-PUT Keylogger spybuddy 3.72 runtime detection successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,SpyBuddy_SMTP; content:"SpyBuddy"; nocase; content:"Activity"; distance:0; nocase; content:"Logs"; distance:0; pcre:"/^SpyBuddy\s+Activity\s+Logs/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:successful-recon-limited; 8356 SPYWARE-PUT Keylogger spybuddy 3.72 runtime detection - send log out through email www3.ca.com/securityadvisor/pest/pest.aspx?id=453097719 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,SpyBuddy_SMTP; content:"SpyBuddy"; nocase; content:"Alert"; distance:0; nocase; pcre:"/^SpyBuddy\s+Alert/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:successful-recon-limited; 8357 SPYWARE-PUT Keylogger spybuddy 3.72 runtime detection - send alert out through email www3.ca.com/securityadvisor/pest/pest.aspx?id=453097719 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/related_bottom_v2.php"; fast_pattern; nocase; http_uri; content:"key="; nocase; http_uri; content:"No="; http_uri; content:"Host|3A|"; nocase; content:"related.yok.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*related\x2Eyok\x2Ecom/smi"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:misc-activity; 8359 SPYWARE-PUT Hijacker yok supersearch runtime detection - target website display research.sunbelt-software.com/threatdisplay.aspx?name=Yok.SuperSearch&threatid=44407 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/stat.htm"; nocase; http_uri; content:"id="; nocase; http_uri; content:"repeatip="; nocase; http_uri; content:"Host|3A| count.yok.com"; fast_pattern:only; metadata:policy security-ips alert; classtype:misc-activity; 8360 SPYWARE-PUT Hijacker yok supersearch runtime detection - search info collect research.sunbelt-software.com/threatdisplay.aspx?name=Yok.SuperSearch&threatid=44407 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; dsize:<50; content:"0^0^0^"; depth:6; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 8361 BACKDOOR black curse 4.0 runtime detection - inverse init connection www.megasecurity.org/trojans/b/blackcurse/Blackcurse4.0.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; dsize:<50; content:"|7C|48|7C|0|7C|0|7C|"; depth:8; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 8362 BACKDOOR black curse 4.0 runtime detection - normal init connection www.megasecurity.org/trojans/b/blackcurse/Blackcurse4.0.html 20096 attempted-user 2006-4868 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"|3A|fill"; nocase; content:"method"; distance:0; nocase; pcre:"/<\w+\x3afill\s[^>]*method\s*=\s*(\x27[^\x27]{32}|\x22[^\x22]{32}|[^\s>]{32})/smi"; metadata:policy security-ips drop; classtype:attempted-user; 8416 WEB-CLIENT VML fill method overflow attempt www.microsoft.com/technet/security/bulletin/ms06-055.mspx misc-activity 2006-4692 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"{|5C|rtf"; nocase; content:"{|5C|object|5C|objemb{|5C|*|5C|objclass Package}"; distance:0; nocase; metadata:policy security-ips drop; classtype:misc-activity; 8445 WEB-CLIENT RTF file with embedded object package download attempt www.microsoft.com/technet/security/bulletin/ms06-065.mspx successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ddd2/report_userinfo.asp"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"ddduser.dudu.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ddduser\x2Edudu\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:successful-recon-limited; 8461 SPYWARE-PUT Trackware duduaccelerator runtime detection - send userinfo www3.ca.com/securityadvisor/pest/pest.aspx?id=453097969 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/rep/dlinfo.html"; fast_pattern; nocase; http_uri; content:"url="; nocase; http_uri; content:"page="; nocase; http_uri; content:"product="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"dddrep.dudu.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*dddrep\x2Edudu\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:successful-recon-limited; 8462 SPYWARE-PUT Trackware duduaccelerator runtime detection - trace info downloaded www3.ca.com/securityadvisor/pest/pest.aspx?id=453097969 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/login_cn.html"; nocase; http_uri; content:"guid="; nocase; http_uri; content:"mid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"dddlogin.dudu.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*dddlogin\x2Edudu\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:successful-recon-limited; 8463 SPYWARE-PUT Trackware duduaccelerator runtime detection - trace login info www3.ca.com/securityadvisor/pest/pest.aspx?id=453097969 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/hap/adserver.aspx"; fast_pattern; nocase; http_uri; content:"version="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"distributorid="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"AD"; nocase; http_header; content:"Request"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"wwws.henbang.net"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*AD[^\r\n]*Request/smiH"; pcre:"/^Host\x3a[^\r\n]*wwws\x2Ehenbang\x2Enet/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 8464 SPYWARE-PUT Adware henbang runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453094312 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"From|3A|"; nocase; content:"NETObserve"; distance:0; nocase; pcre:"/^From\x3a[^\r\n]*NETObserve/smi"; flowbits:set,NETObserve_SMTP; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 8465 SPYWARE-PUT Keylogger netobserve runtime detection - email notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453073490 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,NETObserve_SMTP; content:"NETObserve"; nocase; content:"Requested"; distance:0; nocase; content:"Information"; distance:0; nocase; pcre:"/^NETObserve\s+Requested\s+Information/smi"; metadata:policy security-ips drop; classtype:successful-recon-limited; 8466 SPYWARE-PUT Keylogger netobserve runtime detection - email notification www3.ca.com/securityadvisor/pest/pest.aspx?id=453073490 successful-recon-limited tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any flow:established,from_server; content:"Server|3A|"; nocase; http_header; content:"NETObserve"; nocase; http_header; pcre:"/^Server\x3a[^\r\n]*NETObserve/smiH"; metadata:policy security-ips alert; classtype:successful-recon-limited; 8467 SPYWARE-PUT Keylogger netobserve runtime detection - remote login response www3.ca.com/securityadvisor/pest/pest.aspx?id=453073490 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/soap"; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.accoona.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eaccoona\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 8468 SPYWARE-PUT Hijacker accoona runtime detection - collect info www3.ca.com/securityadvisor/pest/pest.aspx?id=453096478 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search_assistant/accoona_search_assistant.jsp"; http_uri; content:"utm_id="; nocase; http_uri; content:"utm_content="; nocase; http_uri; content:"utm_source="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.accoona.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eaccoona\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 8469 SPYWARE-PUT Hijacker accoona runtime detection - open sidebar search url www3.ca.com/securityadvisor/pest/pest.aspx?id=453096478 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/requestimpression.aspx"; fast_pattern; nocase; http_uri; content:"ver="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"host="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"media.dxcdirect.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*media\x2Edxcdirect\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:successful-recon-limited; 8542 SPYWARE-PUT Trackware deluxecommunications runtime detection - collect info www3.ca.com/securityadvisor/pest/pest.aspx?id=453099974 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ip"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"pck_id="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"info="; nocase; http_uri; content:"link="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"media.dxcdirect.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*media\x2Edxcdirect\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:successful-recon-limited; 8543 SPYWARE-PUT Trackware deluxecommunications runtime detection - display popup ads www3.ca.com/securityadvisor/pest/pest.aspx?id=453099974 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"|7C|roogoo|7C|"; fast_pattern:only; pcre:"/^\x23\d+\x7c([0-9A-E]{2}\x2d){5}[0-9A-E]{2}\x7croogoo\x7c/smi"; metadata:policy security-ips alert; classtype:misc-activity; 8545 SPYWARE-PUT Adware roogoo runtime detection - surfing monitor www3.ca.com/securityadvisor/pest/pest.aspx?id=453097966 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/show/"; nocase; http_uri; content:"VER="; nocase; http_uri; content:"AdID="; nocase; http_uri; content:"UID="; nocase; http_uri; content:"SURL="; nocase; http_uri; content:"Host="; nocase; http_uri; content:"ConditionID="; nocase; http_uri; content:"HostJ"; nocase; content:"show.roogoo.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*show\x2Eroogoo\x2Ecom/smi"; metadata:policy security-ips drop; classtype:misc-activity; 8546 SPYWARE-PUT Adware roogoo runtime detection - show ads www3.ca.com/securityadvisor/pest/pest.aspx?id=453097966 trojan-activity tcp $HOME_NET 4000 -> $EXTERNAL_NET any flow:from_server,established; content:"Connected"; depth:9; nocase; content:"to"; distance:0; nocase; content:"Server"; distance:0; nocase; content:"at"; distance:0; nocase; pcre:"/^Connected\s+to\s+Server\s+at\x3a/smi"; flowbits:set,Backdoor.ZZMM.InitConnect; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 8547 BACKDOOR zzmm 2.0 runtime detection - init connection trojan-activity tcp $HOME_NET 4000 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Backdoor.ZZMM.InitConnect; content:"Attached"; nocase; content:"through"; distance:0; nocase; content:"port"; distance:0; nocase; pcre:"/^Attached\s+through\s+port\x3a/smi"; metadata:policy security-ips drop; classtype:trojan-activity; 8548 BACKDOOR zzmm 2.0 runtime detection - init connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453054345 trojan-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"[zxconfig]"; nocase; content:"MyIP="; nocase; content:"Port="; nocase; content:"Password="; nocase; content:"Banner="; nocase; content:"BackConnect="; nocase; content:"ServerID="; nocase; content:"LocalPort="; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 8549 BACKDOOR zxshell runtime detection - setting information retrieve www3.ca.com/securityadvisor/pest/pest.aspx?id=453081617 870 attempted-dos 2001-0752 icmp $EXTERNAL_NET any -> $HOME_NET any ipopts:rr; icode:0; itype:8; metadata:policy security-ips drop; classtype:attempted-dos; 8730 DOS record route rr denial of service attempt misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"MZ|90 00|"; byte_jump:4,56,relative,little; content:"PE|00 00|"; within:4; distance:-64; flowbits:set,exe.download; flowbits:noalert; metadata:service http; classtype:misc-activity; 915306 WEB-CLIENT Portable Executable binary file transfer policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server,established; content:"JVBERi0x"; flowbits:set,email.pdf; flowbits:noalert; metadata:service smtp; classtype:policy-violation; 915361 POLICY pdf file sent via email trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"|0A 08|P|D8|{|18|0|D8 D8 18|Py80|D8|P|18 0A 08|P|D8|{@0@0y8P|18|0|B8 0A|`|00 10 0A|8 {hP|D8|y8P|18|0"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9339 SPECIFIC-THREATS klez.g web propagation detection www.sophos.com/virusinfo/analyses/w32klezg.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"E|5C 05|]d|9E|Z<s-d1`/d0j3d3q4k2ank-v.k/`.k.f5kn7.d+r4v>d3cpv|29|cpu/e|E6|"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9340 SPECIFIC-THREATS klez.i web propagation detection www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=11837 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"lwlw@21fd.fgs|00|lgsr@21fd.fgs|00|Wtzmkyj1978@21fd.fgs|00|wtzmkyj@bdswma.fgs|00|owfp@bdswma.fgs|00|lgs@bdswma.fgs|00|rywelb@bdswma.fgs|00|gebwduff@21fd"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9346 SPECIFIC-THREATS klez.b web propagation detection www.symantec.com/security_response/writeup.jsp?docid=2002-011716-2500-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 139 flow:to_server,established; content:"lwlw@21fd.fgs|00|lgsr@21fd.fgs|00|Wtzmkyj1978@21fd.fgs|00|wtzmkyj@bdswma.fgs|00|owfp@bdswma.fgs|00|lgs@bdswma.fgs|00|rywelb@bdswma.fgs|00|gebwduff@21fd"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9347 SPECIFIC-THREATS klez.b netshare propagation detection www.symantec.com/security_response/writeup.jsp?docid=2002-011716-2500-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 139 flow:to_server,established; content:"M|D5 15 80 85 D9 1C 92|zE|3B|iy|C7|2|97|8|14|/8q|1B DA|^R|DA 15|- A|80|T|BC|EJ|A3 C1 AD 8F|+ya|D9 1B|e|A3|B5|29 BB EE EE C3 D9 15 B3|U|B7 B4|os|3A AF|?|87|s|05 CE E7|rC/{|80|^r|F6|@yY|05 BC|f|83 F8 90 AF 17|d|15 24 83|i|9B 06 A6|H<|A6|H|15 99 22 DA E6 C0 E5|2E|E5|2A|B5 C2|+|5C 90|Za|F8|[|92|@L |FE|0|90|W|01 FC E5|^|DE BF FF FF E9 F7 CF|<|F9 F3 EF|"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9351 SPECIFIC-THREATS lovgate.a netshare propagation detection www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=31576 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 445 flow:to_server,established; content:"0@|00 0A 00 00 00|SV|8B|5|A8| @|00|W|8D|E|F0|j|0A|P|FF|5|28|0@|00 FF D6 8B|]|08 8D|E|F0|PS|E8 9D 08 00 00 BF|L0@|00|WS|E8 8B 08 00 00 8D|E|F0|j|0A|P|FF|5|D0|2@|00 FF D6 8D|E|F0|PS|E8|s|08 00 00|WS|E8|l|08 00 00 8D|E|F0|j|0A|P|FF|5|D4|2@|00 FF D6 83 C4|D|8D|E|F0|PS|E8|Q|08 00 00|WS|E8|J|08 00 00 8D|E|F0|j|0A|P|FF|5"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9353 SPECIFIC-THREATS deborm.x netshare propagation detection www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DEBORM.X trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 445 flow:to_server,established; content:"|B7 D6 B6 3B|?X4|00|h|94|[h|8F B3 B3|u@|80|*|0C|F|05 29 B3|=|CE|J|19|8V|EF 1E 10|n|90 9A|1|08 08|^X|A0 3A B6 D7|Kn^d|FE 85|h|9D|%|18|d|B7 E0|n|83 BD|x|0C|Lw|9E|`|FD|%Yr+?4|FC|y|24 07 F6 A3|Y|A4 C4|`|FD B6 06 C9 03|d|FE F3|d|8E 91 C6 DE|O|9C|jP[|90 AF 91|j|BA|{|C6|p|13 C4 8A 80 10 8B|@|0C|w|AB D5|P|FF 96|w|C2 10 04|"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9354 SPECIFIC-THREATS deborm.y netshare propagation detection www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DEBORM.Y trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 445 flow:to_server,established; content:"|A3|Hp@|00 81|=Hp@|00 F0 00 00 00|~|0A C7 05|Hp@|00 0A 00 00 00|j|0A 8D|M|F0|Q|8B 15|Hp@|00|R|E8 E1|L|00 00 83 C4 0C 8D|E|F0|P|8B|M|08|Q|E8 DB 0D 00 00 83 C4 08|hlp@|00 8B|U|08|R|E8 DA 0D 00 00 83 C4 08|j|0A 8D|E|F0|P|8B 0D 90|{@|00|Q|E8 AB|L|00 00 83 C4 0C 8D|U|F0|R|8B|E|08|P|E8 B5 0D 00 00 83 C4 08|hpp@|00 8B|M|08|Q|E8|"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9355 SPECIFIC-THREATS deborm.u netshare propagation detection www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DEBORM.U trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 445 flow:to_server,established; content:"|AB B4|+|F6 04 19 B8 9F CB|t|24|HpR|04 A6 8E|R|17 B1 7F 8A 1E|z|12 8C B8 0C|aVM|81 7C|0|AC|8|BA B5 EE 1A|B|9B|a*xe@|D1|q8|22|T|B7|.`|11 E0|iQ}|C7 CA C1 81 D9|i|B7 A4|C|BE|0|23|2X|9A DF 5C 3B|v|12 CC| |80 AD 7C|cT|19|.|AE|!|8E F8 84|R|F5|1n|D7 1B|8|E8 B0|<U1F|BE B7 16 8B 89 17|Z2|B0 ED|%ED|C4 07 8B B6 CF 92 B2 22|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9356 SPECIFIC-THREATS deborm.q netshare propagation detection www.sophos.com/security/analyses/w32debormq.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 445 flow:to_server,established; content:"=X|A2|/|EF D1 BD C2 EB|0|5C 98|U|1A 08|c|AE|0|F1 06 C4 0B|m|D2 84|W|08|Z/|AD 02 0D|t|12|/|DA D7|>|C6|<|B2 DD 85 18 CF|,1j|8A F0 CF|Z|A4|`|87 D4|NP|89|@|F2 14 23 B8|R9|BF 0C B6 84|f|29 BA 02 0D F0 1D F6 B6|5C|04|n|99 10 BE 1D|j|0A DF 9A|P|BC CE DC C0|R9FlPT|BD CF|f|D4 CF F7|b|99 DD 8A 00 F0 E9 14|~b|9B EF C4 0C 24 96|,|14 89 D7|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9357 SPECIFIC-THREATS deborm.r netshare propagation detection www.sophos.com/security/analyses/w32debormr.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"agzyrywelb@igdupgdu.fgs|00|klgfp@yswma.fgs.fd|00|pyaab@igdupgdu.fgs|00|rywelb@163.fgs|00|bwdbwd@yswma.fgs.fd|00|ca1980@163.fgs|00|lmlm@igdupgdu.fgs|00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9363 SPECIFIC-THREATS klez.d web propagation detection www.sophos.com/security/analyses/w32klezd.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"|F2 99 00 00 03|+|16|-|A8 90 BA 8A 9A 29|0PH|80|@8` Z|00 08 80|+|A0 80 00 00|X|29|h|00|H`|E8|Z0P@Zhp+|E0| |E0| |29 90 18|0Z0P@Z|88 90|+ |88|P|F8 29 BA E2 A2 A2|ZX|00 88|+ X|88|`|29|h|00|H`|E8|Z0P@Zhp+|10 B8| |A8|h|29|h|00|H`|E8|Z0P@Zhp+|B0 88 B8 00 00 88 29 98 00 B8|`|F8|PXZ"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9364 SPECIFIC-THREATS klez.e web propagation detection www.symantec.com/security_response/writeup.jsp?docid=2002-011716-2500-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"1|03|3-|3B|+|B5 23|!|03 E9 0B 03 23 23|5i9|23|1|3B 19 B5|/73|B5|9?|E9 1B|+|1B|+i|07|%/|B5|/73|B5 01 07 E9|+|01|7|1D|i|8D 9B 8B 8B B5|5|23 01 E9|+5|01 3B|i9|23|1|3B 19 B5|/73|B5|9?|E9|'|0D|+|09|9i9|23|1|3B 19 B5|/73|B5|9?|E9 0F 01 0D 23 23 01|i|05 23 0D 3B 1D|75|B5|5|23 01 E9 0F|+5|3B|i|8D 9B 8B 8B B5|5|23 01 E9|=+?|1B|i|01 23 0D 0D|+|B5 23 0F E9|"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9387 SPECIFIC-THREATS klez.j web propagation detection www.spywareguide.com/product_show.php?id=376 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 445 flow:to_server,established; content:"E|F4 00 00 00 00 8B 8D E8 FB FF FF 89|M|F0 EB 09 FF 15|dsB|00 89|E|F4 83|}|F0 00|uy|83|}|F4 00|t,|83|}|F4 05|u|15 C7 05|DVB|00 09 00 00 00 8B|U|F4 89 15|HVB|00 EB 0C 8B|E|F4|P|E8|*I|00 00 83 C4 04 83 C8 FF EB|P|8B|M|08 C1 F9 05 8B|U|08 83 E2 1F 8B 04 8D|@nB|00 0F BE|L|D0 04 83 E1|@|85 C9|t|0F 8B|U|0C 0F BE 02 83 F8 1A|u|04|3|C0 EB 22 C7 05|DVB|00 1C 00 00 00 C7 05|HVB|00 00 00 00 00 83 C8 FF EB 09 8B|E|F0|+|85 E0 FB|"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9390 SPECIFIC-THREATS deborm.d netshare propagation detection www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=30322 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 445 flow:to_server,established; content:"@|00|@|3B C7|v|F5|AA|80|9|00|u|D4 FF|E|FC 83 C3 08 83|}|FC 04|r|C1 8B|E|08 C7 05 5C|}@|00 01 00 00 00|P|A3|L}@|00 E8 C6 00 00 00 8D B6 EC|x@|00 BF|P}@|00 A5 A5|Y|A3|d|7F|@|00 A5 EB|UAA|80|y|FF 00 0F 85|H|FF FF FF|j|01|X|80 88|a~@|00 08|@=|FF 00 00 00|r|F1|V|E8 8C 00 00 00|Y|A3|d|7F|@|00 C7 05 5C|}@|00 01 00 00 00 EB 06 89 1D 5C|}@|00|3|C0 BF|P}@|00 AB AB AB EB 0D|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9395 SPECIFIC-THREATS deborm.j netshare propagation detection www3.cai.com/securityadvisor/virusinfo/virus.aspx?ID=30328 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 445 flow:to_server,established; content:"C|80 EA 01 A1 EC|GB|00 8B|H|10 88|QC|8B 15 EC|GB|00 8B|B|10 0F BE|HC|85 C9|u|14 8B 15 EC|GB|00 8B|B|04 24 FE 8B 0D EC|GB|00 89|A|04 8B 15 EC|GB|00 83|z|08 FF 0F 85 92 00 00 00|h|00 80 00 00|j|00 A1 EC|GB|00 8B|H|0C|Q|FF 15 1C|cB|00 8B 15 EC|GB|00 8B|B|10|Pj|00 8B 0D E4|]B|00|Q|FF 15|4cB|00 8B 15 F0|GB|00|k|D2 14 A1 F4|GB|00 03 C2 8B 0D EC|GB|00 83 C1 14|+|C1|P|8B 15 EC|GB|00 83 C2 14|R|A1 EC|GB|00|P|E8|Z%|00 00 83 C4 0C 8B 0D F0|GB|00 83 E9 01 89 0D F0|GB|00 8B|U|08 3B 15 EC|GB|00|v"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9396 SPECIFIC-THREATS deborm.t netshare propagation detection www.viruslist.com/en/viruses/encyclopedia?virusid=24669 trojan-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"|0B|Bp|D6|p|00 C2 91 C5 83 DE 3B 08 C9| Ll|F8|l|18 F0 80|K!|89|.*|B0 AC 0C C8 08 88 93 E4|d1%7|DF BA 84 3A 3B|,|02 0C E7|,,8|80 D1 24 B1|j|10 D4 E0 E8|>B|C1 29 D3|I|F7 D8 1B C0 05 96 A4 D6 03 01 AE 7C 91 0F 9D A5 BA 95|F|8D 02|'n|99 8F E0 15 98 A0|j|FF FD BE|G|BE B3 EC A3 E1 17 C4|h|DC 3A|f|B8 02 F9 0E 81 CE E2 1B E4 10 13 C8 E7 E3 0C 3B E4 0C C6 01|`6h|D3|h|C0 98 99 87 8C 3B|V|D3|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9401 SPECIFIC-THREATS gokar http propagation detectiot www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=10606 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 139 flow:to_server,established; content:"|F7|F|DA C4|D|22|A|AB E6 0D AA 10 17 A5 9F|=|90 B6|D7|AD F6 EE|UN|E5 17|rx|B7|v|E1 94 C7 8C|Q9y|A1 D9 C9|wL|E2 94|Q|7C 0F|6QA6|02|Y|D4 D2 B0 C9|k|C5|r|B9|m|81 DE|'|08 D8 DB 1B A4 99 AC EB 08 BD A7 24|G|8C BC 07 0D E5 06 7F|3|80 0A|T3|90|B|7F 0F|V|95|m|0D 16|g|0A|Y|CB CF 18 FF CB CA|Z|01|_|DE|Z52|0C|Y|CE|Y|1F|&|8C|W|B0 14|u|5C 88 B1 B0 EB C3|<|84 B4|h|D4|>|B8 1E 0F A6|~"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9407 SPECIFIC-THREATS lovgate.b netshare propagation detection www.symantec.com/security_response/writeup.jsp?docid=2003-021922-4852-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 1863 flow:to_server,established; content:"Application-File|3A| smb.exe"; nocase; content:"Application-FileSize|3A| 163840"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9412 SPECIFIC-THREATS sinmsn.b msn propagation detection www.viruslist.com/en/viruses/encyclopedia?virusid=23776 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/1.php?p="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"beagle_beagle"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*beagle_beagle/smiH"; metadata:impact_flag red, policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9418 BOTNET-CNC bagle.a http notification detection www.symantec.com/security_response/writeup.jsp?docid=2004-011815-3332-99&tabid=2 10108 trojan-activity 2003-0533 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data; content:"|EC 03 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9419 SPECIFIC-THREATS sasser attempt 12205 www.microsoft.com/technet/security/bulletin/MS04-011.mspx 10108 trojan-activity 2003-0533 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data; content:"|AD 0D 00 00|"; metadata:policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9420 SPECIFIC-THREATS korgo attempt 12205 www.microsoft.com/technet/security/bulletin/MS04-011.mspx 14513 trojan-activity 2005-1983 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:54; dce_stub_data; content:"|C0 07 00 00 00 00 00 00|"; metadata:policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9421 SPECIFIC-THREATS zotob attempt www.microsoft.com/technet/security/bulletin/ms05-039.mspx 8205 trojan-activity 2003-0352 tcp $EXTERNAL_NET any -> $HOME_NET 135 flow:established,to_server; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"F|00|X|00|N|00|B|00|F|00|X|00|F|00|X|00|N|00|B|00|F|00|X|00|F|00|X|00|F|00|X|00|F|00|X|00|"; content:"|9D 13 00 01|"; within:4; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9422 SPECIFIC-THREATS msblast attempt www.microsoft.com/technet/security/bulletin/MS03-026.asp 8205 trojan-activity 2003-0352 tcp $EXTERNAL_NET any -> $HOME_NET 135 flow:established,to_server; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"F|00|X|00|N|00|B|00|F|00|X|00|F|00|X|00|N|00|B|00|F|00|X|00|F|00|X|00|F|00|X|00|F|00|X|00|"; content:"|9F|u|18 00|"; within:4; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9423 SPECIFIC-THREATS lovegate attempt www.microsoft.com/technet/security/bulletin/MS03-026.asp trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 139 flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,&,2,28,little,relative; content:"|5C 00|w|00|i|00|n|00|n|00|t|00 5C 00|e|00|x|00|p|00|l|00|o|00|r|00|e|00|r|00|.|00|e|00|x|00|e|00 00 00|"; within:41; distance:51; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9424 SPECIFIC-THREATS /winnt/explorer.exe unicode klez infection attempt attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"OsrkDtNPNg9Xj38hSOB7pKSR+RzaaUnt5GIvg8wXTYQPiLhBPWmLUXYLSN2KDpF0AWHCd8Po"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; classtype:trojan-activity; 9425 SPECIFIC-THREATS netsky attachment trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"Received message is available at"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity; 9426 SPECIFIC-THREATS mydoom.ap attachment 20744 attempted-user 2006-5567 tcp $EXTERNAL_NET [80,5190,8090] -> $HOME_NET any flow:to_client,established; content:"Ultravox-Max-Msg|3A|"; nocase; byte_test:10,>,65535,0,relative,string; metadata:policy security-ips drop; classtype:attempted-user; 9434 WEB-CLIENT Ultravox-Max-Msg header integer overflow attempt www.winamp.com/player/version_history.php 20978 attempted-user 2006-5864 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"%%DocumentMedia|3A|"; nocase; isdataat:257,relative; content:!"|0A|"; within:257; metadata:policy security-ips drop; classtype:attempted-user; 9619 WEB-CLIENT Gnu gv buffer overflow attempt attempted-user 2006-2386 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|9C CB CB 8D 13|u|D2 11 91|X|00 C0|OyV|A4|"; metadata:policy security-ips drop; classtype:attempted-user; 9639 WEB-CLIENT Windows Address Book download attempt www.microsoft.com/technet/security/bulletin/ms06-076.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/bho/ibho.php"; fast_pattern; nocase; http_uri; content:"add="; nocase; http_uri; content:"hdid="; nocase; http_uri; content:"os="; nocase; http_uri; content:"ie="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"modid="; nocase; http_uri; metadata:policy security-ips alert; classtype:misc-activity; 9644 SPYWARE-PUT Adware imnames runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453100875 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"/web"; nocase; http_uri; content:"query="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.sogou.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Esogou\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 9646 SPYWARE-PUT Hijacker sogou runtime detection - search through sogou toolbar www3.ca.com/securityadvisor/pest/pest.aspx?id=453098380 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A|"; nocase; content:"System"; distance:0; nocase; content:"Surveillance"; distance:0; nocase; content:"Log"; distance:0; nocase; content:"Open"; nocase; content:"log"; distance:0; nocase; content:"file"; distance:0; nocase; content:"import"; distance:0; nocase; pcre:"/^Subject\x3a[^\r\n]*System\s+Surveillance\s+Log/smi"; pcre:"/^Open\s+log\s+file\s+to\s+import/smi"; metadata:policy security-ips drop; classtype:successful-recon-limited; 9647 SPYWARE-PUT Keylogger system surveillance pro runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453098658 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-FILTERED-BY-GHOST|3A|"; fast_pattern:only; content:"1"; pcre:"/^X-FILTERED-BY-GHOST\x3a[^\r\n]*1/smi"; metadata:policy security-ips alert; classtype:successful-recon-limited; 9648 SPYWARE-PUT Keylogger emailspypro runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453083347 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"|23|"; nocase; content:"Ghost"; distance:0; nocase; content:"keylogger"; distance:0; nocase; content:"has"; distance:0; nocase; content:"started"; distance:0; nocase; pcre:"/^\x23\s+Ghost\s+Keylogger\s+has\s+started\x2E/smi"; flowbits:set,ghost_keylogger_start; flowbits:noalert; metadata:policy security-ips drop; classtype:successful-recon-limited; 9649 SPYWARE-PUT Keylogger ghost Keylogger runtime detection - flowbit set www3.ca.com/securityadvisor/pest/pest.aspx?id=70892 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,ghost_keylogger_start; content:"[Static"; nocase; content:"Text]"; distance:0; nocase; pcre:"/^\s*\x5BStatic\s+Text\x5D/smi"; metadata:policy security-ips alert; classtype:successful-recon-limited; 9650 SPYWARE-PUT Keylogger ghost Keylogger runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=70892 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"/banner/banner.asp"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.ricercadoppia.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Ericercadoppia\x2Ecom/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 9651 SPYWARE-PUT Hijacker ricercadoppia runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453098730 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"/bar/"; nocase; http_uri; content:"keywords="; nocase; http_uri; content:"app="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.oemji.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eoemji\x2Ecom/smiH"; metadata:policy security-ips alert; classtype:misc-activity; 9652 SPYWARE-PUT Hijacker oemji bar runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453094187 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"?&sesion="; nocase; flowbits:set,Backdoor.Apofis.Remotecontrol; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 9654 BACKDOOR apofis 1.0 runtime detection - remote controlling trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Backdoor.Apofis.Remotecontrol; content:"Troyano"; nocase; content:"Apofis"; distance:0; nocase; pcre:"/Troyano\s+Apofis\s+1\x2E0/smi"; metadata:policy security-ips alert; classtype:trojan-activity; 9655 BACKDOOR apofis 1.0 runtime detection - remote controlling www.megasecurity.org/trojans/a/apofis/Apofis1.0.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; content:"|24|[version]"; depth:10; nocase; flowbits:set,Backdoor.Bersek.Init; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 9656 BACKDOOR bersek 1.0 runtime detection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; flowbits:isset,Backdoor.Bersek.Init; content:"|23|[version]1.0"; depth:13; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 9657 BACKDOOR bersek 1.0 runtime detection - init connection www.megasecurity.org/trojans/b/bersek/Bersek1.0.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; content:"|24|[showuni]"; depth:10; nocase; flowbits:set,Backdoor.Bersek.Filemanager; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 9658 BACKDOOR bersek 1.0 runtime detection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; flowbits:isset,Backdoor.Bersek.Filemanager; content:"|23|[showuni]"; depth:10; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 9659 BACKDOOR bersek 1.0 runtime detection - file manage www.megasecurity.org/trojans/b/bersek/Bersek1.0.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; content:"|24|[proclst]"; depth:10; nocase; flowbits:set,Backdoor.Bersek.Showprocesses; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 9660 BACKDOOR bersek 1.0 runtime detection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; flowbits:isset,Backdoor.Bersek.Showprocesses; content:"|23|[shwproc]"; depth:10; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 9661 BACKDOOR bersek 1.0 runtime detection - show processes www.megasecurity.org/trojans/b/bersek/Bersek1.0.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; content:"|24|[shellgo]"; depth:10; nocase; flowbits:set,Backdoor.Bersek.Remoteshell; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 9662 BACKDOOR bersek 1.0 runtime detection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; flowbits:isset,Backdoor.Bersek.Remoteshell; content:"|23|[shellrs]"; depth:10; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 9663 BACKDOOR bersek 1.0 runtime detection - start remote shell www.megasecurity.org/trojans/b/bersek/Bersek1.0.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; content:"SrvDtl"; depth:6; nocase; flowbits:set,Backdoor.Crossbow.Init; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 9664 BACKDOOR crossbow 1.12 runtime detection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; flowbits:isset,Backdoor.Crossbow.Init; content:"SrvDtl|7C|"; depth:7; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 9665 BACKDOOR crossbow 1.12 runtime detection - init connection www.megasecurity.org/trojans/c/crossbow/Crossbow1.12.html trojan-activity tcp $HOME_NET 16454 -> $EXTERNAL_NET any flow:from_server,established; content:"{|05 00 00|"; depth:4; metadata:policy security-ips drop; classtype:trojan-activity; 9666 BACKDOOR superra runtime detection - success init connection trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 16454 flow:to_server,established; content:"|05 00 00|"; depth:3; offset:1; metadata:policy security-ips alert; classtype:trojan-activity; 9667 BACKDOOR superra runtime detection - issue remote control command successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"Supreme"; distance:0; nocase; content:"Spy"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*Supreme\s+Spy/smi"; metadata:policy security-ips alert; classtype:successful-recon-limited; 9830 SPYWARE-PUT Keylogger supreme spy runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453097729 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"friendlink="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.u88.cn"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eu88\x2Ecn/smiH"; metadata:policy security-ips drop; classtype:misc-activity; 9831 SPYWARE-PUT Adware u88 runtime detection research.sunbelt-software.com/threatdisplay.aspx?name=Adware.U88&threatid=46383 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1254 flow:to_server,established; content:"ASKGAY"; depth:6; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 9832 BACKDOOR ieva 1.0 runtime detection - send message www.www.megasecurity.org/trojans/i/ieva/Ieva1.0.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1254 flow:to_server,established; content:"DELEHARD"; depth:8; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 9833 BACKDOOR ieva 1.0 runtime detection - fake delete harddisk message www.www.megasecurity.org/trojans/i/ieva/Ieva1.0.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1254 flow:to_server,established; content:"BLACK"; depth:5; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 9834 BACKDOOR ieva 1.0 runtime detection - black screen www.www.megasecurity.org/trojans/i/ieva/Ieva1.0.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1254 flow:to_server,established; content:"OTHER"; depth:5; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 9835 BACKDOOR ieva 1.0 runtime detection - swap mouse www.www.megasecurity.org/trojans/i/ieva/Ieva1.0.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1254 flow:to_server,established; content:"MOUSE"; depth:5; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 9836 BACKDOOR ieva 1.0 runtime detection - crazy mouse www.www.megasecurity.org/trojans/i/ieva/Ieva1.0.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|FF 01 01 01 80 00 00 00|"; depth:8; nocase; flowbits:set,Backdoor.SunShadow.Init; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; 9837 BACKDOOR sun shadow 1.70 runtime detection - init connection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Backdoor.SunShadow.Init; content:"|FF 01 01 03 00 00 00 00|"; depth:8; nocase; metadata:policy security-ips drop; classtype:trojan-activity; 9838 BACKDOOR sun shadow 1.70 runtime detection - init connection www.megasecurity.org/trojans/s/sunshadow/Sunshadow1.7.0.html trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"|FF 01 03 03 00 00 00 00|"; depth:8; nocase; metadata:policy security-ips alert; classtype:trojan-activity; 9839 BACKDOOR sun shadow 1.70 runtime detection - keep alive www.megasecurity.org/trojans/s/sunshadow/Sunshadow1.7.0.html 21852 attempted-user 2007-0017 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|23|EXTM3U"; content:"udp|3A|//"; distance:0; nocase; content:"%"; distance:0; pcre:"/\x23EXTM3U.*?udp\x3A\x2F\x2F[^\r\n]*%/smi"; metadata:policy connectivity-ips drop, policy security-ips drop; classtype:attempted-user; 9844 WEB-CLIENT VLC Media Player udp URI format string attempt - single packet projects.info-pull.com/moab/MOAB-02-01-2007.html misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|23|EXTM3U"; flowbits:set,http.m3u.download; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; 9845 WEB-CLIENT M3U File Download Detected 21852 attempted-user 2007-0017 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.m3u.download; content:"udp|3A|//"; nocase; content:"%"; distance:0; pcre:"/\x23EXTM3U.*?udp\x3A\x2F\x2F[^\r\n]*%/smi"; metadata:policy security-ips drop; classtype:attempted-user; 9846 WEB-CLIENT VLC Media Player udp URI format string attempt - multipacket projects.info-pull.com/moab/MOAB-02-01-2007.html attempted-user 2007-0024 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"recolorinfo"; content:"numfills"; pcre:"/recolorinfo[^>]*numfills\s*=\s*\x22/si"; byte_test:10,>,24403223,0,relative,string; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 9848 WEB-CLIENT Vector Markup Language recolorinfo tag numfills parameter buffer overflow attempt www.microsoft.com/technet/security/bulletin/ms07-004.mspx attempted-user 2007-0024 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"recolorinfo"; content:"numcolors"; pcre:"/recolorinfo[^>]*numcolors\s*=\s*\x22/si"; byte_test:10,>,24403223,0,relative,string; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-user; 9849 WEB-CLIENT Vector Markup Language recolorinfo tag numcolors parameter buffer overflow attempt www.microsoft.com/technet/security/bulletin/ms07-004.mspx 500 Malware 17040 attempted-user 2006-1148 tcp $EXTERNAL_NET any -> $HOME_NET 7144 flow:established,to_server; content:"/stream/?"; isdataat:800; pcre:"/GET\s+\x2fstream\x2f\x3f[^\x0a\x0d\x00\x20\x2f\x3d\x3b]{800}/smi"; classtype:attempted-user; 10064 EXPLOIT Peercast URL Parameter overflow attempt attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"POST /g"; depth:7; nocase; content:"back=++Back++|0D 0A 0D 0A|"; distance:0; nocase; classtype:attempted-admin; 10124 SPECIFIC-THREATS PA168 chipset based IP phone authentication bypass www.procheckup.com/Vulner_PR0614.php 16697 attempted-user 2006-0460 udp $EXTERNAL_NET any -> $HOME_NET 11000 flow:to_server; content:"|00 00 00 00|8|03|A"; depth:7; isdataat:764; classtype:attempted-user; 10125 MISC bomberclone buffer overflow attempt successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 20 flow:from_server,established; content:"<title>New Page 1</title>"; nocase; content:"Log Started |3A|"; distance:0; fast_pattern; nocase; classtype:successful-recon-limited; 10167 SPYWARE-PUT Keylogger radar spy 1.0 runtime detection - send html log www.ca.com/us/securityadvisor/pest/pest.aspx?id=453079942 22530 attempted-user 2007-0927 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"d8|3A|announce"; nocase; pcre:"/^(\d{5,}|390[1-9]|39[1-9][0-9]|[4-9][0-9]{3})\x3A/R"; metadata:service http; classtype:attempted-user; 10172 WEB-MISC uTorrent announce buffer overflow attempt attempted-admin 2007-1260 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:established,to_server; content:"Content-Length|3A|"; nocase; http_header; isdataat:100,relative; pcre:"/^Content-Length\x3A\s*[^\r\n]{100}/smiH"; metadata:service http; classtype:attempted-admin; 10195 WEB-MISC Content-Length buffer overflow attempt djeyl.net/w.php 2294 web-application-attack 2001-0251 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"REVLOG / "; depth:9; metadata:service http; classtype:web-application-attack; 1047 WEB-MISC Netscape Enterprise DOS 2285 web-application-attack 2001-0250 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"INDEX "; depth:6; metadata:service http; classtype:web-application-attack; 1048 WEB-MISC Netscape Enterprise directory listing attempt 10691 attempted-admin 2004-0297 tcp $EXTERNAL_NET any -> $HOME_NET 389 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|10480; 10480 EXPLOIT imail ldap buffer overflow exploit attempt labs.idefense.com/intelligence/vulnerabilities/display.php?id=74 attempted-user 2004-0541 tcp $EXTERNAL_NET any -> $HOME_NET 3128 gid:3; classtype:attempted-user; metadata: engine shared, soid 3|10481; 10481 EXPLOIT squid NTLM Authorization buffer overflow exploit attempt www.idefense.com/application/poi/display?id=107 misc-activity tcp $HOME_NET 2589 -> $EXTERNAL_NET any flow:from_server,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|"; depth:16; classtype:misc-activity; 105 BACKDOOR - Dagger_1.4.0 2732 web-application-attack 2001-0746 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"GETPROPERTIES"; depth:13; metadata:service http; classtype:web-application-attack; 1050 WEB-MISC iPlanet GETPROPERTIES attempt shellcode-detect tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"unescape"; fast_pattern:only; pcre:"/(spray|return_address|payloadcode|shellcode|retaddr|retaddress|block|payload|agent|hspt)/smi"; pcre:"/unescape\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)[\x25\x5c]u[0-9a-f]{4}(\x22\s*\x2B\s*\x22)?[\x25\x5c]u[0-9a-f]{4}/smi"; classtype:shellcode-detect; 10504 SHELLCODE unescape encoded shellcode shellcode-detect tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"unescape"; fast_pattern:only; pcre:"/(spray|return_address|payloadcode|shellcode|retaddr|retaddress|block|payload|agent|hspt)/smi"; pcre:"/unescape\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)[\x25\x5c][0-9a-f]{2}[\x25\x5c][0-9a-f]{2}/smi"; classtype:shellcode-detect; 10505 SHELLCODE unescape encoded shellcode web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"nc.exe"; nocase; metadata:service http; classtype:web-application-activity; 1062 WEB-MISC nc.exe attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"wsh.exe"; nocase; metadata:service http; classtype:web-application-activity; 1064 WEB-MISC wsh attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"rcmd.exe"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1065 WEB-MISC rcmd attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"telnet.exe"; nocase; metadata:service http; classtype:web-application-activity; 1066 WEB-MISC telnet attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"net.exe"; nocase; metadata:service http; classtype:web-application-activity; 1067 WEB-MISC net attempt web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".htpasswd"; nocase; metadata:service http; classtype:web-application-attack; 1071 WEB-MISC .htpasswd access 950 web-application-activity 2000-0097 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/scripts/samples/search/webhits.exe"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1073 WEB-MISC webhits.exe access 1656 web-application-activity 2003-0718 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"propfind"; nocase; pcre:"/<a\x3a\s*propfind.*?xmlns\x3a\s*a=[\x21\x22]?DAV[\x21\x22]?/iR"; metadata:service http; classtype:web-application-activity; 1079 WEB-MISC WebDAV propfind access 10505 www.microsoft.com/technet/security/bulletin/MS04-030.mspx misc-activity tcp $EXTERNAL_NET any -> $HOME_NET 7597 flow:to_server,established; content:"qazwsx.hsq"; classtype:misc-activity; 108 BACKDOOR QAZ Worm Client Login access 1876 web-application-attack 2000-1025 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/servlet/com.unify.servletexec.UploadServlet"; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1080 WEB-MISC unify eWave ServletExec upload 10570 1868 web-application-attack 2000-1025 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/dsgw/bin/search?context="; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1081 WEB-MISC Netscape Servers suite DOS 1194 web-application-attack 2000-0439 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"ref%3Cscript%20language%3D%22Javascript"; nocase; metadata:service http; classtype:web-application-attack; 1082 WEB-MISC amazon 1-click cookie theft 1868 web-application-activity 2000-1025 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/servlet/ServletExec"; http_uri; metadata:service http; classtype:web-application-activity; 1083 WEB-MISC unify eWave ServletExec DOS 2337 web-application-attack 2000-1049 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"servlet/......."; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1084 WEB-MISC Allaire JRUN DOS attempt 1463 web-application-attack 2000-1078 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"??????????"; http_uri; metadata:service http; classtype:web-application-attack; 1091 WEB-MISC ICQ Webfront HTTP DOS 1722 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/webplus.exe?script=test.wml"; http_uri; metadata:service http; classtype:web-application-attack; 1095 WEB-MISC Talentsoft Web+ Source Code view access archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html 1720 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/webplus.exe?about"; http_uri; metadata:service http; classtype:web-application-activity; 1096 WEB-MISC Talentsoft Web+ internal IP Address access archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cybercop"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1099 WEB-MISC cybercop scan 5847 web-application-attack 2002-0840 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"ONERROR="; nocase; http_uri; metadata:service http; classtype:web-application-attack; 10990 WEB-MISC encoded cross site scripting HTML Image tag attempt 5362 misc-attack 2002-0656 tcp $EXTERNAL_NET any -> $HOME_NET 443 flow:to_server,established; flowbits:isset,sslv2.server_hello.request; content:"|02|"; depth:1; offset:2; byte_test:2,>,8,10; flowbits:unset,sslv2.server_hello.request; metadata:service http; classtype:misc-attack; 10997 WEB-MISC SSLv2 OpenSSl KEY_ARG buffer overflow attempt trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 flow:to_server,established; content:"GetInfo|0D|"; classtype:trojan-activity; 110 BACKDOOR netbus getinfo web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| Java1.2.1|0D 0A|"; http_header; metadata:service http; classtype:web-application-activity; 1100 WEB-MISC L3retriever HTTP Probe web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; http_header; metadata:service http; classtype:web-application-activity; 1101 WEB-MISC Webtrends HTTP probe web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/nessus_is_probing_you_"; depth:32; http_uri; metadata:service http; classtype:web-application-attack; 1102 WEB-MISC nessus 1.X 404 probe 1579 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin-serv/config/admpw"; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1103 WEB-MISC Netscape admin passwd 10468 1455 attempted-recon 2000-0638 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/bb-hostsvc.sh?HOSTSVC"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1105 WEB-MISC BigBrother access 10460 1510 attempted-recon 2000-0671 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/%00"; http_uri; metadata:service http; classtype:attempted-recon; 1109 WEB-MISC ROXEN directory list attempt 10479 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"?DeleteDocument"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1116 WEB-MISC Lotus DelDoc attempt 23532 attempted-user 2007-2126 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:established,to_server; content:"dbms_cdc_ipublish.chgtab_cache"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{30,}\x27|\x22[^\x22]{30,}\x22)[\r\n\s]*\x3b.*change_table_name[\r\n\s]*=>[\r\n\s]*\2|change_table_name\s*=>\s*(\x27[^\x27]{30,}|\x22[^\x22]{30,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]*\x22)\s*,\s*){2}(\x27[^\x27]{30,}|\x22[^\x22]{30,}))/si"; classtype:attempted-user; 11175 ORACLE dbms_cdc_ipublish.chgtab_cache buffer overflow attempt attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"ls%20-l"; nocase; metadata:service http; classtype:attempted-recon; 1118 WEB-MISC ls%20-l 713 attempted-recon 1999-0346 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/mlog.phtml"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1119 WEB-MISC mlog.phtml access 713 attempted-recon 1999-0346 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/mylog.phtml"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1120 WEB-MISC mylog.phtml access attempted-user tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:established,to_server; content:"sys.dbms_apply_user_agent.set_registration_handler"; nocase; classtype:attempted-user; 11203 ORACLE sys.dbms_apply_user_agent.set_registration_handler access attempt www.ngssoftware.com/research/papers/NGSSoftware-OracleCPUAPR2007.pdf attempted-user tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:established,to_server; content:"sys.dbms_upgrade_internal"; nocase; classtype:attempted-user; 11205 ORACLE sys.dbms_upgrade_internal access attempt www.red-database-security.com/advisory/oracle_sql_injection_dbms_upgrade_internal.html attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/etc/passwd"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1122 WEB-MISC /etc/passwd 15509 web-application-attack 2005-3757 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"proxystylesheet"; http_uri; content:"/search"; http_uri; pcre:"/proxystylesheet=[-a-z0-9_\.]*[^-a-z0-9_\.&\s]/sUmi"; metadata:service http; classtype:web-application-attack; 11223 WEB-MISC google proxystylesheet arbitrary command execution attempt metasploit.com/research/vulns/google_proxystylesheet/ 7621 attempted-recon 1999-0269 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"?PageServices"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1123 WEB-MISC ?PageServices access attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/config/check.txt"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1124 WEB-MISC Ecommerce check.txt access attempted-recon 1999-0610 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/webcart/"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1125 WEB-MISC webcart access 10298 2110 attempted-recon 1999-0407 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"_AuthChangeUrl?"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1126 WEB-MISC AuthChangeUrl access 12742 attempted-admin 2005-0353 udp $EXTERNAL_NET any -> $HOME_NET 5093 flow:to_server; dsize:>836; classtype:attempted-admin; 11265 EXPLOIT Sentinel license manager buffer overflow attempt 7180 attempted-admin 2003-0220 tcp $EXTERNAL_NET any -> $HOME_NET 44334 flow:to_server,established; isdataat:1000; pcre:"/^[^\x00]{1000}/m"; classtype:attempted-admin; 11266 EXPLOIT Kerio Personal Firewall authentication buffer overflow attempt 2025 attempted-recon 1999-0175 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/scripts/convert.bas"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1127 WEB-MISC convert.bas access 4002 attempted-recon 1999-0360 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/scripts/cpshost.dll"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1128 WEB-MISC cpshost.dll access attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".htaccess"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1129 WEB-MISC .htaccess access attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".wwwacl"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1130 WEB-MISC .wwwacl access attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".www_acl"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1131 WEB-MISC .wwwacl access attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; classtype:attempted-recon; 1133 SCAN cybercop os probe attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"cd.."; nocase; metadata:service http; classtype:attempted-recon; 1136 WEB-MISC cd.. attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"HEAD/./"; metadata:service http; classtype:attempted-recon; 1139 WEB-MISC whisker HEAD/./ www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html 776 attempted-recon 1999-1053 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/guestbook.pl"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1140 WEB-MISC guestbook.pl access 10099 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/~root"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1145 WEB-MISC /~root access attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/config/import.txt"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1146 WEB-MISC Ecommerce import.txt access 374 attempted-recon 1999-0039 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"cat "; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1147 WEB-MISC cat%20 access attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/orders/import.txt"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1148 WEB-MISC Ecommerce import.txt access trojan-activity tcp $HOME_NET 20034 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; classtype:trojan-activity; 115 BACKDOOR NetBus Pro 2.0 connection established 2281 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/orders/checks.txt"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1155 WEB-MISC Ecommerce checks.txt access web-application-activity 2000-1196 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/PSUser/PSCOErrPage.htm"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1157 WEB-MISC Netscape PublishingXpert access 10364 1073 attempted-recon 2000-0242 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/windmail.exe"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1158 WEB-MISC windmail.exe access 10365 1725 attempted-recon 2000-1005 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/webplus?script"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1159 WEB-MISC webplus access 1063 attempted-recon 2000-0236 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"?wp-"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1160 WEB-MISC Netscape dir index wp 10352 1153 attempted-recon 2000-0429 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/c32web.exe/ChangeAdminPassword"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1162 WEB-MISC cart 32 AdminPwd access 2049 attempted-recon 2000-1188 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/quikstore.cfg"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1164 WEB-MISC shopping cart access 1036 attempted-recon 2000-0192 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/rpm_query"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1167 WEB-MISC rpm_query access 10340 2266 attempted-recon 1999-0606 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/mall_log_files/order.log"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1168 WEB-MISC mall log order access 11032 attempted-admin 2001-0311 tcp $EXTERNAL_NET any -> $HOME_NET 5555 flow:established,to_server; content:"|00 00 00|.2|00| a|00| 0|00| 0|00| 0|00| A|00| 28|00|"; depth:25; pcre:"/^[^\x00]*\x2e\x2e/R"; classtype:attempted-admin; 11681 EXPLOIT Openview Omni II command bypass attempt 8968 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 515 flow:to_server,established; content:"|EB|3"; depth:2; isdataat:53; content:"6B@|00|"; depth:4; offset:49; classtype:attempted-admin; 11682 SPECIFIC-THREATS Metasploit niprint_lpd module attack attempt misc-activity 1999-0660 tcp $HOME_NET any -> $EXTERNAL_NET any flow:established,from_server; content:"WHATISIT"; classtype:misc-activity; 117 BACKDOOR Infector.1.x 11157 2248 attempted-recon 1999-0279 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ews/architext_query.pl"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1173 WEB-MISC architext_query.pl access 10064 www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt 649 attempted-recon 1999-0954 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/wwwboard.pl"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1175 WEB-MISC wwwboard.pl access 1063 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"?wp-verify-link"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1177 WEB-MISC Netscape Enterprise Server directory view trojan-activity tcp $HOME_NET 666 -> $EXTERNAL_NET any flow:from_server,established; content:"Remote|3A| "; depth:11; nocase; content:"You are connected to me.|0D 0A|Remote|3A| Ready for commands"; distance:0; nocase; classtype:trojan-activity; 118 BACKDOOR SatansBackdoor.2.0.Beta www3.ca.com/securityadvisor/pest/pest.aspx?id=5260 770 attempted-recon 1999-0885 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/get32.exe"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1180 WEB-MISC get32.exe access 10011 attempted-dos 1999-1070 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ping?query="; http_uri; metadata:service http; classtype:attempted-dos; 1181 WEB-MISC Annex Terminal DOS attempt 10017 1063 attempted-recon 2000-0236 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"?wp-cs-dump"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1183 WEB-MISC Netscape Enterprise Server directory view 10352 attempted-user 2007-2219 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"res|3A|//"; pcre:"/\x2Edll[\x2F\x5C][^\x3E\x00\s\x2F\x5C]*[\x2F\x5C](\x23|%23)(\d{6}|[7-9]\d{4}|6[6-9]\d{3}|65[6-9]\d{2}|655[4-9]\d|6553[6-9])/smi"; metadata:service http; classtype:attempted-user; 11838 WEB-MISC Win32 API res buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS07-035.mspx 1063 attempted-recon 2000-0236 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"?wp-ver-info"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1184 WEB-MISC Netscape Enterprise Server directory view 1063 attempted-recon 2000-0236 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"?wp-ver-diff"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1186 WEB-MISC Netscape Enterprise Server directory view 1089 web-application-attack 2000-0289 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/slxweb.dll/admin?command="; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1187 WEB-MISC SalesLogix Eviewer web command attempt 10361 1063 attempted-recon 2000-0236 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"?wp-start-ver"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1188 WEB-MISC Netscape Enterprise Server directory view 1063 attempted-recon 2000-0236 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"?wp-stop-ver"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1189 WEB-MISC Netscape Enterprise Server directory view misc-activity tcp $HOME_NET 6789 -> $EXTERNAL_NET any flow:established,from_server; content:"Wtzup Use"; depth:32; classtype:misc-activity; 119 BACKDOOR Doly 2.0 access 1063 attempted-recon 2000-0236 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"?wp-uncheckout"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1190 WEB-MISC Netscape Enterprise Server directory view 1063 attempted-recon 2000-0236 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"?wp-html-rend"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1191 WEB-MISC Netscape Enterprise Server directory view 1053 web-application-attack 2000-0169 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ows-bin/"; nocase; http_uri; content:"?&"; http_uri; metadata:service http; classtype:web-application-attack; 1193 WEB-MISC oracle web arbitrary command execution attempt 10348 attempted-user 2007-2218 tcp $EXTERNAL_NET 443 -> $HOME_NET any flow:established, to_client; ssl_state:server_hello; content:"|16 03 00|"; content:"|0C|"; within:1; distance:2; byte_jump:2,3,relative,big; byte_jump:2,0,relative,big; content:"|00 00|"; within:2; classtype:attempted-user; 11947 WEB-CLIENT Windows schannel security package www.microsoft.com/technet/security/bulletin/MS07-031.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"Cookie|3A|"; nocase; http_header; content:"www.snap.com"; nocase; http_header; content:"toolbar_domain_redirect"; nocase; http_header; pcre:"/^Cookie\x3a[^\r\n]*www\x2Esnap\x2Ecom[^\r\n]*toolbar_domain_redirect/smiH"; classtype:misc-activity; 11948 SPYWARE-PUT Hijacker snap toolbar runtime detection - cookie www3.ca.com/securityadvisor/pest/pest.aspx?id=453094831 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 7896 flow:established; content:"MESSAGE + "; depth:10; nocase; content:" + windows"; distance:0; nocase; classtype:trojan-activity; 11949 BACKDOOR lame rat v1.0 runtime detection www.megasecurity.org/trojans/l/lamerat/Lamerat1.0.html trojan-activity tcp $HOME_NET 1339 -> $EXTERNAL_NET any flow:from_server,established; content:"Server|3A|"; nocase; content:"Root"; distance:0; nocase; content:"kit"; distance:0; nocase; content:"scaner"; distance:0; nocase; pcre:"/^Server\x3a[^\r\n]*Root[^\r\n]*kit[^\r\n]*Scaner/smi"; classtype:trojan-activity; 11950 BACKDOOR killav_gj karus-software.at/portal/modules.php?name=Virenlexikon&suche=t&submit=suche&show=Trojan.Win32.KillAV.GJ trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 610 flow:to_server,established; flowbits:isset,SupervisorPlus_detection; content:"<A "; depth:3; nocase; pcre:"/^\x3c\x41\x20.*\x3b\x5c\x5c.*\x5cSV\x24\x5c\x3e\x3c/smi"; classtype:trojan-activity; 11954 BACKDOOR supervisor plus runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453109596 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"INVITE"; depth:6; nocase; content:"SIP/2.0"; distance:0; nocase; pcre:"/^INVITE\s+(sips?|tel|https?)\x3A[\w-'"]+\x40[\w-'"\x2E]+\s+/smi"; classtype:protocol-command-decode; 11968 VOIP-SIP inbound INVITE message www.ietf.org/rfc/rfc3261.txt protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"SIP/2.0 401 Unauthorized"; depth:24; nocase; classtype:protocol-command-decode; 11969 VOIP-SIP inbound 401 unauthorized message www.ietf.org/rfc/rfc3261.txt 18906 attempted-dos 2005-4050 udp $EXTERNAL_NET any -> $HOME_NET 5060:5061 content:"CSeq|3A|"; nocase; isdataat:25,relative; content:!"|0A|"; within:25; classtype:attempted-dos; 11971 VOIP-SIP CSeq buffer overflow attempt www.ietf.org/rfc/rfc3261.txt misc-activity udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Max-Forwards|3A|"; fast_pattern:only; pcre:"/^Max-Forwards\x3A\s+(\d{3,}|[89]\d|7[1-9])/smi"; classtype:misc-activity; 11972 VOIP-SIP Max-Forwards value over 70 www.ietf.org/rfc/rfc3261.txt 24542 attempted-user 2007-3369 udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Via|3A|"; fast_pattern:only; nocase; pcre:"/^Via\x3A\s+SIP\x2F2\x2E0\x2F(TCP|UDP)\s+[^\x3B\r\n]{63}/smi"; classtype:attempted-user; 11973 VOIP-SIP Via header hostname buffer overflow attempt www.ietf.org/rfc/rfc3261.txt misc-activity udp $EXTERNAL_NET any -> $HOME_NET 5060 dsize:<11; classtype:misc-activity; 11974 VOIP-SIP response too small www.ietf.org/rfc/rfc3261.txt misc-activity udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Via|3A|"; fast_pattern:only; pcre:"/^Via\x3A\s+(?!SIP\x2F2\x2E0)/smi"; classtype:misc-activity; 11975 VOIP-SIP Via header missing SIP field www.ietf.org/rfc/rfc3261.txt attempted-user udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"<sip"; fast_pattern:only; pcre:"/<sips?[^\x3A]{6}/smi"; classtype:attempted-user; 11976 VOIP-SIP overflow in URI type - SIP www.ietf.org/rfc/rfc3261.txt attempted-user udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"<tel"; fast_pattern:only; pcre:"/<tel[^\x3A]{6}/smi"; classtype:attempted-user; 11977 VOIP-SIP overflow in URI type - Tel www.ietf.org/rfc/rfc3261.txt attempted-user udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"From|3A|"; fast_pattern:only; nocase; pcre:"/^From\x3A\s+[^\r\n]{256}/smi"; classtype:attempted-user; 11978 VOIP-SIP from header field buffer overflow attempt www.ietf.org/rfc/rfc3261.txt attempted-user udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Content-Type|3A|"; nocase; content:"application/sdp"; distance:0; nocase; content:"m="; distance:0; nocase; pcre:"/^Content-Type\x3A\s+application\x2Fsdp/smi"; pcre:"/^m=[A-Z]{1,20}\s(\d{6,}|[7-9]\d{5,}|6[6-9]\d{3,}|65[6-9]\d{2,}|655[4-9]\d+|6553[6-9])/smi"; classtype:attempted-user; 11979 VOIP-SIP oversized SDP media port www.ietf.org/rfc/rfc4566.txt 1063 web-application-attack 2000-0236 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"?wp-usr-prop"; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1198 WEB-MISC Netscape Enterprise Server directory view 16213 attempted-user 2006-0189 udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Content-Type|3A|"; nocase; content:"application/sdp"; distance:0; nocase; content:"a="; distance:0; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/^Content-Type\x3A\s+application\x2Fsdp/smi"; pcre:"/^a=[^\r\n]{256}/smi"; classtype:attempted-user; 11980 VOIP-SIP SDP attribute buffer overflow attempt www.ietf.org/rfc/rfc4566.txt 15711 attempted-user 2005-4050 udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"INVITE"; depth:6; nocase; pcre:"/^INVITE\s[^\s\r\n]{60}/smi"; classtype:attempted-user; 11981 VOIP-SIP MultiTech INVITE field buffer overflow attempt attempted-dos udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"To|3A|"; nocase; content:"%25%32%35%25%33%32%25%33%35%25%32%35%25%33%33"; fast_pattern:only; pcre:"/^To\x3A\s+%25%32%35%25%33%32%25%33%35%25%32%35%25%33%33/smi"; classtype:attempted-dos; 11982 VOIP-SIP recursive URL-encoded data in To header www.ietf.org/rfc/rfc3261.txt attempted-user udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Content-Type|3A|"; nocase; content:"application/sdp"; distance:0; nocase; content:"t="; distance:0; nocase; content:"-"; distance:0; pcre:"/^Content-Type\x3A\s+application\x2Fsdp/smi"; pcre:"/^t=(-|\d{1,6}\s-)/smi"; classtype:attempted-user; 11983 VOIP-SIP SDP negative time value www.ietf.org/rfc/rfc4566.txt attempted-user udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Content-Type|3A|"; nocase; content:"application/sdp"; distance:0; nocase; content:"t="; distance:0; nocase; pcre:"/^Content-Type\x3A\s+application\x2Fsdp/smi"; pcre:"/^t=(\d{7,}|\d{1,6}\s\d{7,})/smi"; classtype:attempted-user; 11984 VOIP-SIP SDP oversized time value www.ietf.org/rfc/rfc4566.txt attempted-user udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Expires|3A|"; fast_pattern:only; pcre:"/^Expires\x3A\s+\d{11}/smi"; classtype:attempted-user; 11985 VOIP-SIP Expires header overflow attempt www.ietf.org/rfc/rfc3261.txt attempted-user udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Authorization|3A|"; nocase; content:"response="; distance:0; nocase; pcre:"/^Authorization\x3A[^\r\n]+?response=[\x00-\x09\x0B\x0C\x0E-\x7F]*[\x80-\xFF]/smi"; classtype:attempted-user; 11986 VOIP-SIP invalid characters in authorization response parameter www.ietf.org/rfc/rfc3261.txt attempted-dos udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Via|3A|"; nocase; content:"%"; distance:0; pcre:"/^Via\x3A\s*SIP\x2F2\x2E0\x2F(TC|UD)P\s+[^\r\n%]*%/smi"; classtype:attempted-dos; 11987 VOIP-SIP Via header format string attempt www.ietf.org/rfc/rfc3261.txt attempted-dos udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"From|3A|"; nocase; content:"%"; distance:0; pcre:"/^From\x3A\s*[^\r\n%]*%/smi"; classtype:attempted-dos; 11988 VOIP-SIP From header format string attempt www.ietf.org/rfc/rfc3261.txt attempted-dos udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Call-ID|3A|"; nocase; content:"%"; distance:0; pcre:"/^Call-ID\x3A\s*[^\r\n%]*%/smi"; classtype:attempted-dos; 11989 VOIP-SIP Call-ID header format string attempt www.ietf.org/rfc/rfc3261.txt 282 web-application-attack 1999-0771 tcp $EXTERNAL_NET any -> $HOME_NET 2301 flow:to_server,established; content:"../"; metadata:service http; classtype:web-application-attack; 1199 WEB-MISC Compaq Insight directory traversal attempted-dos udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Contact|3A|"; nocase; content:"%"; distance:0; pcre:"/^Contact\x3A\s*[^\r\n%]*%/smi"; classtype:attempted-dos; 11990 VOIP-SIP Contact header format string attempt www.ietf.org/rfc/rfc3261.txt attempted-dos udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"CSeq|3A|"; nocase; content:"%"; distance:0; pcre:"/^CSeq\x3A\s*[^\r\n%]*%/smi"; classtype:attempted-dos; 11991 VOIP-SIP CSeq header format string attempt www.ietf.org/rfc/rfc3261.txt attempted-dos udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Content-Type|3A|"; nocase; content:"%"; distance:0; pcre:"/^Content-Type\x3A\s*[^\r\n%]*%/smi"; classtype:attempted-dos; 11992 VOIP-SIP Content-Type header format string attempt www.ietf.org/rfc/rfc3261.txt attempted-dos udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Call-ID|3A|"; fast_pattern:only; pcre:"/^Call-ID\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/smi"; classtype:attempted-dos; 11993 VOIP-SIP Call-ID header invalid characters detected www.ietf.org/rfc/rfc3261.txt attempted-dos udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Contact|3A|"; fast_pattern:only; pcre:"/^Contact\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/smi"; classtype:attempted-dos; 11994 VOIP-SIP Contact header invalid characters detected www.ietf.org/rfc/rfc3261.txt attempted-dos udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Content-Type|3A|"; fast_pattern:only; pcre:"/^Content-Type[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/smi"; classtype:attempted-dos; 11995 VOIP-SIP Content-Type header invalid characters detected www.ietf.org/rfc/rfc3261.txt attempted-dos udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"CSeq|3A|"; fast_pattern:only; pcre:"/^CSeq\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/smi"; classtype:attempted-dos; 11996 VOIP-SIP CSeq header invalid characters detected www.ietf.org/rfc/rfc3261.txt attempted-dos udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/smi"; classtype:attempted-dos; 11997 VOIP-SIP From header invalid characters detected www.ietf.org/rfc/rfc3261.txt attempted-dos udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/smi"; classtype:attempted-dos; 11998 VOIP-SIP To header invalid characters detected www.ietf.org/rfc/rfc3261.txt attempted-dos udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Via|3A|"; fast_pattern:only; pcre:"/^Via\x3A[^\r\n]+[\x01-\x08\x0B\x0C\x0E-\x1F\x80-\xFF]/smi"; classtype:attempted-dos; 11999 VOIP-SIP Via header invalid characters detected www.ietf.org/rfc/rfc3261.txt attempted-dos udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"INVITE"; nocase; content:"sip"; distance:0; nocase; pcre:"/^INVITE\s+sip\x3A[^\r\n\x40]+\x40((192\.0\.[02]\.\d{1,3})|(127\.\d{1,3}\.\d{1,3}\.\d{1,3})|(128\.0\.\d{1,3}\.\d{1,3})|(191\.255\.\d{1,3}\.\d{1,3})|(223\.255\.255\.\d{1,3})|(2(2[4-9]|[34][0-9]|5[0-5])\.\d{1,3}\.\d{1,3}\.\d{1,3}))/smi"; classtype:attempted-dos; 12000 VOIP-SIP INVITE invalid IP address www.ietf.org/rfc/rfc3261.txt attempted-dos udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Content-Type|3A|"; nocase; content:"application/sdp"; distance:0; nocase; content:"v="; distance:0; nocase; pcre:"/^Content-Type\x3A\s+application\x2Fsdp/smi"; pcre:"/^v=(-|(\d{6,}|[7-9]\d{5,}|6[6-9]\d{3,}|65[6-9]\d{2,}|655[4-9]\d+|6553[6-9]))/smi"; classtype:attempted-dos; 12001 VOIP-SIP SDP version overflow attempt www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/ attempted-dos udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"BYE"; depth:3; nocase; content:"sip|3A|"; distance:0; nocase; content:"SIP/2.0"; distance:0; nocase; pcre:"/^BYE\s+sip\x3A[^\r\n\s]+\x40[^\r\n\s]+\s+SIP\x2F2\x2E0/smi"; classtype:attempted-dos; 12002 VOIP-SIP BYE flood www.ietf.org/rfc/rfc3261.txt attempted-dos udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"CANCEL"; depth:6; nocase; content:"sip|3A|"; distance:0; nocase; content:"SIP/2.0"; distance:0; nocase; pcre:"/^CANCEL\s+sip\x3A[^\r\n\s]+\x40[^\r\n\s]+\s+SIP\x2F2\x2E0/smi"; classtype:attempted-dos; 12003 VOIP-SIP CANCEL flood www.ietf.org/rfc/rfc3261.txt attempted-dos udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"INVITE"; depth:6; nocase; content:"sip|3A|"; distance:0; nocase; content:"SIP/2.0"; distance:0; nocase; content:"Content-Length|3A|"; distance:0; nocase; content:"0"; distance:0; pcre:"/^INVITE\s+sip\x3A[^\r\n\s]+\x40[^\r\n\s]+\s+SIP\x2F2\x2E0/smi"; pcre:"/^Content-Length\x3A\s+0[\r\n]/smi"; classtype:attempted-dos; 12004 VOIP-SIP INVITE message invalid Content-Length size of zero www.ietf.org/rfc/rfc3261.txt attempted-dos udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Content-Type|3A|"; nocase; content:"application/sdp"; distance:0; nocase; content:"c="; distance:0; nocase; pcre:"/^Content-Type\x3A\s+application\x2Fsdp/smi"; pcre:"/^c=([^I]|I[^N]|IN[^\s]|IN\s+[^I]|IN\s+I[^P]|IN\s+IP[^46])/smi"; classtype:attempted-dos; 12005 VOIP-SIP invalid SDP connection value www.ietf.org/rfc/rfc4566.txt protocol-command-decode udp $HOME_NET 5060 -> $EXTERNAL_NET any content:"INVITE"; depth:6; nocase; content:"SIP/2.0"; distance:0; nocase; pcre:"/^INVITE\s+(sips?|tel|https?)\x3A[\w-'"]+\x40[\w-'"\x2E]+\s+/smi"; classtype:protocol-command-decode; 12006 VOIP-SIP outbound INVITE message www.ietf.org/rfc/rfc3261.txt protocol-command-decode udp $HOME_NET 5060 -> $EXTERNAL_NET any content:"SIP/2.0 401 Unauthorized"; depth:24; nocase; classtype:protocol-command-decode; 12007 VOIP-SIP outbound 401 Unauthorized message www.ietf.org/rfc/rfc3261.txt 162 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/search.vts"; http_uri; metadata:service http; classtype:attempted-recon; 1202 WEB-MISC search.vts access 5902 attempted-dos 2002-0386 tcp $EXTERNAL_NET any -> $HOME_NET 4000 flow:to_server,established; content:"Transfer-Encoding|3A|"; nocase; pcre:"/Transfer-Encoding\x3a\s*chunked.*\n\r?\n/smi"; pcre:!"/\n\r?\n[0-9a-f]/smi"; classtype:attempted-dos; 12044 ORACLE Oracle Web Cache denial of service attempt www.cgisecurity.com/archive/database/oracle-9iAS-web-cache-dos.txt 5902 attempted-dos 2002-0386 tcp $EXTERNAL_NET any -> $HOME_NET 4000 flow:to_server,established; content:"GET"; nocase; content:".."; pcre:"/GET[^\n]*\.\.[\/\\]/smi"; classtype:attempted-dos; 12045 ORACLE Oracle Web Cache denial of service attempt www.cgisecurity.com/archive/database/oracle-9iAS-web-cache-dos.txt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ad.asmx"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"yayad.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*yayad\x2Ecom/smiH"; classtype:misc-activity; 12047 SPYWARE-PUT Adware yayad runtime detection www.360safe.com/elist.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"ComputerKeylogger.com"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*ComputerKeylogger\x2Ecom/smi"; classtype:successful-recon-limited; 12048 SPYWARE-PUT Keylogger computer Keylogger runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453098303 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"A-Spy"; distance:0; nocase; content:"Server"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*A-Spy[^\r\n]*Server/smi"; classtype:successful-recon-limited; 12049 SPYWARE-PUT Keylogger apophis spy 1.0 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453072636 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/toolbar/ezg_serverside.xml"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.ez-greets.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eez-greets\x2Ecom/smiH"; classtype:misc-activity; 12050 SPYWARE-PUT Hijacker ez-greets toolbar runtime detection research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Greets%20Toolbar&threatid=47475 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"|01 00 00 02|WordUP"; depth:10; nocase; classtype:trojan-activity; 12051 BACKDOOR ultimate rat 2.1 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453060550 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"000The[X]Server"; depth:15; nocase; classtype:trojan-activity; 12052 BACKDOOR the[x] 1.2 runtime detection - execute command www3.ca.com/securityadvisor/pest/pest.aspx?id=453074872 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; content:"_Get_Sys_Info_"; depth:14; nocase; classtype:trojan-activity; 12053 BACKDOOR trail of destruction 2.0 runtime detection - get system info www3.ca.com/securityadvisor/pest/pest.aspx?id=453076564 trojan-activity tcp $HOME_NET 58008 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Tron_Initconnection; content:"<THETIMEIS>"; depth:11; nocase; classtype:trojan-activity; 12055 BACKDOOR tron runtime detection - init connection www.megasecurity.org/trojans/t/tron/Tron.html 24359 attempted-dos 2007-2297 udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"SIP/2.0"; nocase; content:"0"; distance:0; nocase; pcre:"/^SIP\/2\.0\s+0\s*$/smi"; classtype:attempted-dos; 12061 SIP request line equal To zero www.ietf.org/rfc/rfc3261.txt web-application-activity 2000-0832 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/htgrep"; http_uri; metadata:service http; classtype:web-application-activity; 1207 WEB-MISC htgrep access 10495 23093 attempted-admin 2007-1594 udp $EXTERNAL_NET 5060 -> $HOME_NET any content:"SIP/2.0 "; depth:8; nocase; pcre:"/^SIP\/2\.0\s+(?!\d{3})/smi"; classtype:attempted-admin; 12072 VOIP-SIP response code not three digits protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"SIP/2.0 100 Trying"; depth:18; nocase; classtype:protocol-command-decode; 12073 VOIP-SIP inbound 100 Trying message www.ietf.org/rfc/rfc3261.txt protocol-command-decode udp $EXTERNAL_NET 5060 -> $HOME_NET any content:"SIP/2.0 100 Trying"; depth:18; nocase; classtype:protocol-command-decode; 12074 VOIP-SIP outbound 100 Trying message www.ietf.org/rfc/rfc3261.txt 22342 attempted-admin 2007-0449 tcp $EXTERNAL_NET any -> $HOME_NET 1900 flow:to_server,established; byte_test:10,>,284,0,big,dec,string; pcre:!"/(\x7e\x7e){284}/"; isdataat:294; classtype:attempted-admin; 12079 EXPLOIT CA BrightStor LGServer Stack buffer overflow 12967 attempted-admin 2005-1009 tcp $EXTERNAL_NET any -> $HOME_NET 20031 flow:to_server,established; byte_test:4,>,1000,0,little; isdataat:1000; classtype:attempted-admin; 12081 EXPLOIT BakBone NetVault heap overflow attempt 4391 attempted-dos 2002-0509 tcp $EXTERNAL_NET any -> $HOME_NET 1521 flow:to_server,established; content:"|00|"; depth:1; dsize:1; classtype:attempted-dos; 12082 ORACLE Oracle 9i TNS denial of service attempt misc-activity 1999-0660 tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 flow:to_server,established; content:"FC "; classtype:misc-activity; 121 BACKDOOR Infector 1.6 Client to Server Connection Request 11157 network-scan udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"From|3A|"; nocase; content:"sivus_voip_scanner"; distance:0; nocase; pcre:"/^From\x3A\s*sivus_voip_scanner/smi"; classtype:network-scan; 12112 VOIP-SIP Sivus scanner detected www.vopsecurity.org/ misc-activity udp $EXTERNAL_NET any -> $HOME_NET 5060 content:" sip|3A|"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n\x40]{256}/smi"; classtype:misc-activity; 12113 VOIP-SIP SIP URI overflow attempt www.ietf.org/rfc/rfc3261.txt attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/admin_files"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1212 WEB-MISC Admin_files access misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/NewVerInfo.txt"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"down.pprich.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*down\x2Epprich\x2Ecom/smiH"; classtype:misc-activity; 12120 SPYWARE-PUT Adware pprich runtime detection - version check www3.ca.com/securityadvisor/pest/pest.aspx?id=453100047 misc-activity udp $HOME_NET 6600 -> $EXTERNAL_NET 30000 flow:to_server; content:"adf`%|24|%^pk*|94|"; depth:12; offset:8; classtype:misc-activity; 12121 SPYWARE-PUT Adware pprich runtime detection - udp info sent out www3.ca.com/securityadvisor/pest/pest.aspx?id=453100047 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Spynova"; nocase; http_header; content:"Toolbar"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Spynova[^\r\n]*Toolbar/smiH"; classtype:successful-recon-limited; 12122 SPYWARE-PUT Trackware spynova runtime detection www.symantec.com/en/aa/enterprise/security_response/writeup.jsp?docid=2007-041614-3222-99 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.php?keywords="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.lookquick.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Elookquick\x2Ecom/smiH"; classtype:misc-activity; 12123 SPYWARE-PUT Hijacker lookquick runtime detection - hijack ie www3.ca.com/securityadvisor/pest/pest.aspx?id=453079050 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/r.look?plq="; fast_pattern; nocase; http_uri; classtype:misc-activity; 12124 SPYWARE-PUT Hijacker lookquick runtime detection - monitor and collect user info www3.ca.com/securityadvisor/pest/pest.aspx?id=453079050 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/web/search.php"; nocase; content:"keywords="; distance:0; nocase; content:"username="; distance:0; nocase; content:"Host|3A|"; nocase; http_header; content:"www.lookster.net"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Elookster\x2Enet/smiH"; classtype:successful-recon-limited; 12125 SPYWARE-PUT Trackware lookster toolbar runtime detection - hijack ie search assistant www.pestpatrol.com/spywarecenter/pest.aspx?id=453105797 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/toolbar/googlerank/get_googlerank.php"; fast_pattern; nocase; http_uri; content:"URL="; nocase; http_uri; content:"act="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Toolbar/smiH"; classtype:successful-recon-limited; 12126 SPYWARE-PUT Trackware lookster toolbar runtime detection - collect user information www.pestpatrol.com/spywarecenter/pest.aspx?id=453105797 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/pagead/ads?"; nocase; http_uri; content:"client="; nocase; http_uri; content:"dt="; nocase; http_uri; content:"lmt="; nocase; http_uri; content:"format="; nocase; http_uri; content:"output="; nocase; http_uri; content:"correlator="; nocase; http_uri; content:"url=http"; nocase; http_uri; content:"www.lookster.net"; fast_pattern; nocase; http_uri; classtype:successful-recon-limited; 12127 SPYWARE-PUT Trackware lookster toolbar runtime detection - ads www.pestpatrol.com/spywarecenter/pest.aspx?id=453105797 successful-recon-limited tcp $HOME_NET 456 -> $EXTERNAL_NET any flow:to_client,established; content:"WNDkServer"; depth:10; classtype:successful-recon-limited; 12128 SPYWARE-PUT Keylogger remotekeylog.b runtime detection - init connection www.downloadtopc.com/spywareadware/993/3560/Win32RemoteKeyLogb.html successful-recon-limited tcp $HOME_NET 456 -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,RemoteKeyLog.b.Info_detection; content:"Product Name"; depth:12; classtype:successful-recon-limited; 12130 SPYWARE-PUT Keylogger remotekeylog.b runtime detection - get sys info www.downloadtopc.com/spywareadware/993/3560/Win32RemoteKeyLogb.html successful-recon-limited tcp $HOME_NET 456 -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,RemoteKeyLog.b.Keylogging_detection; content:"KEY"; depth:3; classtype:successful-recon-limited; 12132 SPYWARE-PUT Keylogger remotekeylog.b runtime detection - keylogging www.downloadtopc.com/spywareadware/993/3560/Win32RemoteKeyLogb.html successful-recon-limited tcp $HOME_NET 456 -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,RemoteKeyLog.b.Url_detection; content:"WND"; depth:3; classtype:successful-recon-limited; 12134 SPYWARE-PUT Keylogger remotekeylog.b runtime detection - open url www.downloadtopc.com/spywareadware/993/3560/Win32RemoteKeyLogb.html successful-recon-limited tcp $HOME_NET 456 -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,RemoteKeyLog.b.Fun_detection; content:"WND"; depth:3; classtype:successful-recon-limited; 12136 SPYWARE-PUT Keylogger remotekeylog.b runtime detection - fun www.downloadtopc.com/spywareadware/993/3560/Win32RemoteKeyLogb.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"<TIT=|0D 0A|LE>|0D 0A|King log|0D 0A|</TITLE>|0D 0A|"; fast_pattern:only; classtype:successful-recon-limited; 12137 SPYWARE-PUT Keylogger Keylogger king home 2.3 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453097591 misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"Set-Cookie|3A|"; nocase; http_header; content:"LastURL=http|3A|//www.680180.net|3A|80/ads/"; nocase; http_header; pcre:"/^Set-Cookie\x3a[^\r\n]*LastURL\x3dhttp\x3a\x2f\x2fwww\x2e680180\x2enet\x3a80\x2fads\x2f/smiH"; classtype:misc-activity; 12138 SPYWARE-PUT Adware zamingo runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453088136 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A| Email Reports from Stealth Website Logger"; fast_pattern:only; classtype:successful-recon-limited; 12139 SPYWARE-PUT Trackware stealth website logger 3.4 runtime detection www.programurl.com/stealth-website-logger.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cn.dll?"; fast_pattern; nocase; http_uri; content:"pid="; nocase; http_uri; content:"met="; nocase; http_uri; content:"charset="; nocase; http_uri; content:"name="; nocase; http_uri; classtype:misc-activity; 12140 SPYWARE-PUT Hijacker cnnic update runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453097703 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A| Logger Results"; nocase; content:"|0D 0A 0D 0A|<|7C|"; distance:0; content:"|7C|>|0D 0A 0D 0A|"; distance:0; classtype:successful-recon-limited; 12141 SPYWARE-PUT Keylogger logit v1.0 runtime detection www.trojanfrance.com/index.php?dir=KeyLoggers/ trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,AccessRemotePC_detection; content:"|99 F3 00 00 00 00 00 00 FF FF FF FF|"; depth:12; classtype:trojan-activity; 12143 BACKDOOR access remote pc runtime detection - init connection research.sunbelt-software.com/threatdisplay.aspx?name=Access%20Remote%20PC&threatid=29373 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,BlueEye1.0b_detection; dsize:3; content:"SUC"; classtype:trojan-activity; 12147 BACKDOOR blue eye 1.0b runtime detection - init connection www.spywareguide.com/spydet_816_blue_eye_1_0b.html trojan-activity tcp $HOME_NET 54320 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,BackOrifice2006_1.1.5_detection; content:"|00 00 00|"; depth:3; content:"|CD C3 13|7|04|"; within:5; distance:1; classtype:trojan-activity; 12149 BACKDOOR back orifice 2006 - v1.1.5 runtime detection - init connection www.spywareguide.com/product_show.php?id=1945 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,CAFEiNi_detection; content:"INIPACK"; depth:7; nocase; classtype:trojan-activity; 12151 BACKDOOR cafeini 1.0 runtime detection www.spywareguide.com/spydet_904_cafeini.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"001|AC|Optix"; depth:9; nocase; content:"Pro"; distance:0; nocase; content:"v1.32"; distance:0; nocase; content:"Connected"; distance:0; nocase; content:"Successfully!|0D 0A|"; distance:0; nocase; classtype:trojan-activity; 12152 BACKDOOR optix pro v1.32 runtime detection - init connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453076768 trojan-activity tcp $HOME_NET 500 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,OptixPROv1.32Download_detection2; content:"+OK RCVD|0D 0A|"; depth:10; classtype:trojan-activity; 12155 BACKDOOR optix pro v1.32 runtime detection - download file www3.ca.com/securityadvisor/pest/pest.aspx?id=453076768 trojan-activity tcp $HOME_NET 501 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,OptixPROv1.32Upload_detection2; content:"FileSizeIs|AC|"; depth:11; classtype:trojan-activity; 12158 BACKDOOR optix pro v1.32 runtime detection - upload file www3.ca.com/securityadvisor/pest/pest.aspx?id=453076768 trojan-activity tcp $HOME_NET 502 -> $EXTERNAL_NET any flow:from_server,established; content:"inc|AC|"; depth:4; classtype:trojan-activity; 12159 BACKDOOR optix pro v1.32 runtime detection - keylogging www3.ca.com/securityadvisor/pest/pest.aspx?id=453076768 attempted-recon 1999-1155 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/filemail"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1216 WEB-MISC filemail access www.securityfocus.com/archive/1/11175 trojan-activity tcp $HOME_NET 503 -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,OptixPROv1.32Screencapture_detection2; content:"SizeIs|AC|"; depth:11; classtype:trojan-activity; 12162 BACKDOOR optix pro v1.32 runtime detection - screen capturing www3.ca.com/securityadvisor/pest/pest.aspx?id=453076768 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET 1357 flow:to_server,established; flowbits:isset,CobraUploader1.0_detection; content:"filebhejdai|7C|"; depth:12; classtype:trojan-activity; 12164 BACKDOOR cobra uploader 1.0 runtime detection www.megasecurity.org/trojans/b/blackcobra/Blackcobra_uploader1.0.html misc-activity udp $EXTERNAL_NET any -> $HOME_NET 5060 content:" sip|3A|"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n\x40]+\x40{2}/smi"; classtype:misc-activity; 12167 VOIP-SIP multiple at signs in SIP URI www.ietf.org/rfc/rfc3261.txt 2653 attempted-recon 2000-0074 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/plusmail"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1217 WEB-MISC plusmail access 10181 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"SIP/2.0 408 Request Timeout"; depth:27; nocase; classtype:protocol-command-decode; 12170 VOIP-SIP inbound 408 Request Timeout message www.ietf.org/rfc/rfc3261.txt protocol-command-decode udp $EXTERNAL_NET 5060 -> $HOME_NET any content:"SIP/2.0 408 Request Timeout"; depth:27; nocase; classtype:protocol-command-decode; 12171 VOIP-SIP outbound 408 Request Timeout message www.ietf.org/rfc/rfc3261.txt protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"SIP/2.0 501 Not Implemented"; depth:27; nocase; classtype:protocol-command-decode; 12172 VOIP-SIP inbound 501 Not Implemented message www.ietf.org/rfc/rfc3261.txt protocol-command-decode udp $EXTERNAL_NET 5060 -> $HOME_NET any content:"SIP/2.0 501 Not Implemented"; depth:27; nocase; classtype:protocol-command-decode; 12173 VOIP-SIP outbound 501 Not Implemented message www.ietf.org/rfc/rfc3261.txt protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"SIP/2.0 604 Does Not Exist Anywhere"; depth:35; nocase; classtype:protocol-command-decode; 12174 VOIP-SIP inbound 604 Does Not Exist Anywhere message www.ietf.org/rfc/rfc3261.txt protocol-command-decode udp $EXTERNAL_NET 5060 -> $HOME_NET any content:"SIP/2.0 604 Does Not Exist Anywhere"; depth:35; nocase; classtype:protocol-command-decode; 12175 VOIP-SIP outbound 604 Does Not Exist Anywhere message www.ietf.org/rfc/rfc3261.txt protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"SIP/2.0 415 Unsupported Media Type"; depth:34; nocase; classtype:protocol-command-decode; 12176 VOIP-SIP inbound 415 Unsupported Media Type message www.ietf.org/rfc/rfc3261.txt protocol-command-decode udp $EXTERNAL_NET 5060 -> $HOME_NET any content:"SIP/2.0 415 Unsupported Media Type"; depth:34; nocase; classtype:protocol-command-decode; 12177 VOIP-SIP outbound 415 Unsupported Media Type message www.ietf.org/rfc/rfc3261.txt protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"SIP/2.0 481 Call/Leg Transaction Does Not Exist"; depth:47; nocase; classtype:protocol-command-decode; 12178 VOIP-SIP inbound 481 Call/Leg Transaction Does Not Exist www.ietf.org/rfc/rfc3261.txt protocol-command-decode udp $EXTERNAL_NET 5060 -> $HOME_NET any content:"SIP/2.0 481 Call/Leg Transaction Does Not Exist"; depth:47; nocase; classtype:protocol-command-decode; 12179 VOIP-SIP outbound 481 Call/Leg Transaction Does Not Exist www.ietf.org/rfc/rfc3261.txt protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"SIP/2.0 404 Not Found"; depth:21; nocase; classtype:protocol-command-decode; 12180 VOIP-SIP inbound 404 Not Found www.ietf.org/rfc/rfc3261.txt protocol-command-decode udp $EXTERNAL_NET 5060 -> $HOME_NET any content:"SIP/2.0 404 Not Found"; depth:21; nocase; classtype:protocol-command-decode; 12181 VOIP-SIP outbound 404 Not Found www.ietf.org/rfc/rfc3261.txt 25051 attempted-admin 2007-0060 tcp $EXTERNAL_NET any -> $HOME_NET 3104 flow:established,to_server; pcre:"/^[^\d]|\d[^\d]/sm"; classtype:attempted-admin; 12197 EXPLOIT CA message queuing server buffer overflow attempt supportconnectw.ca.com/public/dto_transport/infodocs/camsgguevul-secnot.asp attempted-admin 2006-5583 udp $EXTERNAL_NET any -> $HOME_NET 161 flow:to_server; content:"0"; depth:1; byte_test:1,!&,128,0,relative; content:"|02 01 01 04|"; within:4; distance:1; byte_test:1,!&,128,0,relative; byte_jump:1,0, relative; content:"|A5|"; within:1; metadata:service snmp; classtype:attempted-admin; 12198 SNMP MS Windows getbulk request 16100 attempted-dos 2005-2342 tcp $EXTERNAL_NET any -> $HOME_NET 3101 flow:to_server,established; content:"S|FF FF FF|"; classtype:attempted-dos; 12199 DOS RIM BlackBerry SRP negative string size 1175 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ultraboard"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1220 WEB-MISC ultraboard access 11748 attempted-admin 2007-3334 tcp $EXTERNAL_NET any -> $HOME_NET 21064 flow:to_server,established; isdataat:1169; byte_test:2,>,1168,0,little; classtype:attempted-admin; 12202 SPECIFIC-THREATS Ingres long message heap buffer overflow attempt 25048 attempted-admin 2007-3566 tcp $EXTERNAL_NET any -> $HOME_NET 3050 flow:established,to_server; content:"|00 00 00 14|"; depth:4; isdataat:1032; content:!"|00|"; within:1024; distance:8; classtype:attempted-admin; 12216 EXPLOIT Borland interbase Create Request opcode string length buffer overflow attempt 25048 attempted-admin 2007-3566 tcp $EXTERNAL_NET any -> $HOME_NET 3050 flow:established,to_server; content:"|00 00 00 13|"; depth:4; isdataat:1032; content:!"|00|"; within:1024; distance:8; classtype:attempted-admin; 12217 EXPLOIT Borland interbase string length buffer overflow attempt 25048 attempted-admin 2007-3566 tcp $EXTERNAL_NET any -> $HOME_NET 3050 flow:established,to_server; content:"|00 00 00|R"; depth:4; isdataat:1032; content:!"|00|"; within:1024; distance:8; classtype:attempted-admin; 12218 EXPLOIT Borland interbase string length buffer overflow attempt 19264 attempted-admin 2006-3854 tcp $EXTERNAL_NET any -> $HOME_NET [1526,1625] flow:to_server,established; content:"sqlexec "; depth:20; content:!" "; within:127; classtype:attempted-admin; 12220 EXPLOIT IBM Informix Dynamic Server long username 12432 attempted-user 2005-0211 udp $EXTERNAL_NET any -> $HOME_NET 2048 flow:to_server; dsize:>1428; classtype:attempted-user; 12222 EXPLOIT Squid proxy long WCCP packet misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/mbop/index.php3?"; nocase; content:"UID="; distance:0; nocase; content:"DIST="; distance:0; nocase; content:"VER="; distance:0; nocase; content:"Host|3A| www.digink.com"; fast_pattern:only; classtype:misc-activity; 12224 SPYWARE-PUT Adware enbrowser snackman runtime detection www.spywareguide.com/spydet_2334_enbrowser.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"/smartoffers/SmartOffers.aspx"; fast_pattern; nocase; http_uri; content:"HBHintSVC="; nocase; http_uri; content:"SG="; nocase; http_uri; content:"COUNTRY="; nocase; http_uri; content:"Version="; nocase; http_uri; content:"partner=zango"; nocase; http_uri; classtype:misc-activity; 12225 SPYWARE-PUT Adware zango2007 toolbar runtime detection www.spywareguide.com/spydet_2298_zango_toolbar.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A| OverSpy Surveillance Data"; fast_pattern:only; classtype:successful-recon-limited; 12226 SPYWARE-PUT Keylogger overspy runtime detection www.symantec.com/security_response/writeup.jsp?docid=2006-021412-4303-99 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.php"; nocase; http_uri; content:"source=ultrasearch136"; fast_pattern; nocase; http_uri; content:"campaign=snap"; nocase; http_uri; classtype:successful-recon-limited; 12227 SPYWARE-PUT Trackware snap ultrasearch/desktop toolbar runtime detection - search www3.ca.com/securityadvisor/pest/pest.aspx?id=453094831 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"Cookie|3A|"; nocase; http_header; content:"source%3Dultrasearch136%26campaign%3Dsnap"; nocase; http_header; pcre:"/^Cookie\x3a[^\r\n]*source%3Dultrasearch136%26campaign%3Dsnap/smiH"; classtype:successful-recon-limited; 12228 SPYWARE-PUT Trackware snap ultrasearch/desktop toolbar runtime detection - cookie www3.ca.com/securityadvisor/pest/pest.aspx?id=453094831 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/v30/pop.fcgi"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"Host|3A| gpstool.globaladserver.com"; fast_pattern:only; classtype:misc-activity; 12229 SPYWARE-PUT Adware vroomsearch runtime detection www.spywareguide.com/spydet_1274_vroomsearch.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/wwp/msg/1,,,00.html?"; fast_pattern; nocase; http_uri; content:"Uin="; nocase; http_uri; content:"Name="; nocase; http_uri; content:"Send=yes"; nocase; http_uri; pcre:"/Uin=\d+\x26Name=.*?IP-.*?USER-.*?TROJAN-.*?PORT-.*?PASSWORD-.*?OS-.*?WEBCAM-/smi"; classtype:misc-activity; 12230 SPYWARE-PUT Hacker-Tool hippynotify 2.0 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453078296 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/v30/pop.fcgi"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"gpstool.globaladserver.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*gpstool\x2eglobaladserver\x2ecom/smiH"; classtype:misc-activity; 12231 SPYWARE-PUT Adware vroomsearch runtime detection www.spywareguide.com/spydet_1274_vroomsearch.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/pages/scanner/order.php"; fast_pattern; nocase; http_uri; content:"v="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"affid="; nocase; http_uri; content:"nid="; nocase; http_uri; content:"err="; nocase; http_uri; classtype:misc-activity; 12232 SPYWARE-PUT Adware errorsafe runtime detection www.symantec.com/security_response/writeup.jsp?docid=2006-012017-0346-99 trojan-activity tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any flow:from_server,established; content:"Web Center|3A|"; nocase; http_header; content:"Nom de l ordinateur|3A|"; nocase; http_header; classtype:trojan-activity; 12239 BACKDOOR webcenter v1.0 Backdoor - init connection www.megasecurity.org/trojans/w/webcenter/Webcenter1.0.html 2371 attempted-recon 2001-0215 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ROADS/cgi-bin/search.pl"; http_uri; content:"form="; nocase; metadata:service http; classtype:attempted-recon; 1224 WEB-MISC ROADS search.pl attempt 10627 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,Genie1.7_detection; content:"|1B|[2J|0D 0A| "; depth:7; content:"Genie"; distance:0; nocase; content:"v1.7"; distance:0; nocase; classtype:trojan-activity; 12241 BACKDOOR genie 1.7 runtime detection - init connection www.megasecurity.org/trojans/g/genie/Genie1.7.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_client,established; flowbits:isset,HotmailHackerLogEdition5.0_detection; content:"|C0|STATUS|C0|Server"; depth:14; nocase; content:"Keylogging"; distance:0; nocase; content:"Started!"; distance:0; nocase; pcre:"/^\xc0STATUS\xc0Server\s\x3A\sKeylogging\sStarted\!$/smi"; classtype:trojan-activity; 12243 BACKDOOR hotmail hacker log edition 5.0 runtime detection - init connection www.spywareguide.com/spydet_935_hotmail_hacker_x_edition.html trojan-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|0D 0A|<title>ItAdEm Trojan Server</title>|0D 0A|"; nocase; classtype:trojan-activity; 12244 BACKDOOR itadem trojan 3.0 runtime detection www.megasecurity.org/trojans/i/itadem/Itadem3.0.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; content:"|03 00 1C 00 00 00 00 00 01|Furax"; depth:14; nocase; content:"1.0b3"; distance:0; nocase; content:"Server|00|"; distance:0; nocase; pcre:"/^\x03\x00\x1c\x00\x00\x00\x00\x00\x01Furax\s+1\x2E0b3\s+Server\x00/smi"; classtype:trojan-activity; 12245 BACKDOOR furax 1.0 b3 runtime detection www.megasecurity.org/trojans/f/furax/Furax1.0b3.html 25310 attempted-user 2007-1749 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"imagedata"; nocase; pcre:"/<(?P<t>[A-Z]+\x3A)\s*[^>]+>.*<[A-Z]+\x3A\s*imagedata\s+[^>]*src\s*=\s*(?P<q>\x22|\x27|)[\w\x25\x2D\x2E]+(?P=q)[^>]*>.*?<\x2F/smi"; classtype:attempted-user; 12280 WEB-CLIENT VML source file memory corruption www.microsoft.com/technet/security/Bulletin/MS07-050.mspx 25310 attempted-user 2007-1749 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"stroke"; nocase; pcre:"/<(?P<t>[A-Z]+\x3A)\s*[^>]+>.*<[A-Z]+\x3A\s*stroke\s+[^>]*src\s*=\s*(?P<q>\x22|\x27|)[\w\x25\x2D\x2E]+(?P=q)[^>]*>.*?<\x2F/smi"; classtype:attempted-user; 12281 WEB-CLIENT VML source file memory corruption www.microsoft.com/technet/security/Bulletin/MS07-050.mspx 25310 attempted-user 2007-1749 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"vmlframe"; nocase; pcre:"/<(?P<t>[A-Z]+\x3A)\s*[^>]+>.*<[A-Z]+\x3A\s*vmlframe\s+[^>]*src\s*=\s*(?P<q>\x22|\x27|)[\w\x25\x2D\x2E]+(?P=q)[^>]*>.*?<\x2F/smi"; classtype:attempted-user; 12282 WEB-CLIENT VML source file memory corruption www.microsoft.com/technet/security/Bulletin/MS07-050.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ebrss.aspx?"; nocase; http_uri; content:"eb_ct_id="; nocase; http_uri; content:"eb_rss_index="; fast_pattern; nocase; http_uri; content:"eb_preview="; nocase; http_uri; content:"eb_color="; nocase; http_uri; content:"eb_forecolor="; nocase; http_uri; content:"eb_speed="; nocase; http_uri; content:"eb_random="; nocase; http_uri; classtype:misc-activity; 12287 SPYWARE-PUT Hijacker scn toolbar runtime detection - ebrss request www.spywareguide.com/spydet_1830_scn_toolbar.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ResultsExt.aspx?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"ctid="; nocase; http_uri; content:"SearchSource="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"search.conduit.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*search\x2econduit\x2ecom/smiH"; classtype:misc-activity; 12288 SPYWARE-PUT Hijacker scn toolbar runtime detection - hijack ie searches www.spywareguide.com/spydet_1830_scn_toolbar.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/update/update.xml"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"scn.mystoretoolbar.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*scn\x2emystoretoolbar\x2ecom/smiH"; classtype:misc-activity; 12289 SPYWARE-PUT Hijacker scn toolbar runtime detection - get updates www.spywareguide.com/spydet_1830_scn_toolbar.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/apps/eps/eps.cgi?"; fast_pattern; nocase; http_uri; content:"cid="; nocase; http_uri; content:"dp_lp="; nocase; http_uri; content:"dp_p4pid="; nocase; http_uri; content:"dp_format="; nocase; http_uri; content:"s="; nocase; http_uri; content:"nnreq="; nocase; http_uri; content:"prt="; nocase; http_uri; classtype:misc-activity; 12290 SPYWARE-PUT Hijacker newdotnet quick! search runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453090680 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/data?"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"ver=visicom-vmntoolbar"; fast_pattern; nocase; http_uri; content:"uid="; nocase; http_uri; content:"url="; nocase; http_uri; classtype:successful-recon-limited; 12291 SPYWARE-PUT Trackware vmn toolbar runtime detection www.download.com/3000-12777_4-10693292.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/jsp/AJmain.jsp?"; fast_pattern; nocase; http_uri; content:"st="; nocase; http_uri; content:"ptnrs="; nocase; http_uri; content:"PG="; nocase; http_uri; content:"SEC="; nocase; http_uri; content:"searchfor="; nocase; http_uri; pcre:"/st=(kwd|dns)/Ui"; classtype:misc-activity; 12292 SPYWARE-PUT Hijacker morpheus toolbar runtime detection - hijack/search www.sophos.com/security/analyses/morpheustoolbar.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/counter.php?"; nocase; http_uri; content:"tbid="; nocase; http_uri; content:"do="; nocase; http_uri; content:"User-Agent|3A| Toolbar"; fast_pattern:only; classtype:misc-activity; 12294 SPYWARE-PUT Hijacker 3search runtime detection - counter www.softwarerevenue.org misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.php?q="; nocase; http_uri; content:"Host|3A| downloadfile.org"; fast_pattern:only; classtype:misc-activity; 12295 SPYWARE-PUT Hijacker 3search runtime detection - hijacking www.softwarerevenue.org misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/toolbar/cab/version.txt"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Toolbar/smiH"; classtype:misc-activity; 12296 SPYWARE-PUT Hijacker 3search runtime detection - update www.softwarerevenue.org trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; flowbits:isset,Bifrost_v1.2.1_detection; content:"|00 00 00 9B|O|B0|h|FE|j|9A 1C|"; depth:11; offset:1; classtype:trojan-activity; 12298 BACKDOOR bifrost v1.2.1 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453114444 2808 attempted-recon 2001-0432 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/catinfo"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1231 WEB-MISC VirusWall catinfo access 10650 2808 attempted-recon 2001-0432 tcp $EXTERNAL_NET any -> $HOME_NET 1812 flow:to_server,established; content:"/catinfo"; nocase; metadata:service http; classtype:attempted-recon; 1232 WEB-MISC VirusWall catinfo access 10650 25440 attempted-admin 2007-4561 tcp $EXTERNAL_NET any -> $HOME_NET 554 flow:to_server,established; content:"require|3A|"; nocase; content:"|0A|require|3A|"; distance:0; nocase; classtype:attempted-admin; 12358 EXPLOIT Helix DNA Server RTSP require tag heap overflow 20617 attempted-user 2006-5444 tcp $EXTERNAL_NET any -> $HOME_NET 2000 flow:established,to_server; dsize:>992; byte_test:4,>,992,0,little; classtype:attempted-user; 12359 VOIP-SIP Asterisk data length field overflow misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"grabv2.php"; fast_pattern; nocase; http_uri; classtype:misc-activity; 12361 SPYWARE-PUT Infostealer.Monstres runtime detection www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-081617-4608-99 10500 attempted-user 2004-0541 tcp $EXTERNAL_NET any -> $HOME_NET 3128 flow:established,to_server; content:"Proxy-Authorization|3A| NTLM TlRMTVNTUAADA"; http_header; content:!"AAAGAAYA"; http_header; classtype:attempted-user; 12362 EXPLOIT Squid HTTP Proxy-Authorization overflow misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/update.php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"d="; nocase; http_uri; content:"vs="; nocase; http_uri; content:"Host|3A| www.malware-stopper.com"; fast_pattern:only; classtype:misc-activity; 12363 SPYWARE-PUT Other-Technologies malware-stopper runtime detection www.spywareguide.com/spydet_3513_malware_stopper.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/toolbaradmin/simt32.shq"; fast_pattern; nocase; http_uri; classtype:misc-activity; 12364 SPYWARE-PUT Hijacker proventactics 3.5 runtime detection - get cfg information www.spywareguide.com/spydet_1826_proventactics.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search/index.php?"; nocase; http_uri; content:"query_string="; nocase; http_uri; content:"Host|3A| www.proventactics.com"; fast_pattern:only; classtype:misc-activity; 12365 SPYWARE-PUT Hijacker proventactics 3.5 runtime detection - redirect searches www.spywareguide.com/spydet_1826_proventactics.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.php?"; nocase; http_uri; content:"s="; nocase; http_uri; content:"Host|3A| www.proventactics.com"; fast_pattern:only; classtype:misc-activity; 12366 SPYWARE-PUT Hijacker proventactics 3.5 runtime detection - toolbar search function www.spywareguide.com/spydet_1826_proventactics.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/webResults.html?"; nocase; http_uri; content:"src="; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| search.imesh.com"; fast_pattern:only; classtype:misc-activity; 12367 SPYWARE-PUT Hijacker imesh mediabar runtime detection - hijack ie searches www.spywaredata.com/spyware/malware/mediabar.dll.php misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/sidebar.html?"; fast_pattern; nocase; http_uri; content:"src=ssb"; nocase; http_uri; classtype:misc-activity; 12368 SPYWARE-PUT Hijacker imesh mediabar runtime detection - hijack ie side search www.spywaredata.com/spyware/malware/mediabar.dll.php misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"__utm.gif?"; nocase; http_uri; content:"utmwv="; nocase; http_uri; content:"utmn="; nocase; http_uri; content:"utmcs="; nocase; http_uri; content:"utmsr="; nocase; http_uri; content:"utmhn=search.imesh.com"; fast_pattern; nocase; http_uri; content:"utmp="; nocase; http_uri; classtype:misc-activity; 12369 SPYWARE-PUT Hijacker imesh mediabar runtime detection - collect user information www.spywaredata.com/spyware/malware/mediabar.dll.php misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/autoupdate/version.txt"; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Toolbar/smiH"; classtype:misc-activity; 12370 SPYWARE-PUT Hijacker imesh mediabar runtime detection - auto update www.spywaredata.com/spyware/malware/mediabar.dll.php misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| SpamBlockerUtility 4.8.4"; fast_pattern:only; classtype:misc-activity; 12371 SPYWARE-PUT Hijacker sbu hotbar 4.8.4 runtime detection - user-agent string www.spywareguide.com/product_show.php?id=481 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"Mailer"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*Mailer/smi"; content:"+++ MG-Shadow 2.0"; fast_pattern:only; classtype:successful-recon-limited; 12372 SPYWARE-PUT Keylogger mg-shadow 2.0 runtime detection www.softpedia.com/progDownload/MGShadow-Download-44651.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Radmin3.0_conn_detection; content:"|01 00 00 00|%|00 00 02 12 08 02 00 00 0A 00 00|"; depth:16; classtype:trojan-activity; 12374 BACKDOOR radmin 3.0 runtime detection - initial connection www3.ca.com/securityadvisor/pest/pest.aspx?id=453096740 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Radmin3.0_login_detection; content:"|01 00 00 00 05 00 00 00|''|00 00 00 00|"; depth:14; classtype:trojan-activity; 12376 BACKDOOR radmin 3.0 runtime detection - login & remote control www3.ca.com/securityadvisor/pest/pest.aspx?id=453096740 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,sharK_2.3.2_detection; content:"F|15 1D|K|80|?|03 00 01 09|5"; depth:11; classtype:trojan-activity; 12378 BACKDOOR shark 2.3.2 runtime detection www.spywaredb.com/remove-shark-trojan/ 1252 attempted-admin 2000-0446 tcp $EXTERNAL_NET any -> $HOME_NET 2224 flow:to_server,established; content:"|01|1|DB CD 80 E8|[|FF FF FF|"; fast_pattern:only; classtype:attempted-admin; 1240 EXPLOIT MDBMS overflow 10422 2868 attempted-user 2001-0555 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/SWEditServlet"; http_uri; content:"template=../../../"; metadata:service http; classtype:attempted-user; 1241 WEB-MISC SWEditServlet directory traversal attempt 6454 attempted-user 2002-1643 tcp $EXTERNAL_NET any -> $HOME_NET 554 flow:to_server,established; content:"SETUP"; depth:5; nocase; content:"Transport|3A|"; nocase; isdataat:256,relative; content:!"|0A|"; within:256; metadata:service rtsp; classtype:attempted-user; 12421 EXPLOIT RealNetworks Helix RTSP long transport header 6454 attempted-user 2002-1643 tcp $EXTERNAL_NET any -> $HOME_NET 554 flow:established,to_server; content:"DESCRIBE"; depth:8; nocase; isdataat:200; content:!"|0A|"; depth:200; classtype:attempted-user; 12422 EXPLOIT RealNetworks Helix RTSP long describe request exploit attempt misc-activity 2007-3040 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"HTTP"; depth:4; content:"|0D 0A 0D 0A C4 AB CD AB|"; within:768; classtype:misc-activity; 12454 MISC asf file download www.microsoft.com/technet/security/bulletin/ms07-051.mspx 21261 attempted-user 2006-6133 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|FE FF|"; content:"|E0 85 9F F2 F9|Oh|10 AB 91 08 00|+'|B3 D9|"; within:16; distance:26; content:!"|01 00 00 00|"; within:4; distance:-20; classtype:attempted-user; 12463 EXPLOIT Crystal Reports RPT file handling buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS07-052.mspx 9382 attempted-admin 2004-0045 tcp $EXTERNAL_NET any -> $HOME_NET 119 flow:to_server,established; content:"cancel"; fast_pattern:only; pcre:"/^cancel\x3a[^\n]{32}/smi"; metadata:service nntp; classtype:attempted-admin; 12464 NNTP cancel overflow attempt 11984 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/code/engine.cgi?"; nocase; http_uri; content:"toolbar_id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"User-Agent|3A| Toolbar"; fast_pattern:only; classtype:misc-activity; 12481 SPYWARE-PUT Hijacker 411web toolbar runtime detection www.onetwo.ca/spyware.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| ZOMBIES_HTTP_GET"; fast_pattern:only; classtype:misc-activity; 12482 SPYWARE-PUT Trickler pseudorat 0.1b runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453079890 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/buy_online.php?"; nocase; http_uri; content:"aff="; nocase; http_uri; content:"Host|3A| www.virusprotectpro.com"; fast_pattern:only; classtype:misc-activity; 12483 SPYWARE-PUT Other-Technologies virusprotectpro 3.7 runtime detection www.xp-vista.com/spyware-removal/virusprotectpro-removal-instructions misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/members.php?"; fast_pattern; nocase; http_uri; content:"username="; nocase; http_uri; content:"auth="; nocase; http_uri; content:"page="; nocase; http_uri; pcre:"/page=(messages|community)/Ui"; classtype:misc-activity; 12484 SPYWARE-PUT Adware instant buzz runtime detection - ads for members www.spywareremove.com/removeInstantBuzz.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/click.php?"; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A| www2.instantbuzz.com"; fast_pattern:only; classtype:misc-activity; 12485 SPYWARE-PUT Adware instant buzz runtime detection - random text ads www.spywareremove.com/removeInstantBuzz.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A| TencentTraveler"; fast_pattern:only; classtype:misc-activity; 12486 SPYWARE-PUT Hijacker soso toolbar runtime detection - get weather information www.xblock.com/product_show.php?id=3333 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/q?"; http_uri; content:"w="; nocase; http_uri; content:"sc="; nocase; http_uri; content:"cin="; fast_pattern; nocase; http_uri; content:"cid="; nocase; http_uri; pcre:"/cid=tb\x2e(addr|sb)/Ui"; classtype:misc-activity; 12487 SPYWARE-PUT Hijacker soso toolbar runtime detection - hijack ie auto searches / soso toolbar searches requests www.xblock.com/product_show.php?id=3333 2010 attempted-dos 1999-0153 tcp $EXTERNAL_NET any -> $HOME_NET 135:139 flow:stateless; flags:U+; classtype:attempted-dos; 1257 DOS Winnuke attack 2845 misc-activity 2001-0552 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp&Host=&Oid="; nocase; http_uri; metadata:service http; classtype:misc-activity; 1258 WEB-MISC HP OpenView Manager DOS 2868 attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/SWEditServlet"; http_uri; metadata:service http; classtype:attempted-recon; 1259 WEB-MISC SWEditServlet access 5678 attempted-dos 2002-1118 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:established,to_server; content:"COMMAND=SERVICE_CURLOAD"; fast_pattern:only; classtype:attempted-dos; 12594 DOS Oracle TNS Service_CurLoad command 24348 attempted-admin 2007-5003 tcp $EXTERNAL_NET any -> $HOME_NET 1900 flow:established,to_server; content:"rxrLogin"; nocase; isdataat:281,relative; content:!"~~"; within:279; distance:2; classtype:attempted-admin; 12596 EXPLOIT CA BrightStor LGServer username buffer overflow attempt 15408 suspicious-filename-detect 2005-3573 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:established,to_server; content:"filename*=utf-8"; fast_pattern:only; classtype:suspicious-filename-detect; 12597 DOS utf8 filename transfer attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/site_drivecleaner/ad_keyin/link_keyin/aff_keyin"; fast_pattern; nocase; http_uri; content:"Host|3A| stats.drivecleaner.com"; nocase; classtype:misc-activity; 12620 SPYWARE-PUT Adware drive cleaner 1.0.111 runtime detection www.spywareguide.com/product_show.php?id=3150 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/toolbarinfo.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A| www.onlinecasinoextra.com"; fast_pattern:only; classtype:successful-recon-limited; 12621 SPYWARE-PUT Trackware extra toolbar 1.0 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453117295 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/_vti_bin/owssvr.dll"; nocase; http_uri; content:"Host|3A| www.onlinecasinoextra.com"; fast_pattern:only; classtype:successful-recon-limited; 12622 SPYWARE-PUT Trackware extra toolbar 1.0 runtime detection - file download www3.ca.com/securityadvisor/pest/pest.aspx?id=453117295 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/b.cgi?"; nocase; http_uri; content:"bk="; nocase; http_uri; content:"Host|3A| www.onestepsearch.net"; fast_pattern:only; classtype:misc-activity; 12623 SPYWARE-PUT Hijacker onestepsearch 1.0.118 runtime detection www.spywareguide.com/product_show.php?id=3762 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?vn"; nocase; http_uri; content:"partner=onestep"; nocase; http_uri; content:"ptag="; nocase; http_uri; content:"initial_install="; fast_pattern; nocase; http_uri; classtype:misc-activity; 12624 SPYWARE-PUT Hijacker onestepsearch 1.0.118 runtime detection - upgrade www.spywareguide.com/product_show.php?id=3762 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A|"; nocase; content:"Windows Supervisor Report"; distance:0; nocase; content:"<title>Windows Family Safety</title>"; fast_pattern:only; classtype:successful-recon-limited; 12625 SPYWARE-PUT Keylogger windows family safety 2.0 runtime detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453117306 23832 web-application-attack 2007-2581 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/sharepoint/"; http_uri; pcre:"/sharepoint[^\n]*\x22\s*\x29\s*\x3b/Ui"; metadata:service http; classtype:web-application-attack; 12629 WEB-MISC sharepoint cross site scripting attempt www.microsoft.com/technet/security/bulletin/ms07-059.mspx shellcode-detect tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"u|00|n|00|e|00|s|00|c|00|a|00|p|00|e|00|"; fast_pattern:only; pcre:"/(s\x00p\x00r\x00a\x00y\x00|r\x00e\x00t\x00u\x00r\x00n\x00_\x00a\x00d\x00d\x00r\x00e\x00s\x00s\x00|p\x00a\x00y\x00l\x00o\x00a\x00d\x00c\x00o\x00d\x00e\x00|s\x00h\x00e\x00l\x00l\x00c\x00o\x00d\x00e\x00|r\x00e\x00t\x00a\x00d\x00d\x00r\x00|r\x00e\x00t\x00a\x00d\x00d\x00r\x00e\x00s\x00s\x00|b\x00l\x00o\x00c\x00k\x00|p\x00a\x00y\x00l\x00o\x00a\x00d\x00|a\x00g\x00e\x00n\x00t\x00|h\x00s\x00p\x00t\x00)/smi"; pcre:"/u\x00n\x00e\x00s\x00c\x00a\x00p\x00e\x00\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)/smi"; classtype:shellcode-detect; 12630 SHELLCODE unescape unicode encoded shellcode attempted-user 2007-3897 tcp $EXTERNAL_NET 119 -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|12636; 12636 NNTP XHDR buffer overflow attempt www.microsoft.com/technet/security/bulletin/ms07-056.mspx attempted-user 2007-3896 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"%00%00"; pcre:"/(mailto|telnet|news|nntp|snews)\x3A%00%00/i"; classtype:attempted-user; 12643 WEB-CLIENT URI External handler arbitrary command attempt www.microsoft.com/technet/security/bulletin/ms07-061.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.cgi"; nocase; http_uri; content:"Host|3A| www.quickbrowsersearch.com"; fast_pattern:only; classtype:misc-activity; 12652 SPYWARE-PUT Hijacker new.net domain 7.2.2 runtime detection - hijack browser www.spywareguide.com/spydet_417_new_net.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/d/sr/"; nocase; http_uri; content:"xargs="; nocase; http_uri; content:"yargs="; nocase; http_uri; content:"Host|3A| rc12.overture.com"; fast_pattern:only; classtype:misc-activity; 12653 SPYWARE-PUT Hijacker new.net domain 7.2.2 runtime detection - download code www.spywareguide.com/spydet_417_new_net.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/10023rel/landing.php"; fast_pattern; nocase; http_uri; content:"Rabio|3A|"; nocase; content:"search-enhancer"; distance:0; nocase; pcre:"/^Rabio\x3a[^\r\n]*search\x2Denhancer/smi"; classtype:misc-activity; 12654 SPYWARE-PUT Hijacker rabio 4.2 runtime detection - hijack browser www.spywareguide.com/spydet_3770_rabio.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search-enhancer/updates/se.info"; fast_pattern; nocase; http_uri; classtype:misc-activity; 12655 SPYWARE-PUT Hijacker rabio 4.2 runtime detection - download updates www.spywareguide.com/spydet_3770_rabio.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/net.php"; http_uri; content:"login="; nocase; http_uri; content:"vk="; nocase; http_uri; content:"Host|3A| cserv.icoosoft.com"; fast_pattern:only; classtype:misc-activity; 12656 SPYWARE-PUT Adware icoo loader 2.5 runtime detection 1 www.spywareremove.com/removeICOOLoader.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/upd.html"; nocase; http_uri; content:"rnd="; nocase; http_uri; content:"Host|3A| www.icooloader.com"; fast_pattern:only; classtype:misc-activity; 12657 SPYWARE-PUT Adware icoo loader 2.5 runtime detection 2 www.spywareremove.com/removeICOOLoader.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?proto"; nocase; http_uri; content:"User-Agent|3A| Updater"; nocase; http_header; content:"Host|3A| trial.updates.winsoftware.com"; fast_pattern:only; classtype:misc-activity; 12658 SPYWARE-PUT Adware winantivirus pro 2007 runtime detection www.spywareremove.com/security/winantiviruspro2007-removal-instructions misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/get-update.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"said="; nocase; http_uri; content:"Host|3A| www.thenmnetwork.com"; fast_pattern:only; classtype:misc-activity; 12659 SPYWARE-PUT Trickler zlob media codec runtime detection - automatic updates ca.com/us/securityadvisor/pest/pest.aspx?id=453118001 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/redirect-settings.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"said="; nocase; http_uri; content:"Host|3A| nameservicedirect.com"; fast_pattern:only; classtype:misc-activity; 12660 SPYWARE-PUT Trickler zlob media codec runtime detection - download redirect domains ca.com/us/securityadvisor/pest/pest.aspx?id=453118001 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"terServer"; nocase; http_header; pcre:"/User-Agent\x3a[^\r\n]*terServer/iH"; metadata:service http; classtype:trojan-activity; 12661 BACKDOOR troll.a runtime detection www.sophos.com/virusinfo/analyses/trojtrolla.html 24348 attempted-admin 2007-5004 tcp $EXTERNAL_NET any -> $HOME_NET 1900 flow:established,to_server; content:"rxrLogin~~"; nocase; content:"~~"; distance:0; pcre:"/^0*(([1-9]\d{3,})|([7-9]\d\d)|(6[7-9]\d)|(66[8-9]))/R"; classtype:attempted-admin; 12665 EXPLOIT CA BrightStor LGSever username buffer overflow attempt 25255 attempted-admin 2007-3872 tcp $EXTERNAL_NET any -> $HOME_NET 5053 flow:established,to_server; content:"|0F|"; depth:1; byte_jump:2,0,relative; byte_test:2,>,0,51,relative; classtype:attempted-admin; 12666 EXPLOIT HP OpenView OVTrace buffer overflow attempt successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/scripts/security/visit.asp?"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"qs="; nocase; http_uri; content:"User-Agent|3A| iebar"; nocase; http_header; classtype:successful-recon-limited; 12673 SPYWARE-PUT Trackware searchmiracle elitebar runtime detection - collect information www3.ca.com/securityadvisor/pest/pest.aspx?id=453094053 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/scripts/security/timer.asp?"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"seconds="; nocase; http_uri; content:"type="; nocase; http_uri; content:"User-Agent|3A| iebar"; nocase; http_header; classtype:successful-recon-limited; 12674 SPYWARE-PUT Trackware searchmiracle elitebar runtime detection - track activity www3.ca.com/securityadvisor/pest/pest.aspx?id=453094053 misc-activity tcp $HOME_NET 10110 -> $EXTERNAL_NET any flow:established,to_server; content:"VERSI |28|TheTheef|29|"; depth:16; nocase; classtype:misc-activity; 12675 BACKDOOR Versi TheTheef Detection misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"quicken_update.php"; fast_pattern; nocase; http_uri; content:"Host|3A| conspy.com"; nocase; classtype:misc-activity; 12676 SPYWARE-PUT Conspy Update Checking Detected www.symantec.com/security_response/writeup.jsp?docid=2004-021210-1340-99&tabid=2se misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ist/softwares/"; fast_pattern; nocase; http_uri; classtype:misc-activity; 12677 SPYWARE-PUT Adware ISTBar runtime detection - softwares www3.ca.com/securityadvisor/pest/pest.aspx?id=453075516 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"/realtime-spy/"; nocase; http_uri; content:"Host|3A| www.spytech-web.com"; nocase; http_header; classtype:misc-activity; 12678 SPYWARE-PUT SpyTech Realtime Spy Detection www.spytech-web.com successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"User-Agent|3A| MyWaySearchAssistant"; fast_pattern:only; classtype:successful-recon-limited; 12679 SPYWARE-PUT Trackware myway speedbar / mywebsearch toolbar user-agent detection www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405 24542 attempted-user 2007-3369 tcp $EXTERNAL_NET any -> $HOME_NET 5060 flow:established; content:"Via|3A|"; fast_pattern:only; pcre:"/^Via\x3A\s+SIP\x2F2\x2E0\x2F(TCP|UDP)\s+[^\x3B\r\n]{63}/smi"; classtype:attempted-user; 12680 VOIP-SIP Via header hostname buffer overflow attempt - TCP www.ietf.org/rfc/rfc3261.txt misc-activity tcp $EXTERNAL_NET any -> $HOME_NET 5060 flow:established; content:" sip|3A|"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n\x40]{256}/smi"; classtype:misc-activity; 12681 VOIP-SIP SIP URI possible overflow www.ietf.org/rfc/rfc3261.txt 6904 attempted-user 2003-1115 tcp $EXTERNAL_NET any -> $HOME_NET 5060 flow:established; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3A\s+[^\r\n]{256}/smi"; classtype:attempted-user; 12682 VOIP-SIP From header field buffer overflow attempt - TCP www.ietf.org/rfc/rfc3261.txt 6904 attempted-user 2003-1115 udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"To|3A|"; nocase; pcre:"/^To\x3A\s+[^\r\n]{256}/smi"; classtype:attempted-user; 12683 VOIP-SIP From header field buffer overflow attempt - UDP www.ietf.org/rfc/rfc3261.txt 952 misc-activity tcp $HOME_NET 7323 -> $EXTERNAL_NET any flow:established,to_client; content:"SyGate |0A|"; depth:8; nocase; classtype:misc-activity; 12684 BACKDOOR Sygate Remote Administration Engine marc.info/?l=bugtraq&m=94934808714972&w=2 25743 attempted-admin 2007-4880 tcp $EXTERNAL_NET any -> $HOME_NET 1581 flow:established,to_server; content:"Host|3A|"; nocase; isdataat:64,relative; content:!"|00|"; within:64; content:!"|3A|"; within:64; content:!"|0A|"; within:64; classtype:attempted-admin; 12685 EXPLOIT IBM Tivoli Storage Manger Express CAD Host buffer overflow misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"PWeb"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:".personalweb.com"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*PWeb/smiH"; pcre:"/^Host\x3a[^\r\n]*\x2epersonalweb\x2ecom/smiH"; classtype:misc-activity; 12693 SPYWARE-PUT Hijacker personalweb runtime detection www.spywareguide.com/spydet_3785_personal_web.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?proto"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Updater"; nocase; http_header; content:"Host|3A| free.version.bestsellerantivirus.com"; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]*Updater/smiH"; classtype:misc-activity; 12694 SPYWARE-PUT Adware avsystemcare runtime detection www.spywareguide.com/spydet_3529_avsystemcare.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/61/param.aspx"; fast_pattern; nocase; http_uri; content:"groupID="; nocase; http_uri; content:"spaceIDs="; nocase; http_uri; content:"mac="; nocase; http_uri; classtype:misc-activity; 12695 SPYWARE-PUT Adware coopen 3.6.1 runtime detection - initial connection www.spywareguide.com/spydet_3326_coopen.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ForceUpgrade.aspx"; fast_pattern; nocase; http_uri; content:"mac="; nocase; http_uri; content:"hdid="; nocase; http_uri; classtype:misc-activity; 12696 SPYWARE-PUT Adware coopen 3.6.1 runtime detection - automatic upgrade www.spywareguide.com/spydet_3326_coopen.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/data/track.aspx"; nocase; http_uri; content:"Host|3A| data.browseraccelerator.com"; fast_pattern:only; classtype:successful-recon-limited; 12697 SPYWARE-PUT Trackware browser accelerator runtime detection - pass user information to server www.spywareguide.com/spydet_1253_browseracclerator.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"This is an alert notification from NetVizor"; fast_pattern:only; classtype:successful-recon-limited; 12698 SPYWARE-PUT Keylogger net vizo 5.2 runtime detection ca.com/us/securityadvisor/pest/pest.aspx?id=453097457 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; flowbits:isset,PoisonIvy2.3.0_initDetection; content:"|E0 F5|=|C1 F0 EA 15 DB|C>e|F8 9B E2 14 BA|"; depth:16; classtype:trojan-activity; 12700 BACKDOOR poison ivy 2.3.0 runtime detection - init connection research.sunbelt-software.com/threatdisplay.aspx?name=PoisonIvy&threatid=43179 attempted-admin 2005-1935 tcp $EXTERNAL_NET any -> $HOME_NET 80 flow:established,to_server; content:"Authorization|3A| Negotiate YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUF"; http_header; classtype:attempted-admin; 12709 SPECIFIC-THREATS ASN.1 constructed bit string www.phreedom.org/solar/exploits/msasn1-bitstring/ attempted-admin 2005-1935 tcp $EXTERNAL_NET any -> $HOME_NET 445 flow:established,to_server; content:"|FF|SMB"; depth:8; content:"+|06 01 05 05 02|"; content:"AAAAAAAAAA"; within:10; distance:21; classtype:attempted-admin; 12710 SPECIFIC-THREATS ASN.1 constructed bit string www.phreedom.org/solar/exploits/msasn1-bitstring/ 26001 attempted-admin 2007-5381 udp $EXTERNAL_NET any -> $HOME_NET 161 content:"+|06 01 02 01 01 05 00|"; byte_test:1,>,99,1,relative; classtype:attempted-admin; 12712 SNMP oversized sysName set request 26374 attempted-admin 2007-4517 tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:established,to_server; content:"pitrig_dropmetadata"; nocase; pcre:"/pitrig_dropmetadata\x28[^\x29]{520,}?/i"; classtype:attempted-admin; 12713 ORACLE pitrig_dropmetadata buffer overflow attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/results.php?target="; nocase; http_uri; content:"Host|3A| www.sidefind.com"; fast_pattern:only; classtype:misc-activity; 12718 SPYWARE-PUT Hijacker side find 1.0 runtime detection - initial connection www.ca.com/us/securityadvisor/pest/pest.aspx?id=453088285 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/bin/findwhat.dll?"; nocase; http_uri; content:"Host|3A| admedia.xmlsearch.findwhat.com"; fast_pattern:only; classtype:misc-activity; 12719 SPYWARE-PUT Hijacker side find 1.0 runtime detection - hijacks search engine www.ca.com/us/securityadvisor/pest/pest.aspx?id=453088285 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/SpyBase/version.txt"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"AlertSpy"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*AlertSpy/smiH"; classtype:misc-activity; 12720 SPYWARE-PUT Adware pestbot runtime detection - update www.spywarewarrior.com/rogue_anti-spyware.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/purchase/"; nocase; http_uri; content:"Host|3A| pestbot.com"; fast_pattern:only; classtype:misc-activity; 12721 SPYWARE-PUT Adware pestbot runtime detection - purchase www.spywarewarrior.com/rogue_anti-spyware.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?adv=usernames&p=1"; fast_pattern; nocase; http_uri; content:"Host|3A| icoonet.com"; nocase; classtype:misc-activity; 12722 SPYWARE-PUT Hijacker sexyvideoscreensaver runtime detection www.spywareguide.com/spydet_2535_sexyvideoscreensaver.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/stats/stats.php"; fast_pattern; nocase; http_uri; content:"AppName=WinZix"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"WakeSpace"; nocase; http_header; pcre:"/^User\x2DAgent\x3a[^\r\n]*WakeSpace/smiH"; classtype:successful-recon-limited; 12723 SPYWARE-PUT Trackware winzix 2.2.0 runtime detection www.ca.com/us/securityadvisor/pest/pest.aspx?id=453118801 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; flowbits:isset,DarkMoon411_detection; content:"1bsrCwE93uxp"; depth:12; classtype:trojan-activity; 12725 BACKDOOR dark moon 4.11 runtime detection www.spywareguide.com/spydet_2745_dark_moon.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Bandook135_detection; content:"|CF AB A8 A7 AE CF|"; depth:6; classtype:trojan-activity; 12727 BACKDOOR bandook 1.35 runtime detection research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,DigiWatcher232_detection; content:"Motion"; nocase; content:"detected!"; distance:0; nocase; content:"Watcher"; distance:0; nocase; content:"PC"; distance:0; nocase; content:"IP"; distance:0; nocase; content:"address|3A|"; distance:0; nocase; pcre:"/Motion\s+detected\x21/smi"; pcre:"/Watcher\s+PC\s+IP\s+address\x3A/smi"; classtype:successful-recon-limited; 12759 SPYWARE-PUT Keylogger/RAT digi watcher 2.32 runtime detection www.ca.com/ca/en/securityadvisor/pest/pest.aspx?id=453119363 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,PoweredKeylogger22_detection; content:"Please,"; nocase; content:"find"; distance:0; nocase; content:"the"; distance:0; nocase; content:"log"; distance:0; nocase; content:"file"; distance:0; nocase; content:"|28|PKL|29|"; distance:0; nocase; content:"attached"; distance:0; nocase; content:"to"; distance:0; nocase; content:"this"; distance:0; nocase; content:"e-mail."; distance:0; nocase; pcre:"/Please\x2C\s+find\s+the\s+log\s+file\s+\x28PKL\x29\s+attached\s+to\s+this\s+e\x2Dmail\x2E/smi"; classtype:successful-recon-limited; 12761 SPYWARE-PUT Keylogger powered Keylogger 2.2 runtime detection www.ca.com/securityadvisor/pest/pest.aspx?id=453097852 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/gate/chkupdate.php"; nocase; http_uri; content:"Host|3A| www.sunshinespy.com"; fast_pattern:only; classtype:misc-activity; 12789 SPYWARE-PUT Adware sunshine spy 1.0 runtime detection - check update research.sunbelt-software.com/threatdisplay.aspx?name=Sunshine%20Spy&threatid=171191 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/utility/client/images/ProductVersion.txt"; fast_pattern; nocase; http_uri; content:"Host|3A| www.partycasino.com"; nocase; classtype:successful-recon-limited; 12790 SPYWARE-PUT Trackware partypoker runtime detection research.sunbelt-software.com/threatdisplay.aspx?name=PartyPoker&threatid=44086 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/application/app_counter/?gopver="; fast_pattern; nocase; http_uri; classtype:misc-activity; 12791 SPYWARE-PUT Adware gophoria toolbar runtime detection www.spywareguide.com/spydet_3093_gophoria_toolbar.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,SpyLanternKeylogger6_detection; content:"filename=|22|"; nocase; content:".ltr"; distance:0; nocase; pcre:"/filename\x3D\x22[^\r\n]*\x2Eltr\x22/smi"; classtype:successful-recon-limited; 12793 SPYWARE-PUT Keylogger spy lantern Keylogger pro 6.0 runtime detection research.sunbelt-software.com/threatdisplay.aspx?name=Spy%20Lantern%20Keylogger&threatid=29156 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/SearchFraudDBProcess.php?vbfraudURL="; fast_pattern; nocase; http_uri; classtype:misc-activity; 12794 SPYWARE-PUT Hijacker gralicwrap runtime detection - search frauddb process www.spywareguide.com/spydet_2594_gralicwrap.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/DisplayFraudDBInformation.php?id="; fast_pattern; nocase; http_uri; classtype:misc-activity; 12795 SPYWARE-PUT Hijacker gralicwrap runtime detection - display frauddb information www.spywareguide.com/spydet_2594_gralicwrap.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/htftool.php?q="; nocase; http_uri; content:"Host|3A| happytofind.com"; fast_pattern:only; classtype:successful-recon-limited; 12796 SPYWARE-PUT Trackware happytofind toolbar runtime detection www.spywareguide.com/spydet_3157_happytofind.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/xcon/XP/update.enc?="; nocase; http_uri; content:"Host|3A| x-conspywaredestroyer.com"; fast_pattern:only; classtype:misc-activity; 12797 SPYWARE-PUT Adware x-con spyware destroyer eh 3.2.8 runtime detection x-conspywaredestroyer.com attempted-user tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:from_client,established; content:"/readme.eml"; nocase; http_uri; classtype:attempted-user; 1284 WEB-CLIENT readme.eml download attempt www.cert.org/advisories/CA-2001-26.html attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"window.open|28 22|readme.eml|22|"; nocase; classtype:attempted-user; 1290 WEB-CLIENT readme.eml autoload attempt www.cert.org/advisories/CA-2001-26.html 2721 web-application-activity 2001-0740 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/graphics/sml3com"; http_uri; metadata:service http; classtype:web-application-activity; 1291 WEB-MISC sml3com access attempted-admin 2007-3901 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<SAMI>"; fast_pattern:only; content:"HEAD"; distance:0; nocase; pcre:"/\x3C[^\x3E\x0a]{500}/Ri"; metadata:policy balanced-ips drop, service http; classtype:attempted-admin; 12983 EXPLOIT DirectX SAMI file CRawParser attempted buffer overflow attempt www.microsoft.com/technet/security/Bulletin/MS07-064.mspx 3375 attempted-recon 2001-1252 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/console.exe"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1302 WEB-MISC console.exe access 3375 attempted-recon 2001-1252 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/cs.exe"; nocase; http_uri; metadata:service http; classtype:attempted-recon; 1303 WEB-MISC cs.exe access 3474 misc-attack 2001-0838 tcp $EXTERNAL_NET any -> $HOME_NET 4321 flow:to_server,established; content:"-soa %p"; classtype:misc-attack; 1323 EXPLOIT rwhoisd format string attempt 10790 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,ActiveKeylogger392_detection; content:"filename=|22|"; nocase; content:"akllogs.zip|22|"; distance:0; nocase; pcre:"/filename\x3D\x22[^\r\n]*akllogs\x2Ezip\x22/smi"; classtype:successful-recon-limited; 13237 SPYWARE-PUT Keylogger active Keylogger 3.9.2 runtime detection research.sunbelt-software.com/threatdisplay.aspx?name=Active%20Key%20Logger&threatid=1622 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/nodes.cgi"; fast_pattern; nocase; http_uri; content:"app=Porn2Peer"; nocase; http_uri; content:"version="; nocase; http_uri; classtype:misc-activity; 13238 SPYWARE-PUT Adware adult p2p 1.5 runtime detection ca.com/us/securityadvisor/pest/pest.aspx?id=453122013 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/links/search.cgi"; nocase; http_uri; content:"query="; nocase; http_uri; content:"Host|3A| www.bluewavelinks.com"; fast_pattern:only; classtype:misc-activity; 13239 SPYWARE-PUT Hijacker blue wave adult links toolbar runtime detection www.bluewavelinks.com misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/buy.php?"; nocase; http_uri; content:"advid="; nocase; http_uri; content:"emla="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"Host|3A| www.liveprotection.net"; fast_pattern:only; classtype:misc-activity; 13240 SPYWARE-PUT Adware live protection 2.1 runtime detection - redirects to purchase page liveprotection.net misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/update.php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"d="; nocase; http_uri; content:"vs="; nocase; http_uri; content:"Host|3A| www.LiveProtection.net"; fast_pattern:only; classtype:misc-activity; 13241 SPYWARE-PUT Adware live protection 2.1 runtime detection - application updates liveprotection.net misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"NetPumper"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*NetPumper/smiH"; classtype:misc-activity; 13242 SPYWARE-PUT Adware netpumper 1.26 runtime detection www.spywareguide.com/spydet_975_netpumper_1_2.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,ComputerMonitor11_detection; content:"Computer"; nocase; content:"Monitor"; distance:0; nocase; content:"by"; distance:0; nocase; content:"Lastcomfort"; distance:0; nocase; pcre:"/Computer\s+Monitor\s+by\s+Lastcomfort/smi"; classtype:successful-recon-limited; 13244 SPYWARE-PUT Keylogger computer monitor 1.1 by lastcomfort runtime detection research.sunbelt-software.com/threatdisplay.aspx?name=Computer%20Monitor&threatid=48576 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Troya_1_4_detection; content:"<title>"; nocase; content:"Troya"; distance:0; nocase; content:"-"; distance:0; nocase; content:"by"; distance:0; nocase; content:"Sma"; distance:0; nocase; content:"Soft"; distance:0; nocase; content:"</title>"; distance:0; nocase; pcre:"/\x3Ctitle\x3ETroya\s+\x2D\s+by\s+Sma\s+Soft\x3C\x2Ftitle\x3E/smi"; classtype:trojan-activity; 13246 BACKDOOR troya 1.4 runtime detection - init connection research.sunbelt-software.com/threatdisplay.aspx?name=Troya&threatid=41533 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; flowbits:isset,Yuri_1_2_detection; content:"|7C|"; nocase; content:"|7C|"; distance:0; nocase; content:"|7C|Yuri"; distance:0; nocase; content:"v1."; distance:0; nocase; content:"|7C|"; distance:0; nocase; pcre:"/\x7C\d+\x2E\d+\x2E\d+\x2E\d+\x7C.*\x7CYuri\s+v1\x2E\d+\x7C/smi"; classtype:trojan-activity; 13248 BACKDOOR yuri 1.2 runtime detection - init connection research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Yuri%20RAT&threatid=48528 25945 attempted-user 2007-4041 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"nntp|3A|"; nocase; pcre:"/^[^\n]*?(\x2E(com|bat|cmd|exe)((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5c)00)/Ri"; classtype:attempted-user; 13269 EXPLOIT Multiple product nntp uri handling code execution attempt www.microsoft.com/technet/security/bulletin/ms07-057.mspx 25945 attempted-user 2007-4041 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"news|3A|"; nocase; pcre:"/^[^\n]*?(\x2E(com|bat|cmd|exe)((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5c)00)/Ri"; classtype:attempted-user; 13270 EXPLOIT Multiple product news uri handling code execution attempt www.microsoft.com/technet/security/bulletin/ms07-057.mspx 25945 attempted-user 2007-4041 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"telnet|3A|"; nocase; pcre:"/^[^\n]*?(\x2E(com|bat|cmd|exe)((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5c)00)/Ri"; classtype:attempted-user; 13271 EXPLOIT Multiple product telnet uri handling code execution attempt www.microsoft.com/technet/security/bulletin/ms07-057.mspx 25945 attempted-user 2007-4041 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"mailto|3A|"; nocase; content:"|2E|exe"; within:500; nocase; pcre:"/mailto\x3A[^\n]*?(\x2Eexe((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5cx)00)/i"; classtype:attempted-user; 13272 EXPLOIT Multiple product mailto uri handling code execution attempt www.microsoft.com/technet/security/bulletin/ms07-057.mspx successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,AdvancedSpy_detection; content:"filename="; nocase; content:"|22|as_report_"; distance:0; nocase; content:".zip|22|"; distance:0; nocase; pcre:"/filename\s*\x3D\s*\x22as\x5Freport\x5F[^\x22]+\x2Ezip\x22/smi"; classtype:successful-recon-limited; 13279 SPYWARE-PUT Keylogger advanced spy 4.0 runtime detection www.advancedspy.net/ successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,EmailSpyMonitor_detection; content:"<title>"; nocase; content:"Email"; distance:0; nocase; content:"Spy"; distance:0; nocase; content:"Monitor"; distance:0; nocase; content:"Logging"; distance:0; nocase; content:"Report"; distance:0; nocase; content:"</title>"; distance:0; nocase; pcre:"/\x3CTitle\x3EEmail\s+Spy\s+Monitor\s+Logging\s+Report\x3C\x2Ftitle\x3E/smi"; classtype:successful-recon-limited; 13281 SPYWARE-PUT Keylogger email spy monitor 6.9 runtime detection www.spywareremove.com/removeEmailSpyMonitor.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/123bar/search.php?"; fast_pattern; nocase; http_uri; content:"sengine="; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"Host|3A| soft.jily.net"; nocase; classtype:misc-activity; 13282 SPYWARE-PUT Adware jily ie toolbar runtime detection www.www.spywareguide.com/product_show.php?id=2425 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/setting/geturl_kword.html"; fast_pattern; nocase; http_uri; content:"uCode="; nocase; http_uri; content:"Host|3A| oper.dreambar.co.kr"; nocase; classtype:misc-activity; 13283 SPYWARE-PUT Hijacker dreambar runtime detection research.sunbelt-software.com/threatdisplay.aspx?name=Dreambar&threatid=97491 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/update/webcleaner/en/updatelist.ini"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"NetGuarder WebCleaner"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*NetGuarder\s+WebCleaner/smiH"; classtype:misc-activity; 13284 SPYWARE-PUT Adware netguarder web cleaner runtime detection www.spywareguide.com/spydet_1824_netguarder_web_cleaner.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/__utm.gif?"; nocase; http_uri; content:"utmwv="; nocase; http_uri; content:"utmn="; nocase; http_uri; content:"utmhn=www.crawl.ws"; fast_pattern; nocase; http_uri; content:"utmr="; nocase; http_uri; content:"utmp="; nocase; http_uri; classtype:misc-activity; 13285 SPYWARE-PUT Hijacker phazebar runtime detection www.uninstall-spyware.com/uninstallPhaZeBar.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/stats/stats.php"; fast_pattern; nocase; http_uri; content:"AppName=3wPlayer"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"WakeSpace"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*WakeSpace/smiH"; classtype:misc-activity; 13286 SPYWARE-PUT Adware 3wplayer 1.7 runtime detection www.spywareremove.com/remove3wPlayer.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search_total.asp"; nocase; http_uri; content:"recid=directtb"; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| search.interich.com"; fast_pattern:only; classtype:misc-activity; 13339 SPYWARE-PUT Hijacker direct toolbar runtime detection research.sunbelt-software.com/threatdisplay.aspx?name=Direct.Toolbar&threatid=133225 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/0409/as.asp?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A| www.search4top.com"; fast_pattern:only; classtype:misc-activity; 13340 SPYWARE-PUT Hijacker search4top runtime detection - hijack ie searches and error pages www.spywareguide.com/spydet_3578_search4top.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/adjs.php?"; nocase; http_uri; content:"n="; nocase; http_uri; content:"what="; nocase; http_uri; content:"target="; nocase; http_uri; content:"exclude="; nocase; http_uri; content:"Referer|3A| www.search4top.com/english.asp?q="; fast_pattern:only; classtype:misc-activity; 13341 SPYWARE-PUT Hijacker search4top runtime detection - popup ads www.spywareguide.com/spydet_3578_search4top.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/searchResults.asp"; nocase; http_uri; content:"mainToolbar="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"ss="; nocase; http_uri; content:"Host|3A| www.ditto.com"; fast_pattern:only; classtype:misc-activity; 13342 SPYWARE-PUT Hijacker ditto toolbar runtime detection www.emsisoft.it/it/malware/?Adware.Win32.Ditto+Toolbar misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/go/go.php"; nocase; http_uri; content:"Host|3A| 2005-search.com"; fast_pattern:only; classtype:misc-activity; 13343 SPYWARE-PUT Adware 2005-search loader runtime detection www.malware.com.br/cgi/submit?action=list_comp misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/privacy/presale.php?"; fast_pattern; nocase; http_uri; content:"v="; nocase; http_uri; content:"lp="; nocase; http_uri; content:"addt="; nocase; http_uri; content:"air="; nocase; http_uri; content:"lir="; nocase; http_uri; content:"afr="; nocase; http_uri; content:"rem="; nocase; http_uri; classtype:misc-activity; 13344 SPYWARE-PUT Adware yourprivacyguard runtime detection - presale request www.spywaredetector.net/spyware_encyclopedia/Adware.Yourprivacyguard.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?"; nocase; http_uri; content:"proto="; nocase; http_uri; content:"rc="; nocase; http_uri; content:"v="; nocase; http_uri; content:"abbr="; nocase; http_uri; content:"platform="; nocase; http_uri; content:"os_version="; nocase; http_uri; content:"User-Agent|3A| Updater"; fast_pattern:only; classtype:misc-activity; 13345 SPYWARE-PUT Adware yourprivacyguard runtime detection - update www.spywaredetector.net/spyware_encyclopedia/Adware.Yourprivacyguard.htm successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,RemoteDesktopInspector_detection; content:"DS"; depth:2; nocase; content:"|00 00 01 00 00 00 00 FE 01 00 00 F1 00 00 00 00|"; within:16; distance:2; nocase; classtype:successful-recon-limited; 13347 SPYWARE-PUT Snoopware remote desktop inspector runtime detection - init connection www.emsisoft.com/es/malware/?Adware.Win32.Remote+Desktop+Inspector 26927 attempted-user 2007-6335 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"MZ"; depth:2; content:"PE"; content:"MEW"; content:!"|00|"; within:1; distance:8; metadata:service http; classtype:attempted-user; 13361 EXPLOIT ClamAV MEW PE file integer overflow attempt 26927 attempted-user 2007-6335 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"MZ"; depth:2; content:"PE"; content:"MEW"; content:!"|00|"; within:1; distance:48; metadata:service http; classtype:attempted-user; 13362 EXPLOIT ClamAV MEW PE file integer overflow attempt 20986 attempted-admin 2006-5821 tcp $EXTERNAL_NET any -> $HOME_NET 2513 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|13417; 13417 EXPLOIT Citrix MetaFrame IMA authentication processing buffer overflow attempt support.citrix.com/article/CTX111186 16593 attempted-dos 2006-0717 tcp $EXTERNAL_NET any -> $HOME_NET 389 gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|13418; 13418 DOS IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt www-1.ibm.com/support/docview.wss?uid=swq21230820 20939 denial-of-service 2006-5779 tcp any any -> $HOME_NET 389 gid:3; classtype:denial-of-service; metadata: engine shared, soid 3|13425; 13425 DOS openldap server bind request denial of service attempt attempted-user 2008-0083 tcp $EXTERNAL_NET 80 -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13448; 13448 WEB-CLIENT vbscript/jscript scripting engine begin buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS08-022.mspx attempted-user 2008-0083 tcp $EXTERNAL_NET 80 -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|13449; 13449 WEB-CLIENT vbscript/jscript scripting engine end buffer overflow attempt www.microsoft.com/technet/security/bulletin/MS08-022.mspx attempted-dos 2008-0084 udp $HOME_NET 67 -> $HOME_NET 68 gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|13450; 13450 BAD-TRAFFIC invalid dhcp offer denial of service attempt www.microsoft.com/technet/security/bulletin/ms08-004.mspx successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,FindNotGuardDog_detection; content:"X-Mailer|3A|"; nocase; content:"FindNot"; distance:0; nocase; content:"GuardDog"; distance:0; nocase; pcre:"/^X\x2DMailer\x3A[^\r\n]*FindNot\s+GuardDog/smi"; classtype:successful-recon-limited; 13480 SPYWARE-PUT Keylogger findnot guarddog 4.0 runtime detection www.findnot.eu/pg_guarddog.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/baidu?"; fast_pattern; nocase; http_uri; content:"tn="; nocase; http_uri; content:"baiducb"; nocase; http_uri; content:"word="; nocase; http_uri; classtype:misc-activity; 13481 SPYWARE-PUT Hijacker baidu toolbar runtime detection - hijacks search engine www.spywareguide.com/product_show.php?id=1250 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/bdinfo.txt?"; fast_pattern; nocase; http_uri; content:"userip="; nocase; http_uri; content:"url="; nocase; http_uri; content:"navigate="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"bar-get"; nocase; http_header; pcre:"/^User\x2DAgent\x3A[^\r\n]*bar\x2Dget/smiH"; classtype:misc-activity; 13482 SPYWARE-PUT Hijacker baidu toolbar runtime detection - discloses information www.spywareguide.com/product_show.php?id=1250 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; flowbits:isset,BaiduToolbar_detection; content:"User-Agent|3A|"; nocase; http_header; content:"bar-get"; nocase; http_header; pcre:"/^User\x2DAgent\x3A[^\r\n]*bar\x2Dget/smiH"; classtype:misc-activity; 13484 SPYWARE-PUT Hijacker baidu toolbar runtime detection - updates automatically www.spywareguide.com/product_show.php?id=1250 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.htm?"; fast_pattern; nocase; http_uri; content:"st="; nocase; http_uri; content:"dir="; nocase; http_uri; content:"wd="; nocase; http_uri; content:"wid="; nocase; http_uri; content:"sofa"; nocase; http_uri; content:"version="; nocase; http_uri; content:"soft"; nocase; http_uri; classtype:misc-activity; 13485 SPYWARE-PUT Hijacker sofa toolbar runtime detection - hijacks search engine www.emsisoft.com/en/malware/?Adware.Win32.Softomate.ag misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cm?"; nocase; http_uri; content:"u="; nocase; http_uri; content:"010.eqiso.com"; fast_pattern; nocase; http_uri; content:"i="; nocase; http_uri; content:"w="; nocase; http_uri; classtype:misc-activity; 13486 SPYWARE-PUT Hijacker sofa toolbar runtime detection - records search information www.emsisoft.com/en/malware/?Adware.Win32.Softomate.ag misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"EliteProtector"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*EliteProtector/smiH"; classtype:misc-activity; 13487 SPYWARE-PUT Adware elite protector runtime detection www.threatexpert.com/report.aspx?uid=413fd424-4727-46bb-af1b-125e21b34afb misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/peoplepal/upgrade/?"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"PeoplePal Version Checker"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*PeoplePal\s+Version\s+Checker/smiH"; classtype:misc-activity; 13488 SPYWARE-PUT Hijacker people pal toolbar runtime detection - automatic upgrade www.emsisoft.com/en/malware/?Adware.Win32.PeoplePal misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search?"; nocase; http_uri; content:"area="; nocase; http_uri; content:"cgid="; nocase; http_uri; content:"category="; fast_pattern; nocase; http_uri; content:"peoplepal"; nocase; http_uri; classtype:misc-activity; 13489 SPYWARE-PUT Hijacker people pal toolbar runtime detection - traffic for searching www.emsisoft.com/en/malware/?Adware.Win32.PeoplePal misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/buy.php?"; nocase; http_uri; content:"advid="; nocase; http_uri; content:"emla="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"Host|3A| www.spy-shredder.com"; fast_pattern:only; classtype:misc-activity; 13490 SPYWARE-PUT Adware spy shredder 2.1 runtime detection - presale request www.ca.com/ca/en/securityadvisor/pest/pest.aspx?id=453123853 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/update.php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"d="; nocase; http_uri; content:"Host|3A| www.spy-shredder.com"; fast_pattern:only; classtype:misc-activity; 13491 SPYWARE-PUT Adware spy shredder 2.1 runtime detection - update www.ca.com/ca/en/securityadvisor/pest/pest.aspx?id=453123853 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/baidu?"; nocase; http_uri; content:"word="; nocase; http_uri; content:"tn=deepbar"; fast_pattern; nocase; http_uri; classtype:misc-activity; 13492 SPYWARE-PUT Hijacker deepdo toolbar runtime detection - redirects search engine www.spywareguide.com/product_show.php?id=3367 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/download/toolbar.ini"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"DeepdoUpdate"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*DeepdoUpdate/smiH"; classtype:misc-activity; 13493 SPYWARE-PUT Hijacker deepdo toolbar runtime detection - automatic update www.spywareguide.com/product_show.php?id=3367 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A| Smart PC Keylogger - Log File Mailing"; fast_pattern:only; content:"X-Mailer|3A| Smart PC Keylogger"; nocase; classtype:successful-recon-limited; 13494 SPYWARE-PUT Keylogger smart pc Keylogger runtime detection www.ca.com/ca/en/securityadvisor/pest/pest.aspx?id=453124511 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/toolbar/ezt_serverside.xml"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Toolbar/smiH"; classtype:misc-activity; 13495 SPYWARE-PUT Hijacker ez-tracks toolbar runtime detection - initial traffic 1 www.spywareremove.com/removeEZTracks.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ezt/toolbar/"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Toolbar/smiH"; classtype:misc-activity; 13496 SPYWARE-PUT Hijacker ez-tracks toolbar runtime detection - initial traffic 2 www.spywareremove.com/removeEZTracks.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/TBTracking/TrackLinkClicks.cfm?"; fast_pattern; nocase; http_uri; content:"linkID="; nocase; http_uri; content:"ToolBarID="; nocase; http_uri; content:"TBSearch="; nocase; http_uri; content:"Host|3A| ez-tracks.com"; nocase; classtype:misc-activity; 13497 SPYWARE-PUT Hijacker ez-tracks toolbar runtime detection - tracking traffic www.spywareremove.com/removeEZTracks.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/jump.asp?"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"t2t21"; nocase; http_uri; content:"guid="; nocase; http_uri; content:"siteid="; nocase; http_uri; classtype:misc-activity; 13498 SPYWARE-PUT Hijacker hbtbar runtime detection - search traffic 1 www.spywareremove.com/removeHDTBar.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/baidu?"; nocase; http_uri; content:"tn=t2t21"; fast_pattern; nocase; http_uri; content:"word="; nocase; http_uri; classtype:misc-activity; 13499 SPYWARE-PUT Hijacker hbtbar runtime detection - search traffic 2 www.spywareremove.com/removeHDTBar.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/log.htm?"; nocase; http_uri; content:"website_id="; fast_pattern; nocase; http_uri; content:"unique="; nocase; http_uri; content:"all_unique="; nocase; http_uri; content:"dpi="; nocase; http_uri; content:"location="; nocase; http_uri; content:"t2t21"; nocase; http_uri; classtype:misc-activity; 13500 SPYWARE-PUT Hijacker hbtbar runtime detection - log information www.spywareremove.com/removeHDTBar.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/buy2.php?"; nocase; http_uri; content:"date="; nocase; http_uri; content:"currentDate="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"Host|3A| www.contraviruspro.com"; fast_pattern:only; classtype:misc-activity; 13501 SPYWARE-PUT Adware contravirus runtime detection - presale request www.spywareguide.com/spydet_3552_contravirus.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"ContraVirusPro"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*ContraVirusPro/smiH"; classtype:misc-activity; 13502 SPYWARE-PUT Adware contravirus runtime detection - update www.spywareguide.com/spydet_3552_contravirus.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ie/"; nocase; http_uri; content:"Host|3A| iedefender.com"; fast_pattern:only; classtype:misc-activity; 13504 SPYWARE-PUT Adware iedefender runtime detection - presale request www.spywareguide.com/spydet_5318_ie_defender.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/updates.php?"; nocase; http_uri; content:"data1="; nocase; http_uri; content:"data2="; nocase; http_uri; content:"Host|3A| iedefender.com"; fast_pattern:only; classtype:misc-activity; 13505 SPYWARE-PUT Adware iedefender runtime detection - update www.spywareguide.com/spydet_5318_ie_defender.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; flowbits:isset,Evilotus_detection; content:"|0C|~|7F D8|"; depth:4; content:"|00 00 00|d|C8 00 00|"; within:8; distance:1; content:"|00 00 00|"; within:3; distance:1; classtype:trojan-activity; 13507 BACKDOOR evilotus 1.3.2 runtime detection - init connection www.megasecurity.org/trojans/e/evilotus/Evilotus1.3.2.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Xploit1_4_5_detection; content:"|01 00|"; depth:2; classtype:trojan-activity; 13509 BACKDOOR xploit 1.4.5 pc runtime detection spywaredetector.net/spyware_encyclopedia/Backdoor.Xploit.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/toolbar/kompasst"; nocase; http_uri; content:".php"; nocase; http_uri; content:"Host|3A| www.kompass-intl.com"; fast_pattern:only; classtype:misc-activity; 13559 SPYWARE-PUT Hijacker kompass toolbar runtime detection - initial connection spywaresignatures.com/details/kompasstoolbar.pdf misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/kinl/static/index_kitoolbar.php?"; fast_pattern; nocase; http_uri; content:"_Choix="; nocase; http_uri; content:"_Lang="; nocase; http_uri; content:"_Zone="; nocase; http_uri; content:"Kprov=Toolbar"; nocase; http_uri; content:"_Keyword="; nocase; http_uri; classtype:misc-activity; 13560 SPYWARE-PUT Hijacker kompass toolbar runtime detection - search traffic spywaresignatures.com/details/kompasstoolbar.pdf misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/buy.php?"; nocase; http_uri; content:"advid="; nocase; http_uri; content:"emla="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"Host|3A| www.malware-alarm.com"; fast_pattern:only; classtype:misc-activity; 13561 SPYWARE-PUT Adware malware alarm runtime detection - presale request www.sophos.com/security/analyses/malwarealarm.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/update.php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"d="; nocase; http_uri; content:"vs="; nocase; http_uri; content:"Host|3A| www.malware-alarm.com"; fast_pattern:only; classtype:misc-activity; 13562 SPYWARE-PUT Adware malware alarm runtime detection - update request www.sophos.com/security/analyses/malwarealarm.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/download/2006/order.php?"; fast_pattern; nocase; http_uri; content:"v="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"Host|3A| systemdoctor.com"; nocase; classtype:misc-activity; 13563 SPYWARE-PUT Adware system doctor runtime detection - presale request www.spywareguide.com/spydet_3049_systemdoctor_2006.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/stats.php?"; nocase; http_uri; content:"site_id=systemdoctor"; fast_pattern; nocase; http_uri; content:"lp="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"ref="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"USDR"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n].*USDR\d+/smiH"; classtype:misc-activity; 13564 SPYWARE-PUT Adware system doctor runtime detection - update status www.spywareguide.com/spydet_3049_systemdoctor_2006.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/hb.php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"q="; nocase; http_uri; content:"id="; nocase; http_uri; content:"aff="; nocase; http_uri; content:"Host|3A| vscodecsupport.com"; fast_pattern:only; classtype:misc-activity; 13565 SPYWARE-PUT Trickler iecodec runtime detection - initial traffic www.prevx.com/filenames/X743654547251516036-0/IECODEC.DLL.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/a/pic1.gif"; nocase; http_uri; content:"Host|3A| vscodecsupport.com"; fast_pattern:only; classtype:misc-activity; 13566 SPYWARE-PUT Trickler iecodec runtime detection - message dialog www.prevx.com/filenames/X743654547251516036-0/IECODEC.DLL.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"<TITLE>MSN Spy Monitor Logging Report</TITLE>"; fast_pattern:only; classtype:successful-recon-limited; 13567 SPYWARE-PUT Keylogger msn spy monitor runtime detection research.sunbelt-software.com/threatdisplay.aspx?name=MSN%20Spy%20Monitor&threatid=41180 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"This is the file kept 'LOG', of the program Sys="; fast_pattern:only; classtype:successful-recon-limited; 13568 SPYWARE-PUT Keylogger sys keylog 1.3 advanced runtime detection spywaredetector.net/spyware_encyclopedia/Spyware.SysKeylog.htm 6849 attempted-admin 2003-0095 tcp $EXTERNAL_NET any -> $HOME_NET any flow:established,to_server; content:"|E8|15aaaaaaaaaaaaaaaaaaaaa|B9|15^_|81 EF|15|FC F3 A4|"; classtype:attempted-admin; 13618 SPECIFIC-THREATS Oracle database version 9 username buffer overflow attempt otn.oracle.com/deploy/security/pdf/2003alert51.pdf trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"POST /ld/mat18/s.php"; nocase; http_uri; classtype:trojan-activity; 13625 BACKDOOR MBR rootkit HTTP POST activity detected www.sophos.com/security/blog/2008/01/987.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/get.php?"; nocase; http_uri; content:"partner="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.allcollisions.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Eallcollisions\x2Ecom/smiH"; classtype:misc-activity; 13635 SPYWARE-PUT Trickler downloader trojan.gen runtime detection - get malicious link www.prevx.com/filenames/X1895686732762432147-0/LAF4.EXE.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/download.php?"; nocase; http_uri; content:"track_id="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"dl1.virusheat.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*dl1\x2Evirusheat\x2Ecom/smiH"; classtype:misc-activity; 13636 SPYWARE-PUT Trickler downloader trojan.gen runtime detection - download malicious link www.prevx.com/filenames/X1895686732762432147-0/LAF4.EXE.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/buy_online.php?"; nocase; http_uri; content:"aff="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.virusheat.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2evirusheat\x2ecom/smiH"; classtype:misc-activity; 13637 SPYWARE-PUT Adware virus heat runtime detection - presale request research.sunbelt-software.com/threatdisplay.aspx?name=VirusHeat&threatid=203189 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/db/dbver.dat"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"VirusHeat"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*VirusHeat/smiH"; classtype:misc-activity; 13638 SPYWARE-PUT Adware virus heat runtime detection - initial database connection research.sunbelt-software.com/threatdisplay.aspx?name=VirusHeat&threatid=203189 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/contents2.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"cnt="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"toolbar.locmag.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*toolbar\x2Elocmag\x2Ecom/smiH"; classtype:misc-activity; 13639 SPYWARE-PUT Hijacker locmag toolbar runtime detection - connection to toolbar www.360zd.com/spyware/433.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/multi_search/"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.locmag.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Elocmag\x2Ecom/smiH"; classtype:misc-activity; 13640 SPYWARE-PUT Hijacker locmag toolbar runtime detection - hijacks address bar www.360zd.com/spyware/433.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search/?"; nocase; http_uri; content:"Terms="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.eclickz.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eeclickz\x2Ecom/smiH"; classtype:misc-activity; 13641 SPYWARE-PUT Hijacker eclickz toolbar runtime detection - search traffic www.emsisoft.com/en/malware/?Adware.Win32.eClickz+Toolbar successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"DQp+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fg0KV2luZG93IFRpd"; fast_pattern:only; classtype:successful-recon-limited; 13642 SPYWARE-PUT Keylogger easy Keylogger runtime detection spywaresignatures.com/details.php?spyware=easykeyloggerfree5.0 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/rank/Info.do?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"tbar.chinarank.org.cn"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*tbar\x2Echinarank\x2Eorg\x2Ecn/smiH"; classtype:misc-activity; 13643 SPYWARE-PUT Hijacker zztoolbar runtime detection - toolbar traffic www.spywareguide.com/spydet_5949_zztoolbar.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/s?"; nocase; http_uri; content:"wd="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Chinarank"; nocase; http_header; content:"Toolbar|29|"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n].*Chinarank\s+Toolbar\x29/smiH"; classtype:misc-activity; 13644 SPYWARE-PUT Hijacker zztoolbar runtime detection - search traffic www.spywareguide.com/spydet_5949_zztoolbar.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/toolbar/search.php?"; fast_pattern; nocase; http_uri; content:"key="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.mxs.co.kr"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Emxs\x2Eco\x2Ekr/smiH"; classtype:misc-activity; 13645 SPYWARE-PUT Hijacker mxs toolbar runtime detection research.sunbelt-software.com/threatdisplay.aspx?name=MXS.Toolbar&threatid=97487 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/shoppingcart.aspx?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"dlg="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.registrydefender.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eregistrydefender\x2Ecom/smiH"; classtype:misc-activity; 13646 SPYWARE-PUT Adware registry defender runtime detection - presale request www.emsisoft.com/en/malware/?Adware.Win32.Registry+Defender misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/report_error.aspx?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"e="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"registrydefender.techwithyou.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*registrydefender\x2Etechwithyou\x2Ecom/smiH"; classtype:misc-activity; 13647 SPYWARE-PUT Adware registry defender runtime detection - error report request www.emsisoft.com/en/malware/?Adware.Win32.Registry+Defender misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/jsp/"; nocase; http_uri; content:"?st=bar"; nocase; http_uri; content:"searchfor="; fast_pattern; nocase; http_uri; pcre:"/jsp\/(GG(main|img|dirs?)|A(jmain|wns|wimg|wvid|waud)|Lsmain)\x2Ejsp\?st=bar&searchfor=/Ui"; classtype:misc-activity; 13648 SPYWARE-PUT Hijacker mysearch bar 2.0.2.28 runtime detection www.emsisoft.com/en/malware/?Adware.Win32.My+Search+Bar misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/register.php"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.spywarestop.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2espywarestop\x2ecom/smiH"; classtype:misc-activity; 13649 SPYWARE-PUT Adware spyware stop runtime detection - presale request www.prevx.com/filenames/1299278770072512825-0/SPYWARESTOP.MSI.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/update/info"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"SpywareStop"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*SpywareStop/smiH"; classtype:misc-activity; 13650 SPYWARE-PUT Adware spyware stop runtime detection - auto updates www.prevx.com/filenames/1299278770072512825-0/SPYWARESTOP.MSI.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"All In One Keylogger report."; nocase; content:"PGh0bWw+PGhlYWQ+PHRpdGxlPkFsbCBJbiBPbmUgS2V5bG9nZ2VyIFJlcG9y"; fast_pattern:only; classtype:successful-recon-limited; 13652 SPYWARE-PUT Keylogger all in one Keylogger runtime detection www.noadware.net/research/index2.php?item_id=1201&item_name=all-in-one%20spy misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/partners/alex.php?"; fast_pattern; nocase; http_uri; content:"t="; nocase; http_uri; content:"dm="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.cashfiesta.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ecashfiesta\x2Ecom/smiH"; classtype:misc-activity; 13653 SPYWARE-PUT Adware cashfiesta adbar runtime detection - updates traffic research.sunbelt-software.com/threatdisplay.aspx?name=CashFiesta%20AdBar&threatid=42051 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:from_server,established; flowbits:isset,Nuclear_RAT_2_1_detection; content:"|1E 0D 00 00 00 00 00 00 00 00 00 00 00|"; depth:13; classtype:trojan-activity; 13655 BACKDOOR nuclear rat 2.1 runtime detection - init connection research.sunbelt-software.com/threatdisplay.aspx?name=Nuclear%20RAT&threatid=43578 6454 attempted-user 2002-1643 tcp $EXTERNAL_NET any -> $HOME_NET 554 flow:established,to_server; content:"GET "; depth:4; nocase; isdataat:200; content:!"|0A|"; depth:200; classtype:attempted-user; 13694 EXPLOIT RealNetworks Helix RTSP long get request exploit attempt 6454 attempted-user 2002-1643 tcp $EXTERNAL_NET any -> $HOME_NET 554 flow:to_server,established; content:"SETUP"; depth:5; nocase; isdataat:256,relative; content:!"|0A|"; within:256; metadata:service rtsp; classtype:attempted-user; 13695 EXPLOIT RealNetworks Helix RTSP long setup request exploit attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:".htgroup"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1374 WEB-MISC .htgroup access attempted-recon tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"GET x HTTP/1.0"; depth:15; metadata:service http; classtype:attempted-recon; 1375 WEB-MISC sadmind worm access www.cert.org/advisories/CA-2001-11.html 3592 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/?.jsp"; http_uri; metadata:service http; classtype:web-application-attack; 1376 WEB-MISC jrun directory browse attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"uid="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"SystemDefender"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*SystemDefender/smiH"; classtype:misc-activity; 13762 SPYWARE-PUT Adware system defender runtime detection www.enigmasoftware.com/support/systemdefender-removal/ misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/order.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"id="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.winxdefender.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Ewinxdefender\x2Ecom/smiH"; classtype:misc-activity; 13765 SPYWARE-PUT Adware winxdefender runtime detection - presale request www.411-spyware.com/remove-winxdefender misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/checkupdate.php"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"WinXDefender.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*WinXDefender\x2Ecom/smiH"; classtype:misc-activity; 13766 SPYWARE-PUT Adware winxdefender runtime detection - auto update www.411-spyware.com/remove-winxdefender successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; flowbits:isset,cyberSitter_detection; content:"CYBERsitter"; nocase; content:"appears"; distance:0; nocase; content:"to"; distance:0; nocase; content:"be"; distance:0; nocase; content:"functioning"; distance:0; nocase; pcre:"/CYBERsitter\s+appears\s+to\s+be\s+functioning/smi"; classtype:successful-recon-limited; 13768 SPYWARE-PUT Keylogger cyber sitter runtime detection www.spywareguide.com/spydet_1056_cybersitter.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/response.php?"; fast_pattern; nocase; http_uri; content:"search="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"searchnine.cn"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*searchnine\x2Ecn/smiH"; classtype:misc-activity; 13769 SPYWARE-PUT Hijacker searchnine toolbar runtime detection - hijacks address bar spywarefiles.prevx.com/spywarefiles.asp?FXC=DJFC24641892 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/s?"; nocase; http_uri; content:"tn=searchnine_dg"; fast_pattern; nocase; http_uri; content:"wd="; nocase; http_uri; classtype:misc-activity; 13770 SPYWARE-PUT Hijacker searchnine toolbar runtime detection - redirects search function spywarefiles.prevx.com/spywarefiles.asp?FXC=DJFC24641892 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.html?"; fast_pattern; nocase; http_uri; content:"catch="; nocase; http_uri; content:"keywords="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"musicoffaith"; nocase; http_header; pcre:"/^Host\x3a[^\r\n].*musicoffaith/smiH"; classtype:misc-activity; 13771 SPYWARE-PUT Hijacker music of faith toolbar runtime detection - hijacks search engine traffic #1 www.spywareterminator.com/item/3836/MusicOfFaith.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/dosearch/search.html?"; fast_pattern; nocase; http_uri; content:"EngineID=musicoffaith"; nocase; http_uri; content:"LinkID="; nocase; http_uri; content:"refer=mof_toolbar"; nocase; http_uri; content:"keywords="; nocase; http_uri; classtype:misc-activity; 13772 SPYWARE-PUT Hijacker music of faith toolbar runtime detection - hijacks search engine traffic #2 www.spywareterminator.com/item/3836/MusicOfFaith.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/in.cgi?"; nocase; http_uri; content:"group="; nocase; http_uri; content:"Host|3A|"; nocase; content:"theonlybookmark.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*theonlybookmark\x2ecom/smi"; classtype:misc-activity; 13774 SPYWARE-PUT Trickler trojan ecodec runtime detection - initial server connection #1 virusinfo.prevx.com/viruscenter.asp?GRP=4812100013 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/spbrn/cinst.php?"; nocase; http_uri; content:"affid="; nocase; http_uri; content:"Host|3A|"; nocase; content:"safe-strip-download.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*safe-strip-download\x2ecom/smi"; classtype:misc-activity; 13775 SPYWARE-PUT Trickler trojan ecodec runtime detection - initial server connection #2 virusinfo.prevx.com/viruscenter.asp?GRP=4812100013 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/order.php?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"id="; nocase; http_uri; content:"context="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.sys-cleaner.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Esys-cleaner\x2Ecom/smiH"; classtype:successful-recon-limited; 13776 SPYWARE-PUT Trackware syscleaner runtime detection - presale traffic spywaredetector.net/spyware_encyclopedia/Fake%20Anti%20Spyware.SysCleaner.htm successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/get_lic.php?"; fast_pattern; nocase; http_uri; content:"action="; nocase; http_uri; content:"id="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"context="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"SysCleaner"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*SysCleaner/smiH"; classtype:successful-recon-limited; 13777 SPYWARE-PUT Trackware syscleaner runtime detection - get update spywaredetector.net/spyware_encyclopedia/Fake%20Anti%20Spyware.SysCleaner.htm successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"<TIT= LE> KGB log </TITLE>"; fast_pattern:only; classtype:successful-recon-limited; 13778 SPYWARE-PUT Keylogger kgb employee monitor runtime detection www.spywareremove.com/removeKGBKeylogger.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/xml_toolbar.php"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"www.proofile.com"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Toolbar/smiH"; pcre:"/^Host\x3a[^\r\n]*www\x2Eproofile\x2Ecom/smiH"; classtype:successful-recon-limited; 13779 SPYWARE-PUT Trackware proofile toolbar runtime detection research.sunbelt-software.com/threatdisplay.aspx?name=Proofile%20Toolbar&threatid=127931 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"aid="; nocase; http_uri; content:"sid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.find.fm"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Efind\x2Efm/smiH"; classtype:misc-activity; 13780 SPYWARE-PUT Hijacker find.fm toolbar runtime detection - automatic updates www.spywaresignatures.com/details.php?spyware=find.fmtoolbar misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search.php?"; fast_pattern; nocase; http_uri; content:"aid="; nocase; http_uri; content:"sid="; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.find.fm"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Efind\x2Efm/smiH"; classtype:misc-activity; 13781 SPYWARE-PUT Hijacker find.fm toolbar runtime detection - hijacks address bar www.spywaresignatures.com/details.php?spyware=find.fmtoolbar misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/keyword/keyword_list.php"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"EzReward"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*EzReward/smiH"; classtype:misc-activity; 13782 SPYWARE-PUT Hijacker ezreward runtime detection www.sophos.com/security/analyses/adware-and-puas/ezreward.html 28730 attempted-admin 2008-1910 tcp $EXTERNAL_NET any -> $HOME_NET 3050 flow:to_server,established; content:"|00 00 00|R"; depth:4; byte_test:4,>,848,8; classtype:attempted-admin; 13804 MISC Borland Software InterBase ibserver.exe Service Attach Request buffer overflow attempt 15356 attempted-user 2005-2124 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; flowbits:isset,wmf.download; content:"|00 09 00|"; content:"|FF FF FF|"; distance:12; content:"|00|"; within:1; distance:2; pcre:"/[\x00\x01]\x00\x09\x00.*?\xff\xff\xff[\xff\xf7][\x36\x37]\x00/smi"; metadata:service http; classtype:attempted-user; 13807 WEB-CLIENT Windows metafile SetPaletteEntries heap overflow attempt www.microsoft.com/technet/security/bulletin/ms05-053.mspx misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/index.php?"; nocase; http_uri; content:"la=order"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"ieantivirus.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ieantivirus\x2Ecom/smiH"; classtype:misc-activity; 13808 SPYWARE-PUT Adware ie antivirus runtime detection - presale request www.411-spyware.com/remove-ie-antivirus-3-2 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/updates.php?"; nocase; http_uri; content:"data1="; nocase; http_uri; content:"data2="; nocase; http_uri; content:"data3="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"ieantivirus.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ieantivirus\x2Ecom/smiH"; classtype:misc-activity; 13809 SPYWARE-PUT Adware ie antivirus runtime detection - update request www.411-spyware.com/remove-ie-antivirus-3-2 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/order_xp.php?"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"liveresponsesite.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*liveresponsesite\x2Ecom/smiH"; classtype:misc-activity; 13811 SPYWARE-PUT Adware xp antivirus runtime detection www.spywareguide.com/spydet_27817_xpantivirus.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"NextPart_2"; nocase; content:"<TIT=|0D 0A|LE>REFOG log</TITLE>"; fast_pattern:only; classtype:successful-recon-limited; 13812 SPYWARE-PUT Keylogger refog Keylogger runtime detection www.refog.com misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"MZKERNEL32.DLL"; nocase; content:"LoadLibraryA"; distance:0; nocase; content:"GetProcAddress"; distance:0; nocase; pcre:"/^MZKERNEL32\x2eDLL\x00\x00LoadLibraryA\x00\x00\x00\x00GetProcAddress/smi"; classtype:misc-activity; 13813 SPYWARE-PUT Trickler mm.exe runtime detection www.fbmsoftware.com/spyware-net/process/mm_exe/1960/ trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"ZOMBIES_HTTP_GET"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*ZOMBIES\x5fHTTP\x5fGET/smiH"; classtype:trojan-activity; 13815 BACKDOOR zombget.03 runtime detection www.pctools.com/mrc/infections/id/Trojan-Downloader.ZombGet/ misc-attack tcp any any -> any 6666:7000 flow:to_server,established; content:"PRIVMSG"; fast_pattern:only; content:"nickserv"; nocase; content:"IDENTIFY"; nocase; isdataat:100,relative; pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"; classtype:misc-attack; 1382 EXPLOIT CHAT IRC Ettercap parse overflow attempt www.bugtraq.org/dev/GOBBLES-12.txt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/viperML/phoenician/phoenician.cab"; fast_pattern; nocase; http_uri; classtype:misc-activity; 13847 SPYWARE-PUT Adware phoenician casino runtime detection www.spywareguide.com/spydet_3441_phoenician_casino.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/registration/logins.jhtml?"; fast_pattern; nocase; http_uri; content:"caller=desktop"; nocase; http_uri; content:"action=check"; nocase; http_uri; content:"username="; nocase; http_uri; content:"dt="; nocase; http_uri; classtype:misc-activity; 13848 SPYWARE-PUT Trickler zwinky runtime detection www.emsisoft.net/fr/malware/?Adware.Win32.Zwinky_Test misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/10025rel/landing.php"; fast_pattern:only; content:"Rabio|3A|"; nocase; content:"RCSE"; distance:0; nocase; pcre:"/^Rabio\x3a[^\r\n]*RCSE/smi"; classtype:misc-activity; 13849 SPYWARE-PUT Hijacker rcse 4.4 runtime detection - hijack ie browser www.spywareguide.com/spydet_3770_rabio.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?"; nocase; http_uri; content:"VER="; nocase; http_uri; content:"AdID="; nocase; http_uri; content:"UID="; nocase; http_uri; content:"SURL="; nocase; http_uri; content:"Host="; nocase; http_uri; content:"ConditionID="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"show.newroogoo.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*show\x2enewroogoo\x2ecom/smiH"; classtype:misc-activity; 13850 SPYWARE-PUT Adware roogoo 2.0 runtime detection - popup ads www3.ca.com/securityadvisor/pest/pest.aspx?id=453097966 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/upgrade/?"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"fromid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"show.newRooGoo.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*show\x2enewRooGoo\x2ecom/smiH"; classtype:misc-activity; 13851 SPYWARE-PUT Adware roogoo 2.0 runtime detection - upgrade www3.ca.com/securityadvisor/pest/pest.aspx?id=453097966 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/banner.php?"; nocase; http_uri; content:"skin=Flexi.skf"; fast_pattern; nocase; http_uri; classtype:misc-activity; 13852 SPYWARE-PUT Hijacker bitroll 5.0 runtime detection www.spywareremove.com/removeBitroll.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/widgets/weather/tb"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"widget.alot.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*widget\x2ealot\x2ecom/smiH"; classtype:misc-activity; 13853 SPYWARE-PUT Hijacker alot toolbar runtime detection - weather request www.spywareremove.com/removeALOTToolbar.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/update/update_configs/update_config_11077_0.xml?"; fast_pattern; nocase; http_uri; content:"src_id="; nocase; http_uri; content:"camp_id="; nocase; http_uri; content:"tb_version="; nocase; http_uri; content:"pr=tbar"; nocase; http_uri; content:"client_id="; nocase; http_uri; content:"install_time="; nocase; http_uri; classtype:misc-activity; 13854 SPYWARE-PUT Hijacker alot toolbar runtime detection - auto update www.spywareremove.com/removeALOTToolbar.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"/pop.php"; nocase; content:"User-Agent|3A|"; nocase; http_header; content:"SpeedRunner"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*SpeedRunner/smiH"; classtype:successful-recon-limited; 13855 SPYWARE-PUT Trackware speed runner runtime detection www.bleepingcomputer.com/startups/SpeedRunner-22778.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/binaries/2/2_mslagent.dll"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"HTTPRequest"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*HTTPRequest/smiH"; classtype:trojan-activity; 13856 BACKDOOR wintrim.z runtime detection www.spywareguide.com/product_show.php?id=2225 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/r.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"pn="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"said="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"directnameservice2008.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*directnameservice2008\x2ecom/smiH"; classtype:successful-recon-limited; 13866 SPYWARE-PUT Trackware adclicker-fc.gen.a runtime detection - popup ads www.threatexpert.com/report.aspx?uid=c2699ec8-6cd1-4ad1-ace5-f29bb1133d91 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?"; nocase; http_uri; content:"cmpname="; nocase; http_uri; content:"gai="; nocase; http_uri; content:"gli="; nocase; http_uri; content:"gff="; nocase; http_uri; content:"ed="; nocase; http_uri; content:"ex="; nocase; http_uri; content:"eu="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"intervarioclick.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*intervarioclick\x2ecom/smiH"; classtype:successful-recon-limited; 13867 SPYWARE-PUT Trackware adclicker-fc.gen.a runtime detection www.threatexpert.com/report.aspx?uid=c2699ec8-6cd1-4ad1-ace5-f29bb1133d91 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"gai="; nocase; http_uri; content:"gli="; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr=UASM"; fast_pattern; nocase; http_uri; content:"err="; nocase; http_uri; classtype:misc-activity; 13868 SPYWARE-PUT Adware antispywaremaster runtime detection - start fake scanning www.xp-vista.com/spyware-removal/antispywaremaster-antispyware-master-removal-instructions misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/data/sale.php?"; fast_pattern; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr=UASM"; nocase; http_uri; content:"nid=UASM"; nocase; http_uri; classtype:misc-activity; 13869 SPYWARE-PUT Adware antispywaremaster runtime detection - sale/register request www.xp-vista.com/spyware-removal/antispywaremaster-antispyware-master-removal-instructions misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/87/param.aspx?"; fast_pattern; nocase; http_uri; content:"groupID="; nocase; http_uri; content:"spaceIDs="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"ver=5.0.0.87"; nocase; http_uri; classtype:misc-activity; 13870 SPYWARE-PUT Adware coopen 5.0.0.87 runtime detection - init conn www.spywaresignatures.com/details.php?spyware=coopen misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/Adpic/"; fast_pattern; nocase; http_uri; content:".jpg"; nocase; http_uri; pcre:"/\x2fAdpic\x2f\d+\x2f\d+ad\x28\d+\x2c\d+\x2c\d+\x2c\d+\x29\x2ejpg/Ui"; classtype:misc-activity; 13871 SPYWARE-PUT Adware coopen 5.0.0.87 runtime detection - ads www.spywaresignatures.com/details.php?spyware=coopen misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/sobar/notice/notice_baiducb.txt?"; fast_pattern; nocase; http_uri; content:"tn=funshion"; nocase; http_uri; content:"ss="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"bar-get"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*bar\x2dget/smiH"; classtype:misc-activity; 13872 SPYWARE-PUT Trickler fushion 1.2.4.17 runtime detection - notice www.siteadvisor.pl/sites/funshion.com/downloads/11570528/ misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/account_logout"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"xikee.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*xikee\x2ecom/smiH"; classtype:misc-activity; 13873 SPYWARE-PUT Trickler fushion 1.2.4.17 runtime detection - underground traffic www.siteadvisor.pl/sites/funshion.com/downloads/11570528/ misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/order.php?"; nocase; http_uri; content:"date="; nocase; http_uri; content:"currentDate="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.malwaredestructor.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2emalwaredestructor\x2ecom/smiH"; classtype:misc-activity; 13874 SPYWARE-PUT Adware malware destructor 4.5 runtime detection - order request www.symantec.com/security_response/writeup.jsp?docid=2007-090713-4427-99 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/application/appver.php"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"MalwareDestructor"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*MalwareDestructor/smiH"; classtype:misc-activity; 13875 SPYWARE-PUT Adware malware destructor 4.5 runtime detection - auto update www.symantec.com/security_response/writeup.jsp?docid=2007-090713-4427-99 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/inst/setup_"; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/\x2finst\x2fsetup\x5f\d+\x5f\d+\x5f\x2eexe/Ui"; content:"Host|3A| dl.winspywareprotects.com"; nocase; classtype:trojan-activity; 13876 BACKDOOR zlob.acc runtime detection www.spywarelib.com/removal-info/Trojan-Downloader.Zlob.acc/ trojan-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,Trojan-Spy.Win32.Delf.uv_Detection; content:"[|00|u|00|p|00|d|00|a|00|t|00|e|00|]"; content:"[|00|p|00|o|00|p|00|w|00|i|00|n|00|]"; classtype:trojan-activity; 13878 BACKDOOR trojan-spy.win32.delf.uv runtime detection research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Spy.Win32.Delf.uv&threatid=134949 3723 misc-attack 2007-2386 udp $EXTERNAL_NET any -> $HOME_NET any content:"Location"; fast_pattern:only; pcre:"/^Location\s*\x3a\s*\w+\x3a\/\/([^\n]*\x3a)?[^\n]{128}/smi"; classtype:misc-attack; 1388 MISC UPnP Location overflow attempt 10829 www.microsoft.com/technet/security/bulletin/MS01-059.mspx 3769 misc-attack 2002-0005 tcp $AIM_SERVERS any -> $HOME_NET any flow:to_client,established; content:"aim|3A|AddGame?"; fast_pattern:only; classtype:misc-attack; 1393 MISC AIM AddGame attempt www.w00w00.org/files/w00aimexp/ misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/2009/order/index.html?"; fast_pattern; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr=UPCPC"; nocase; http_uri; content:"nid=UPCPC"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"UPCPC"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*UPCPC/smiH"; classtype:misc-activity; 13930 SPYWARE-PUT Trickler pc privacy cleaner runtime detection - order/register request www.xp-vista.com/spyware-removal/pcprivacycleaner-pc-privacy-cleaner-removal-instructions misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"proto="; nocase; http_uri; content:"ac="; nocase; http_uri; content:"abbr=UPCPC"; nocase; http_uri; content:"v="; nocase; http_uri; content:"rc=UPCPC"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"PcPcUpdater"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*PcPcUpdater/smiH"; classtype:misc-activity; 13931 SPYWARE-PUT Trickler pc privacy cleaner runtime detection - auto update www.xp-vista.com/spyware-removal/pcprivacycleaner-pc-privacy-cleaner-removal-instructions successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/bc/ip.php"; nocase; content:"User-Agent|3A|"; nocase; http_header; content:"opera"; nocase; http_header; content:"Host|3A| rightonadz.biz"; distance:0; nocase; pcre:"/^User-Agent\x3a[^\r\n]*opera/smiH"; pcre:"/^Host\x3a[^\r\n]*rightonadz\x2ebiz/smiH"; classtype:successful-recon-limited; 13932 SPYWARE-PUT Trackware rightonadz.biz adrotator runtime detection - post user info to remote server www.nettrafficchat.com/showthread.php?t=1347 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/bc/123kah.php"; fast_pattern:only; content:"Host|3A|"; nocase; http_header; content:"rightonadz.biz"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*rightonadz\x2ebiz/smiH"; classtype:successful-recon-limited; 13933 SPYWARE-PUT Trackware rightonadz.biz adrotator runtime detection - ads www.nettrafficchat.com/showthread.php?t=1347 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/jump.php?"; nocase; http_uri; content:"wmid="; nocase; http_uri; content:"mid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"softwarereferral.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*softwarereferral\x2ecom/smiH"; classtype:misc-activity; 13934 SPYWARE-PUT Hijacker mediatubecodec 1.470.0 runtime detection - hijack ie research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.NewMediaCodec&threatid=149335 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/thandler.php?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"safewebnavigate2008.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*safewebnavigate2008\x2ecom/smiH"; classtype:misc-activity; 13935 SPYWARE-PUT Hijacker mediatubecodec 1.470.0 runtime detection - download other malware research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.NewMediaCodec&threatid=149335 misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,Dropper_Agent.rqg_Detection; content:"|7C|http|3A|//xxx.ads555.com/rj/cc1.exe|7C|"; classtype:misc-activity; 13936 SPYWARE-PUT Trickler dropper agent.rqg runtime detection - call home virscan.org/report/2b00cbb9a861bd3dd79ef19a75de92f8.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/topnew/passdomain.txt"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.web228.cn"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2eweb228\x2ecn/smiH"; classtype:misc-activity; 13937 SPYWARE-PUT Hijacker adware.win32.ejik.ec variant runtime detection - call home www.emsisoft.fr/fr/malware/?Adware.Win32.Ejik.ec misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,AdWare_Ejik.ec_Detection; content:"|3B|aa88.dll|3B|"; pcre:"/^\d+\x3baa88\x2edll\x3b\d+\x3b/smi"; classtype:misc-activity; 13939 SPYWARE-PUT Hijacker adware.win32.ejik.ec variant runtime detection - auto update www.emsisoft.fr/fr/malware/?Adware.Win32.Ejik.ec misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/105/bmw.q?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"44.770304123.cn"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*44\x2e770304123\x2ecn/smiH"; classtype:misc-activity; 13940 SPYWARE-PUT Hijacker win32.bho.bgf runtime detection www.threatexpert.com/report.aspx?uid=77b8d3c8-e630-4719-b6fd-b5461820d8f1 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/in.cgi?"; nocase; http_uri; content:"key="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"bfirst.info"; nocase; http_header; classtype:trojan-activity; 13941 BACKDOOR trojan agent.nac runtime detection - click fraud research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.Win32.Agent.nac&threatid=234088 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/fd/sea.php?"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"User-Agent|3A| clk_jdfhid"; nocase; http_header; classtype:trojan-activity; 13942 BACKDOOR trojan agent.nac runtime detection - call home research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.Win32.Agent.nac&threatid=234088 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/grand/data/whitelist.txt"; nocase; http_uri; classtype:trojan-activity; 13944 BACKDOOR trojan downloader small.gy runtime detection - get whitelist www.iss.net/security_center/reference/vuln/Trojan.Spy.Small.GY.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/grand/addme.php?"; nocase; http_uri; content:"botid="; nocase; http_uri; content:"port="; nocase; http_uri; content:"smtp="; nocase; http_uri; content:"ipstring="; nocase; http_uri; content:"connect,ok"; nocase; http_uri; classtype:trojan-activity; 13945 BACKDOOR trojan downloader small.gy runtime detection - update www.iss.net/security_center/reference/vuln/Trojan.Spy.Small.GY.html 3517 misc-attack 2001-0803 tcp $EXTERNAL_NET any -> $HOME_NET 6112 flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; classtype:misc-attack; 1398 EXPLOIT CDE dtspcd exploit attempt 10833 www.cert.org/advisories/CA-2002-01.html 30341 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.m3u.download; content:"Content-Length"; nocase; http_header; pcre:"/Content-Length\x3a\s*(\d{7}|[5-9]\d{5})/iH"; metadata:service http; classtype:attempted-user; 14019 WEB-CLIENT CyberLink PowerDVD playlist file handling stack overflow attempt 30341 attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.pls.download; content:"Content-Length"; nocase; http_header; pcre:"/Content-Length\x3a\s*(\d{7}|[5-9]\d{5})/iH"; metadata:service http; classtype:attempted-user; 14020 WEB-CLIENT CyberLink PowerDVD playlist file handling stack overflow attempt misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/update/info"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"AdwareAlert"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*AdwareAlert/smiH"; classtype:misc-activity; 14054 SPYWARE-PUT Adware AdwareALERT runtime detection - auto update www.411-spyware.com/remove-adwarealert misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/dirsrch/default.asp?"; fast_pattern; nocase; http_uri; content:"MT="; nocase; http_uri; content:"mode=toolbar"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"search.rediff.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*search\x2erediff\x2ecom/smiH"; classtype:misc-activity; 14055 SPYWARE-PUT Hijacker rediff toolbar runtime detection - hijack ie auto search www.fbmsoftware.com/spyware-net/application/Rediff_Toolbar/ misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/toolbar/"; nocase; http_uri; content:"/news.xml"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"server.toolbar.rediff.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*server\x2etoolbar\x2erediff\x2ecom/smiH"; classtype:misc-activity; 14056 SPYWARE-PUT Hijacker rediff toolbar runtime detection - get news info www.fbmsoftware.com/spyware-net/application/Rediff_Toolbar/ successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/murzilka2//data.php"; fast_pattern:only; content:"phid="; nocase; content:"lg="; nocase; content:"user="; nocase; content:"User-Agent|3A|"; nocase; http_header; content:"DMFR"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*DMFR/smiH"; classtype:successful-recon-limited; 14057 SPYWARE-PUT Trackware murzilka2 runtime detection www.liveinternet.ru/users/murzilka2/ misc-activity udp $HOME_NET any -> $EXTERNAL_NET 80 content:"|01 0F|_H"; depth:4; content:"|00 00 00|"; offset:26; nocase; content:"|00 00|http|3A|//"; offset:1; nocase; classtype:misc-activity; 14058 SPYWARE-PUT Hijacker cpush 2 runtime detection - pass info to controlling server www.symantec.com/security_response/writeup.jsp?docid=2007-031215-0744-99 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/fav.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"t="; nocase; http_uri; content:"u="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"CPUSH_HOMEPAGE"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*CPUSH\x5fHOMEPAGE/smiH"; classtype:misc-activity; 14059 SPYWARE-PUT Hijacker cpush 2 runtime detection - hijack ie home page www.symantec.com/security_response/writeup.jsp?docid=2007-031215-0744-99 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cpush/version.txt?"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"CPUSH_UPDATER"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*CPUSH\x5fUPDATER/smiH"; classtype:misc-activity; 14060 SPYWARE-PUT Hijacker cpush 2 runtime detection - auto update www.symantec.com/security_response/writeup.jsp?docid=2007-031215-0744-99 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/2009/order/index.html?"; fast_pattern; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr=3P_UAMG"; nocase; http_uri; content:"aa="; nocase; http_uri; content:"al="; nocase; http_uri; content:"af="; nocase; http_uri; content:"an="; nocase; http_uri; content:"addt="; nocase; http_uri; content:"nid=3P_UAMG"; nocase; http_uri; classtype:misc-activity; 14061 SPYWARE-PUT Trickler antimalware guard runtime detection - order/register request www.xp-vista.com/spyware-removal/antimalwareguard-antimalware-guard-removal-instructions misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?"; nocase; http_uri; content:"proto="; nocase; http_uri; content:"ac="; nocase; http_uri; content:"abbr=3P_UAMG"; fast_pattern; nocase; http_uri; content:"v="; nocase; http_uri; content:"rc=3P_UAMG"; nocase; http_uri; classtype:misc-activity; 14062 SPYWARE-PUT Trickler antimalware guard runtime detection - auto update www.xp-vista.com/spyware-removal/antimalwareguard-antimalware-guard-removal-instructions misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search/search.php?"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.cashon.co.kr"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2ecashon\x2eco\x2ekr/smiH"; classtype:misc-activity; 14063 SPYWARE-PUT Hijacker cashon runtime detection - hijack ie searches vil.nai.com/vil/content/v_142287.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/app/cashonband/bin/CashOnUpdate.exe"; fast_pattern; nocase; http_uri; classtype:misc-activity; 14064 SPYWARE-PUT Hijacker cashon runtime detection - auto update vil.nai.com/vil/content/v_142287.htm successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/th/script.php?"; nocase; content:"boundary=--__abcd-xyz789__--"; distance:0; nocase; content:"name=|22|Module|22 0D 0A 0D 0A|"; distance:0; nocase; content:"IE"; distance:0; nocase; pcre:"/name\x3d\x22Module\x22\x0d\x0a\x0d\x0a(IEGrabber|IEInjector|IEFaker|IEKeylogger|IETanGrabber|IEScrGrabber|IECertGrab|IEFileGrabber)/smi"; classtype:successful-recon-limited; 14065 SPYWARE-PUT Keylogger emptybase j runtime detection www.sophos.com/security/analyses/viruses-and-spyware/malencpkay.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/tba/cm"; nocase; content:"Host|3A|"; nocase; http_header; content:"ads.netbios-local.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ads\x2enetbios\x2dlocal\x2ecom/smiH"; classtype:misc-activity; 14067 SPYWARE-PUT Adware swizzor runtime detection www.411-spyware.com/remove-swizzor misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/st?"; nocase; http_uri; content:"ad_type=pop"; nocase; http_uri; content:"ad_size="; nocase; http_uri; content:"section="; nocase; http_uri; content:"banned_pop_types="; nocase; http_uri; content:"pop_times="; nocase; http_uri; content:"http|3A|//mtn5.goole.ws/ac.php"; distance:0; nocase; pcre:"/^Referer\x3a[^\r\n]*http\x3A\x2F\x2Fmtn5\x2Egoole\x2Ews\x2Fac\x2Ephp/smi"; classtype:misc-activity; 14068 SPYWARE-PUT Adware rond runtime detection www.spywaredetector.net/spyware_encyclopedia/Adware.Rond.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/buy.php?"; nocase; http_uri; content:"advid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.bravesentry.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2ebravesentry\x2ecom/smiH"; classtype:misc-activity; 14069 SPYWARE-PUT Adware brave sentry runtime detection - order request www.spywareremove.com/removeBravesentry.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/update.php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"d="; nocase; http_uri; content:"vs="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.bravesentry.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2ebravesentry\x2ecom/smiH"; classtype:misc-activity; 14070 SPYWARE-PUT Adware brave sentry runtime detection - self update www.spywareremove.com/removeBravesentry.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/id/"; nocase; http_uri; content:"free-viruscan.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*free\x2Dviruscan\x2Ecom/smi"; classtype:misc-activity; 14071 SPYWARE-PUT Hijacker Adware bho.gen runtime detection - pop-up window traffic #1 www.pctools.com/mrc/infections/id/Adware.BHO.GEN/ misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?pp"; nocase; http_uri; content:"id="; nocase; http_uri; content:"free-viruscan.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*free\x2Dviruscan\x2Ecom/smi"; classtype:misc-activity; 14072 SPYWARE-PUT Hijacker Adware bho.gen runtime detection - pop-up window traffic #2 www.pctools.com/mrc/infections/id/Adware.BHO.GEN/ misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/download.php"; nocase; http_uri; content:"ieantivirus.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*ieantivirus\x2Ecom/smi"; classtype:misc-activity; 14073 SPYWARE-PUT Hijacker Adware bho.gen runtime detection - prompt download page www.pctools.com/mrc/infections/id/Adware.BHO.GEN/ successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A| SpyBoss Pro - Log File Mailing"; fast_pattern:only; content:"X-Mailer|3A| SpyBoss Pro"; nocase; classtype:successful-recon-limited; 14074 SPYWARE-PUT Keylogger spybosspro 4.2 runtime detection www.411-spyware.com/remove/spyboss-pro successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Subject|3A| Ultimate Keylogger Report from"; fast_pattern:only; content:"Activity Report from Ultimate"; nocase; classtype:successful-recon-limited; 14075 SPYWARE-PUT Keylogger ultimate Keylogger pro runtime detection www.411-spyware.com/remove-ultimate-keylogger misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/search/"; nocase; http_uri; content:"q="; nocase; http_uri; content:"pstv="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.powersearchtool.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2epowersearchtool\x2ecom/smiH"; classtype:misc-activity; 14076 SPYWARE-PUT Hijacker Adware win32 mostofate runtime detection - hijack search www.f-secure.com/sw-desc/adware_w32_mostofate.shtml misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/results/?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"pstv="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.powersearchtool.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2epowersearchtool\x2ecom/smiH"; classtype:misc-activity; 14077 SPYWARE-PUT Hijacker Adware win32 mostofate runtime detection - redirect search results www.f-secure.com/sw-desc/adware_w32_mostofate.shtml trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/scripts/worker.php"; nocase; content:"Host|3A|"; nocase; http_header; content:"hujashka.com"; nocase; http_header; classtype:trojan-activity; 14081 BACKDOOR trojan agent.aarm runtime detection - call home www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.AARM&VSect=T trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/spm/"; nocase; http_uri; content:"id="; nocase; http_uri; content:"tick="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"smtp="; nocase; http_uri; classtype:trojan-activity; 14082 BACKDOOR trojan agent.aarm runtime detection - spread via spam www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.AARM&VSect=T trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/retadpu.php?"; nocase; http_uri; content:"version="; nocase; http_uri; content:"configversion="; nocase; http_uri; content:"GUID="; nocase; http_uri; content:"cmd="; nocase; http_uri; content:"p="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"wr.mcboo.com"; nocase; http_header; classtype:trojan-activity; 14083 BACKDOOR trojan agent.aarm runtime detection - download other malware www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.AARM&VSect=T trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/panel/cfg.bin"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"leacherz.net"; nocase; http_header; classtype:trojan-activity; 14084 BACKDOOR infostealer.banker.c runtime detection - download cfg.bin www.symantec.com/business/security_response/writeup.jsp?docid=2007-040208-5335-99 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/panel/s.php?"; nocase; content:"Host|3A|"; nocase; http_header; content:"leacherz.net"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*leacherz\x2enet/smiH"; classtype:trojan-activity; 14085 BACKDOOR infostealer.banker.c runtime detection - collect user info www.symantec.com/business/security_response/writeup.jsp?docid=2007-040208-5335-99 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?VFJDSz0"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.visit-tracker.biz"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Evisit\x2Dtracker\x2Ebiz/smiH"; classtype:trojan-activity; 14086 BACKDOOR Adware.Win32.Agent.BM runtime detection #1 www.threatexpert.com/threats/not-a-virus-adware-win32-agent-bm.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/template/top.html"; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"http|3A|//www.visit-tracker.biz/?VFJDSz0"; nocase; http_header; pcre:"/^Referer\x3a[^\r\n]*http\x3A\x2F\x2Fwww\x2Evisit\x2Dtracker\x2Ebiz\x2F\x3FVFJDSz0/smiH"; classtype:trojan-activity; 14087 BACKDOOR Adware.Win32.Agent.BM runtime detection #2 www.threatexpert.com/threats/not-a-virus-adware-win32-agent-bm.html 4089 misc-attack 2002-0013 udp $EXTERNAL_NET any -> $HOME_NET 161:162 flow:to_server; content:"|02 01 00 04 82 01 00|"; offset:4; metadata:service snmp; classtype:misc-attack; 1409 SNMP community string buffer overflow attempt www.cert.org/advisories/CA-2002-03.html misc-activity tcp $HOME_NET 31785 -> $EXTERNAL_NET any flow:established,from_server; content:"host"; classtype:misc-activity; 141 BACKDOOR HackAttack 1.20 Connect 7212 attempted-recon 2002-0013 tcp $EXTERNAL_NET any -> $HOME_NET 161 flow:to_server,established; content:"public"; metadata:service snmp; classtype:attempted-recon; 1412 SNMP public access tcp 7212 attempted-recon 2002-0013 udp $EXTERNAL_NET any -> $HOME_NET 161 flow:to_server; content:"private"; metadata:service snmp; classtype:attempted-recon; 1413 SNMP private access udp 4132 attempted-recon 2002-0013 tcp $EXTERNAL_NET any -> $HOME_NET 161 flow:to_server,established; content:"private"; metadata:service snmp; classtype:attempted-recon; 1414 SNMP private access tcp 4089 misc-attack 2002-0013 udp $EXTERNAL_NET any -> $HOME_NET 161:162 flow:to_server; content:" |04 82 01 00|"; depth:5; offset:7; metadata:service snmp; classtype:misc-attack; 1422 SNMP community string buffer overflow attempt with evasion www.cert.org/advisories/CA-2002-03.html misc-attack udp $EXTERNAL_NET any -> $HOME_NET 161 content:"0&|02 01 00 04 06|public|A0 19 02 01 00 02 01 00 02 01 00|0|0E|0|0C 06 08|+|06 01 02 01 01 05 00 05 00|"; fast_pattern:only; metadata:service snmp; classtype:misc-attack; 1426 SNMP PROTOS test-suite-req-app attempt www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html web-application-attack 2008-3007 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:web-application-attack; metadata: engine shared, soid 3|14262; 14262 WEB-CLIENT OneNote iframe caller exploit attempt www.microsoft.com/technet/security/bulletin/MS08-055.mspx misc-attack udp $EXTERNAL_NET any -> $HOME_NET 162 content:"08|02 01 00 04 06|public|A4|+|06|"; fast_pattern:only; metadata:service snmp; classtype:misc-attack; 1427 SNMP PROTOS test-suite-trap-app attempt www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/.history"; http_uri; metadata:service http; classtype:web-application-attack; 1433 WEB-MISC .history access 337 web-application-attack 1999-0408 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/.bash_history"; http_uri; metadata:service http; classtype:web-application-attack; 1434 WEB-MISC .bash_history access misc-activity tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 flow:to_server,established; content:"Girl"; classtype:misc-activity; 145 BACKDOOR GirlFriendaccess trojan-activity tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any flow:established,from_server; content:"NetSphere"; classtype:trojan-activity; 146 BACKDOOR NetSphere access 24765 attempted-user 2007-3624 tcp $EXTERNAL_NET any -> $HOME_NET [8100,3600] flow:to_server,established; content:"GET /msgserver/html/group?group="; nocase; isdataat:498,relative; content:!" "; within:498; classtype:attempted-user; 14600 EXPLOIT SAP Message Server Heap buffer overflow attempt 25917 attempted-user 2007-5244 tcp $EXTERNAL_NET any -> $HOME_NET 3050 flow:to_server,established; content:"|00 00 00 13|"; byte_test:4,>,1024,4,relative; classtype:attempted-user; 14602 EXPLOIT Borland Interbase open_marker_file overflow attempt 23648 attempted-admin 2007-2293 udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Content-Type|3A|"; nocase; content:"application/sdp"; distance:0; nocase; content:"a=T38FaxRateManagement|3A|"; distance:0; nocase; pcre:"/^Content-Type\x3A\s+application\x2Fsdp/smi"; pcre:"/^a=T38FaxRateManagement\x3A[^\r\n]{256}/smi"; classtype:attempted-admin; 14608 VOIP-SIP SDP T.38 fax rate management attribute possible buffer overflow 23648 attempted-admin 2007-2293 udp $EXTERNAL_NET any -> $HOME_NET 5060 content:"Content-Type|3A|"; nocase; content:"application/sdp"; distance:0; nocase; content:"a=T38FaxUdpEC|3A|"; distance:0; nocase; pcre:"/^Content-Type\x3A\s+application\x2Fsdp/smi"; pcre:"/^a=T38FaxUdpEC\x3A[^\r\n]{256}/smi"; classtype:attempted-admin; 14609 VOIP-SIP SDP T.38 fax UDP EC attribute possible buffer overflow trojan-activity tcp $HOME_NET 6969 -> $EXTERNAL_NET any flow:established,from_server; content:"GateCrasher"; depth:11; nocase; content:"Server"; distance:0; nocase; content:"On-Line..."; distance:0; nocase; pcre:"/^GateCrasher\s+v\d+\x2E\d+\x2C\s+Server\s+On-Line\x2E\x2E\x2E/smi"; classtype:trojan-activity; 147 BACKDOOR GateCrasher www.spywareguide.com/product_show.php?id=973 attempted-admin 2005-2773 tcp $EXTERNAL_NET any -> $HOME_NET [80,3443] flow:to_server,established; content:"OvCGI/connectedNodes.ovpl"; fast_pattern:only; pcre:"/\x3fnode\x3d[^\x3b\x26]+[\x27\x24\x7c\x22\x25\x3c\x3e]/i"; metadata:service http; classtype:attempted-admin; 14774 EXPLOIT HP OpenView Network Node Manger connectedNodes command injection attempt attempted-admin 2005-2773 tcp $EXTERNAL_NET any -> $HOME_NET [80,3443] flow:to_server,established; content:"OvCGI/cdpView.ovpl"; fast_pattern:only; pcre:"/\x3fcdpnode\x3d[^\x3b\x26]+[\x27\x24\x7c\x22\x25\x3c\x3e]/i"; metadata:service http; classtype:attempted-admin; 14775 EXPLOIT HP OpenView Network Node Manger cdpnode command injection attempt attempted-admin 2005-2773 tcp $EXTERNAL_NET any -> $HOME_NET [80,3443] flow:to_server,established; content:"OvCGI/freeIPaddrs.ovpl"; fast_pattern:only; pcre:"/\x3fnetid\x3d[^\x3b\x26]+[\x27\x24\x7c\x22\x25\x3c\x3e]/i"; metadata:service http; classtype:attempted-admin; 14776 EXPLOIT HP OpenView Network Node Manager freeIPaddrs command injection attempt web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/~nobody"; http_uri; metadata:service http; classtype:web-application-attack; 1489 WEB-MISC /~nobody access 10484 1704 web-application-attack 2000-1036 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/newuser?Image=../.."; http_uri; metadata:service http; classtype:web-application-attack; 1492 WEB-MISC RBS ISP /newuser directory traversal attempt 10521 1704 web-application-activity 2000-1036 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/newuser"; http_uri; metadata:service http; classtype:web-application-activity; 1493 WEB-MISC RBS ISP /newuser access 10521 193 web-application-activity 1999-0449 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/exair/search/"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1500 WEB-MISC ExAir access 10004 misc-activity udp $EXTERNAL_NET any -> $HOME_NET 7001 flow:to_server; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; fast_pattern:only; classtype:misc-activity; 1504 MISC AFS access 10441 protocol-command-decode tcp $EXTERNAL_NET 502 -> $HOME_NET any flow:established,to_client; byte_test:1,&,128,7; classtype:protocol-command-decode; 15071 SCADA Modbus exception returned www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; byte_test:2,>,0,2; classtype:protocol-command-decode; 15072 SCADA Modbus invalid protocol version www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; byte_test:2,>,256,4; classtype:protocol-command-decode; 15073 SCADA Modbus oversized payload www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; byte_test:1,>,64,7; byte_test:1,<,73,7; classtype:protocol-command-decode; 15074 SCADA Modbus user-defined function code - 65 to 72 www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; byte_test:1,>,99,7; byte_test:1,<,111,7; classtype:protocol-command-decode; 15075 SCADA Modbus user-defined function code - 100 to 110 www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|0F|"; depth:1; offset:7; byte_test:2,>,1968,2,relative; classtype:protocol-command-decode; 15076 SCADA Modbus write multiple coils - too many outputs www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|01|"; depth:1; offset:7; byte_test:2,>,2000,2,relative; classtype:protocol-command-decode; 15077 SCADA Modbus read multiple coils - too many inputs www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf attempted-admin 2008-1852 tcp $EXTERNAL_NET any -> $HOME_NET 2954 flow:to_server,established; pcre:"/^((22|33|35|36|44) \d+ [^\s\x00]{129})|((25|45) \d+ \d+ \d+ [^\s\x00]{129})|((46|47) \d+ \d+ [^\x0a]{129})|((61|62) [^\x0a]{129})/smi"; classtype:attempted-admin; 15078 EXPLOIT HP Openview Network Node Manager OValarmsrv buffer overflow attempt attempted-user 2008-4259 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15115; 15115 WEB-CLIENT WebDAV pathname buffer overflow attempt www.microsoft.com/technet/security/Bulletin/MS08-073.mspx web-application-activity tcp $EXTERNAL_NET any -> $HOME_NET 8000 flow:to_server,established; content:"/nstelemetry.adp"; metadata:service http; classtype:web-application-activity; 1518 WEB-MISC nstelemetry.adp access 10753 misc-activity tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any flow:established,from_server; content:"c|3A 5C|"; classtype:misc-activity; 152 BACKDOOR BackConstruction 2.1 Connection web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/server-info"; http_uri; metadata:service http; classtype:web-application-activity; 1520 WEB-MISC server-info access httpd.apache.org/docs/mod/mod_info.html web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/server-status"; http_uri; metadata:service http; classtype:web-application-activity; 1521 WEB-MISC server-status access httpd.apache.org/docs/mod/mod_info.html 4149 web-application-attack 2002-0307 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ans.pl?p=../../"; http_uri; metadata:service http; classtype:web-application-attack; 1522 WEB-MISC ans.pl attempt 10875 4149 web-application-activity 2002-0307 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/ans.pl"; http_uri; metadata:service http; classtype:web-application-activity; 1523 WEB-MISC ans.pl access 10875 1025 web-application-attack 2000-0191 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/cd/../config/html/cnf_gi.htm"; metadata:service http; classtype:web-application-attack; 1524 WEB-MISC Axis Storpoint CD attempt 10023 1025 web-application-activity 2000-0191 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/config/html/cnf_gi.htm"; http_uri; metadata:service http; classtype:web-application-activity; 1525 WEB-MISC Axis Storpoint CD access 10023 web-application-attack 2008-4014 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/BPELConsole/default/activities.jsp?'"; http_uri; metadata:policy balanced-ips drop, service http; classtype:web-application-attack; 15256 ORACLE BPEL process manager XSS injection attempt www.securityfocus.com/archive/1/500060 1459 web-application-activity 2000-0629 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/servlet/sunexamples.BBoardServlet"; http_uri; metadata:service http; classtype:web-application-activity; 1528 WEB-MISC BBoard access 10507 24004 attempted-user 2007-2788 tcp $HOME_NET 80 -> $EXTERNAL_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|15328; 15328 WEB-CLIENT Sun JDK image parsing library ICC buffer overflow attempt scary.beasts.org/security/CESA-2006-004.html 1156 attempted-admin 2000-0341 tcp $EXTERNAL_NET any -> $HOME_NET 119 flow:to_server,established; content:"AUTHINFO"; nocase; content:"USER"; distance:0; nocase; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; metadata:service nntp; classtype:attempted-admin; 1538 NNTP AUTHINFO USER overflow attempt 10388 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|01 02|"; depth:2; offset:10; classtype:protocol-command-decode; 15389 SCADA OMRON-FINS memory area write attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|01 03|"; depth:2; offset:10; classtype:protocol-command-decode; 15390 SCADA OMRON-FINS memory area fill attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|01 05|"; depth:2; offset:10; classtype:protocol-command-decode; 15391 SCADA OMRON-FINS memory area transfer attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|02 02|"; depth:2; offset:10; classtype:protocol-command-decode; 15392 SCADA OMRON-FINS parameter area write attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|02 03|"; depth:2; offset:10; classtype:protocol-command-decode; 15393 SCADA OMRON-FINS parameter area clear attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|03 04|"; depth:2; offset:10; classtype:protocol-command-decode; 15394 SCADA OMRON-FINS program area protect attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|03 07|"; depth:2; offset:10; classtype:protocol-command-decode; 15396 SCADA OMRON-FINS program area write attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|03 08|"; depth:2; offset:10; classtype:protocol-command-decode; 15397 SCADA OMRON-FINS program area clear attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|04 01|"; depth:2; offset:10; classtype:protocol-command-decode; 15398 SCADA OMRON-FINS RUN attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|04 02|"; depth:2; offset:10; classtype:protocol-command-decode; 15399 SCADA OMRON-FINS STOP attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|07 02|"; depth:2; offset:10; classtype:protocol-command-decode; 15400 SCADA OMRON-FINS clock write attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|0C 01|"; depth:2; offset:10; classtype:protocol-command-decode; 15401 SCADA OMRON-FINS access right acquire attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|0C 02|"; depth:2; offset:10; classtype:protocol-command-decode; 15402 SCADA OMRON-FINS access right forced acquire attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|22 03|"; depth:2; offset:10; classtype:protocol-command-decode; 15403 SCADA OMRON-FINS single file write attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|22 05|"; depth:2; offset:10; classtype:protocol-command-decode; 15404 SCADA OMRON-FINS file delete attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|23 01|"; depth:2; offset:10; classtype:protocol-command-decode; 15405 SCADA OMRON-FINS forced set/reset attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|23 01|"; depth:2; offset:10; classtype:protocol-command-decode; 15406 SCADA OMRON-FINS forced set/reset cancel attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|22 11|"; depth:2; offset:10; classtype:protocol-command-decode; 15407 SCADA OMRON-FINS file memory write attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|02|!"; depth:2; offset:10; classtype:protocol-command-decode; 15408 SCADA OMRON-FINS data link table write attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|04 03|"; depth:2; offset:10; classtype:protocol-command-decode; 15409 SCADA OMRON-FINS RESET attempt forums.mrplc.com/index.php?download=467 attempted-recon tcp $EXTERNAL_NET any -> $HOME_NET 79 flow:to_server,established; content:"version"; metadata:service finger; classtype:attempted-recon; 1541 FINGER version query protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"&|02|"; depth:2; offset:10; classtype:protocol-command-decode; 15410 SCADA OMRON-FINS name delete attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|22 04|"; depth:2; offset:10; classtype:protocol-command-decode; 15411 SCADA OMRON-FINS memory card format attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|01 02|"; depth:2; offset:10; isdataat:10,relative; classtype:protocol-command-decode; 15412 SCADA OMRON-FINS memory area write overflow attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|01 03|"; depth:2; offset:10; isdataat:8,relative; classtype:protocol-command-decode; 15413 SCADA OMRON-FINS memory area fill overflow attempt forums.mrplc.com/index.php?download=467 protocol-command-decode udp $EXTERNAL_NET any -> $HOME_NET 9600 flow:established,to_server; byte_test:1,!&,64,0; content:"|00 02|"; depth:2; offset:1; content:"|03 05 00 00 00 00 00 00 00 FF FF FF FF|"; depth:13; offset:10; detection_filter:track by_src, count 10, seconds 60; classtype:protocol-command-decode; 15414 SCADA OMRON-FINS program area protect clear brute force attempt forums.mrplc.com/index.php?download=467 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"o=c&s=00000"; nocase; pcre:"/^POST \x2F[A-Z\d]{16} /smi"; metadata:impact_flag red, service http; classtype:trojan-activity; 15423 BOTNET-CNC Clampi virus communication detected www.symantec.com/security_response/writeup.jsp?docid=2008-011616-5036-99 34061 attempted-dos 2009-0879 tcp $EXTERNAL_NET any -> $HOME_NET 6988 flow:to_server,established; content:"POST"; fast_pattern:only; content:"HTTP"; distance:1; nocase; pcre:"/^.*POST\s+\x2f[^\s\x2f]{9,}\x2f[^\s]{235}/i"; classtype:attempted-dos; 15435 EXPLOIT IBM Director CIM server consumer name handling denial of service attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS gid:3; classtype:trojan-activity; metadata: engine shared, soid 3|15451, service http; 15451 EXPLOIT possible Conficker.C HTTP traffic 1 mtc.sri.com/Conficker/ trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS gid:3; classtype:trojan-activity; metadata: engine shared, soid 3|15452, service http; 15452 EXPLOIT possible Conficker.C HTTP traffic 2 mtc.sri.com/Conficker/ 21206 attempted-user 2006-6063 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"|23|EXTM3U"; nocase; pcre:"/^[^\x0a]{501}/m"; metadata:service http; classtype:attempted-user; 15473 WEB-CLIENT Multiple media players M3U playlist file handling buffer overflow attempt 33059 attempted-admin 2008-5911 tcp $EXTERNAL_NET any -> $HOME_NET 554 flow:to_server,established; content:"Proxy-Require"; fast_pattern:only; pcre:"/^Proxy-Require\s*\x3a\s*[^\x0a]{33}/mi"; classtype:attempted-admin; 15479 EXPLOIT RealNetworks Helix Server RTSP Request Proxy-Require header heap buffer overflow attempt 33059 attempted-admin 2008-5911 tcp $EXTERNAL_NET any -> $HOME_NET 554 flow:to_server,established; content:"SETUP"; depth:5; nocase; pcre:"/[A-Z0-9][^\x3f\x0a\x0d]{1023,}\x3f/iR"; classtype:attempted-admin; 15571 EXPLOIT RealNetworks Helix Server RTSP SETUP stack buffer overflow attempt web-application-activity 2000-0165 tcp $EXTERNAL_NET any -> $HOME_NET 8080 flow:to_server,established; content:"whois|3A|//"; nocase; metadata:service http; classtype:web-application-activity; 1558 WEB-MISC Delegate whois overflow attempt 10054 1707 web-application-activity 2000-1016 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/doc/packages"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1559 WEB-MISC /doc/packages access 11032 318 web-application-activity 1999-0678 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/doc/"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1560 WEB-MISC /doc/ access 665 web-application-activity 1999-1533 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/login.htm?password="; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1563 WEB-MISC login.htm attempt 25945 attempted-user 2007-4041 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"snews|3A|"; nocase; pcre:"/^[^\n]*?(\x2E(com|bat|cmd|exe)((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5c)00)/Ri"; classtype:attempted-user; 15684 EXPLOIT Multiple product snews uri handling code execution attempt www.microsoft.com/technet/security/bulletin/ms07-057.mspx 35494 attempted-admin 2009-1628 tcp $EXTERNAL_NET any -> $HOME_NET [3985,3986] flow:to_server,established; content:"|16|?"; depth:2; byte_test:4,>,24,2,big; classtype:attempted-admin; 15708 EXPLOIT Unisys Business Information Server stack buffer overflow attempt protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 20000 flow:established,to_server; content:"|05|d"; depth:2; byte_test:1,<,5,0,relative; classtype:protocol-command-decode; 15712 SCADA DNP3 declared length too small www.dnp.org/About/Default.aspx protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 20000 flow:established,to_server; content:"|05|d"; depth:2; byte_test:1,&,64,1,relative; byte_test:1,&,64,13; classtype:protocol-command-decode; 15713 SCADA DNP3 device trouble www.dnp.org/About/Default.aspx protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 20000 flow:established,to_server; content:"|05|d"; depth:2; byte_test:1,&,64,1,relative; byte_test:1,&,32,14; classtype:protocol-command-decode; 15714 SCADA DNP3 corrupt configuration www.dnp.org/About/Default.aspx protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 20000 flow:established,to_server; content:"|05|d"; depth:2; byte_test:1,&,64,1,relative; byte_test:1,&,8,14; classtype:protocol-command-decode; 15715 SCADA DNP3 event buffer overflow error www.dnp.org/About/Default.aspx protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 20000 flow:established,to_server; content:"|05|d"; depth:2; byte_test:1,&,64,1,relative; byte_test:1,&,4,14; classtype:protocol-command-decode; 15716 SCADA DNP3 parameter error www.dnp.org/About/Default.aspx protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 20000 flow:established,to_server; content:"|05|d"; depth:2; byte_test:1,&,64,1,relative; byte_test:1,&,2,14; classtype:protocol-command-decode; 15717 SCADA DNP3 unknown object error www.dnp.org/About/Default.aspx protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 20000 flow:established,to_server; content:"|05|d"; depth:2; byte_test:1,&,64,1,relative; byte_test:1,&,1,14; classtype:protocol-command-decode; 15718 SCADA DNP3 unsupported function code error www.dnp.org/About/Default.aspx protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 20000 flow:established,to_server; content:"|05|d"; depth:2; byte_test:1,!&,64,1,relative; byte_test:1,&,15,3; classtype:protocol-command-decode; 15719 SCADA DNP3 link service not supported www.dnp.org/About/Default.aspx protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 20000 flow:established,to_server; content:"|05|d"; depth:2; byte_test:2,>,65519,6,little; byte_test:2,<,65532,6,little; classtype:protocol-command-decode; 15720 SCADA DNP3 reserved source address www.dnp.org/About/Default.aspx protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 20000 flow:established,to_server; content:"|05|d"; depth:2; byte_test:2,>,65519,4,little; byte_test:2,<,65532,4,little; classtype:protocol-command-decode; 15721 SCADA DNP3 reserved destination address www.dnp.org/About/Default.aspx 1089 web-application-activity 2000-0289 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/slxweb.dll"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1588 WEB-MISC SalesLogix Eviewer access 2374 web-application-attack 2001-0224 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/empower?DB="; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1589 WEB-MISC musicat empower attempt 10609 29792 misc-activity 2008-2959 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"fCreateShellLink|28|"; nocase; metadata:service http; classtype:misc-activity; 15893 WEB-CLIENT fCreateShellLink function use - potential attack 11015 attempted-admin 2004-0826 tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 flow:to_server,established; content:"|01 00 01|"; depth:3; offset:2; byte_test:1,>,127,0; byte_test:2,>,32,9; metadata:service ssl; classtype:attempted-admin; 15897 WEB-MISC SSLv1 Client_Hello Challenge Length overflow attempt attempted-user 2003-0605 tcp $EXTERNAL_NET any -> $HOME_NET 135 flow:established,to_server; content:"|05 00 06 01 00 00 00 00|11111111111111111111111111111111|00 00 00 00 00 00 00 00|"; fast_pattern:only; classtype:attempted-user; 15903 SHELLCODE x86 PoC CVE-2003-0605 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 1720 flow:established,to_server; content:"|00 00 00 01 80 88 19 08 16|aaaaaaaaaaaaaaaaaa"; classtype:attempted-admin; 15937 SPECIFIC-THREATS protos h323 buffer overflow www.ee.oulu.fi/research/ouspg/protos/testing/c07/h2250v4/index.html 23906 attempted-user 2007-2522 tcp $EXTERNAL_NET any -> $HOME_NET 12168 flow:to_server,established; content:"|96|8|9E 04|"; depth:8; offset:4; byte_test:4,>,83,0; content:!"|F6|v|D0|"; depth:24; offset:21; classtype:attempted-user; 15942 MISC CA Multiple Products Console Server login credentials handling overflow attempt 23906 attempted-user 2007-2522 tcp $EXTERNAL_NET any -> $HOME_NET 12168 flow:to_server,established; content:"|96|8|9E 04|"; depth:8; offset:4; byte_test:4,>,83,0; byte_test:1,&,192,20; classtype:attempted-user; 15943 MISC CA Multiple Products Console Server login credentials handling overflow attempt 12705 attempted-user 2005-0581 tcp $EXTERNAL_NET any -> $HOME_NET [10202,10203,10204] flow:to_server,established; content:"A0 "; depth:3; isdataat:50,relative; classtype:attempted-user; 15948 SPECIFIC-THREATS CA License Software Invalid Command overflow attempt 10243 attempted-user 2005-0643 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"testfile|F8 1B|U|05 00|P|B4 81 94 01 01|AAAA"; metadata:service http; classtype:attempted-user; 15949 SPECIFIC-THREATS McAfee LHA file handling overflow attempt misc-attack 2004-0444 udp $EXTERNAL_NET any -> $HOME_NET 1900 content:"|00 03 80| |00 01 00 01 00 00 00 00 01|V|01|"; byte_test:1, &, 128, 2; byte_test:2, >, 0, 4; byte_test:2, >, 0, 6; pcre:"/^.{12}(\x01.){20}/"; metadata:service dns; classtype:misc-attack; 15972 SPECIFIC-THREATS single byte encoded name response 10820 attempted-dos 2004-0699 udp $EXTERNAL_NET any -> $HOME_NET 500 flow:to_server; content:"|84 FF FF FF FE|"; fast_pattern:only; pcre:"/[\x04\x0c\x14\x16\x1c\x1e\x24\x34]\x84\xff{3}\xfe/"; classtype:attempted-dos; 15979 EXPLOIT Check Point VPN-1 ASN.1 Decoding heap overflow attempt 11385 attempted-dos 2004-0918 udp $EXTERNAL_NET any -> $HOME_NET 3401 flow:to_server; content:"0|84 FF FF FF|"; byte_test:1,>,0xf9,0,relative; metadata:service snmp; classtype:attempted-dos; 15989 EXPLOIT Squid ASN.1 header parsing denial of service attempt 19106 web-application-attack 2006-3853 tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:".jsp"; http_uri; pcre:"/^[^\x3b]*\x3b.*\x2ejsp/Ui"; metadata:service http; classtype:web-application-attack; 15990 WEB-MISC Multiple Vendor server file disclosure attempt 12643 attempted-user 2005-0533 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"NEKP2E|00 00 00|E|00 00 00 DB|+|D0 1D 00 00| |00 00 00|AAAA"; metadata:service http; classtype:attempted-user; 15992 SPECIFIC-THREATS Trend Micro Products Antivirus Library overflow attempt attempted-admin 2007-0465 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".pkg"; nocase; http_uri; pcre:"/GET\s+[^\x0D\x0A]*\x25[^\x0D\x0A]*\x2Epkg/smi"; metadata:service http; classtype:attempted-admin; 16002 WEB-CLIENT Apple Mac OS X installer package filename format string vulnerability attempted-admin 2007-0465 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".distz"; nocase; http_uri; pcre:"/GET\s+[^\x0D\x0A]*\x25[^\x0D\x0A]*\x2Edistz/smi"; metadata:service http; classtype:attempted-admin; 16003 WEB-CLIENT Apple Mac OS X installer package filename format string vulnerability attempted-admin 2007-0465 tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".mpkg"; nocase; http_uri; pcre:"/GET\s+[^\x0D\x0A]*\x25[^\x0D\x0A]*\x2Empkg/smi"; metadata:service http; classtype:attempted-admin; 16004 WEB-CLIENT Apple Mac OS X installer package filename format string vulnerability 10333 attempted-admin 2004-0444 udp $EXTERNAL_NET any -> $HOME_NET 137 flow:to_server; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; metadata:service netbios-ns; classtype:attempted-admin; 16015 SPECIFIC-THREATS Norton Internet Security NBNS response processing stack overflow attempt 28689 attempted-admin 2008-1842 tcp $EXTERNAL_NET any -> $HOME_NET 7777 flow:established,to_server; isdataat:1000; byte_test:4,>,16384,0; content:"aaaaaaaaaaaaaaaaa"; classtype:attempted-admin; 16018 SPECIFIC-THREATS HP OpenView network node manager buffer overflow denial-of-service 2006-0995 tcp $EXTERNAL_NET any -> $HOME_NET 497 flow:to_server,established; content:"|87 00 00|"; depth:3; offset:1; content:"|00 00 00 00|"; within:4; distance:4; metadata:policy connectivity-ips drop; classtype:denial-of-service; 16039 MISC EMC Dantz Retrospect Backup Agent denial of service attempt web-application-activity 1999-0897 tcp $EXTERNAL_NET any -> $HOME_NET 4080 flow:to_server,established; content:"/../../"; metadata:service http; classtype:web-application-activity; 1604 WEB-MISC iChat directory traversal attempt 6844 misc-attack 1999-1566 tcp $EXTERNAL_NET any -> $HOME_NET 6004 flow:to_server,established; content:"|FF FF FF FF FF FF|"; offset:0; classtype:misc-attack; 1605 DOS iParty DOS attempt 10111 26554 attempted-user 2007-6009 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.xpm; content:"static"; fast_pattern:only; content:"Content-Type|3A|"; nocase; http_header; pcre:"/^static\s+(\w+\s+)??char\s*\x2A\s*\w+\s*\x5B\x5D\s*\x3D\s*\x7B.*\x22[^\x22]{200}/smiH"; classtype:attempted-user; 16062 MISC ACD Systems ACDSee Products XPM values section buffer overflow attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/wm.php"; nocase; content:"ver="; distance:0; nocase; content:"MAX_EXECUTE_TIME="; distance:0; nocase; content:"RELOAD_JOBS="; distance:0; nocase; content:"BROWSER_DELAY="; distance:0; nocase; content:"CONTROL_PAGE="; distance:0; nocase; content:"lastlogcount="; distance:0; nocase; content:"REPORTS_PAGE="; distance:0; nocase; content:"TICKETS_PAGE="; distance:0; nocase; content:"botid="; distance:0; nocase; content:"REG_NAME="; distance:0; nocase; content:"botlogin="; distance:0; nocase; classtype:trojan-activity; 16092 BACKDOOR win32.delf.jwh runtime detection www.emsisoft.com/en/malware/?Backdoor.Win32.Delf.jwh trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ftpgd.exe"; nocase; http_uri; classtype:trojan-activity; 16094 BACKDOOR trojan downloader exchan.gen variant runtime detection www.symantec.com/security_response/writeup.jsp?docid=2008-041717-0829-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/getfiles.php"; nocase; content:"id="; distance:0; nocase; content:"sid=anycrc"; distance:0; nocase; content:"Host|3A|"; nocase; http_header; content:"flz.anycracks.com"; nocase; http_header; classtype:trojan-activity; 16095 BACKDOOR td.exe runtime detection - getfile www.spywareremove.com/removetdexe.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/download.php"; nocase; content:"id="; distance:0; nocase; content:"Submit=Download+Crack+and+Keygen"; distance:0; nocase; classtype:trojan-activity; 16096 BACKDOOR td.exe runtime detection - download www.spywareremove.com/removetdexe.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?"; nocase; http_uri; content:"mode=gen"; nocase; http_uri; content:"gd="; nocase; http_uri; content:"affid="; nocase; http_uri; content:"W10="; nocase; http_uri; content:"subid="; nocase; http_uri; content:"prov="; nocase; http_uri; content:"ua="; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"www.zabeedly.com/search.php?q="; nocase; http_header; pcre:"/^Referer\x3a[^\r\n]*www\x2ezabeedly\x2ecom\x2fsearch\x2ephp\x3fq\x3d/smiH"; classtype:trojan-activity; 16097 BACKDOOR trojan win32.agent.vvm runtime detection www.kaspersky.co.jp/viruswatchlite?hour_offset=-4&search_virus=dropper&page=1 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/new.rar"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"htfc8.cn"; nocase; http_header; classtype:trojan-activity; 16099 BACKDOOR trojan-dropper.win32.agent.wdv runtime detection www.spywaredetector.net/spyware_encyclopedia/Clicker.Agent.htm misc-activity udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 flow:to_server; content:"activate"; classtype:misc-activity; 161 BACKDOOR Matrix 2.0 Client connect trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/files/56/v2test7/file.exe"; http_uri; classtype:trojan-activity; 16100 BACKDOOR trojan-downloader.win32.delf.phh runtime detection - file.exe www.threatexpert.com/report.aspx?uid=37b59ba2-9a43-458f-8e8e-d150ab422b5c trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/lm/57329.exe"; http_uri; classtype:trojan-activity; 16101 BACKDOOR trojan-downloader.win32.delf.phh runtime detection - 57329.exe www.threatexpert.com/report.aspx?uid=37b59ba2-9a43-458f-8e8e-d150ab422b5c trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/sft/cvs/cache/sft_ver1.1454.0.exe"; http_uri; classtype:trojan-activity; 16102 BACKDOOR trojan-downloader.win32.delf.phh runtime detection - sft_ver1.1454.0.exe www.threatexpert.com/report.aspx?uid=37b59ba2-9a43-458f-8e8e-d150ab422b5c trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET any flow:to_server,established; flowbits:isset,LostDoor3_InitConn; content:"v1ct1m[|5C|AS/]"; depth:12; nocase; classtype:trojan-activity; 16104 BACKDOOR lost door 3.0 runtime detection - init trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/servlet/ajrotator/9105"; http_uri; content:"Host|3A|"; nocase; http_header; content:"servedby.topqualityads.net"; nocase; http_header; classtype:trojan-activity; 16105 BACKDOOR trojan.zlob runtime detection - topqualityads www.threatexpert.com/report.aspx?uid=8b81ce31-7f67-4880-8ec0-8359f96d6303 trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:from_server,established; flowbits:isset,SynRat2.1_initconn; content:"CON"; depth:3; nocase; pcre:"/^CON\w+\d+\xAE/smi"; classtype:trojan-activity; 16107 BACKDOOR synrat 2.1 pro runtime detection - init trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/templates/onestoponlineshop.net/images/css.css"; http_uri; content:"Host|3A|"; nocase; http_header; content:"onestoponlineshop.net"; nocase; http_header; classtype:trojan-activity; 16109 BACKDOOR trojan-downloader.win32.zlob.wwv runtime detection - onestoponlineshop www.threatexpert.com/report.aspx?uid=0f289bca-21bb-40ac-bec6-8eef22a6172a trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/pas/apstpldr.dll.html?affid=152174"; http_uri; content:"Host|3A|"; nocase; http_header; content:"childhe.com"; nocase; http_header; classtype:trojan-activity; 16110 BACKDOOR trojan-downloader.win32.zlob.wwv runtime detection - childhe www.threatexpert.com/report.aspx?uid=0f289bca-21bb-40ac-bec6-8eef22a6172a trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/Setup_ver1.1427.0.exe"; http_uri; content:"Host|3A|"; nocase; http_header; content:"slpm12345.googlepages.com"; nocase; http_header; classtype:trojan-activity; 16111 BACKDOOR trojan-downloader.win32.zlob.wwv installtime detection www.threatexpert.com/report.aspx?uid=0f289bca-21bb-40ac-bec6-8eef22a6172a trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/post.asp?"; nocase; http_uri; content:"HD="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"rebot1.whatthisdown.com"; nocase; http_header; classtype:trojan-activity; 16112 BACKDOOR trojan downloader.agent.vhb runtime detection - contact remote server www.virustotal.com/analisis/0326fdbb9ff5e2fa6fa847a095ec9e45 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/login.htm"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.sf123.com"; nocase; http_header; classtype:trojan-activity; 16113 BACKDOOR trojan downloader.agent.vhb runtime detection - request login page www.virustotal.com/analisis/0326fdbb9ff5e2fa6fa847a095ec9e45 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/style/style1_21.css"; fast_pattern; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"www.fuck-portal.com"; nocase; http_header; pcre:"/^Referer\x3a[^\r\n]*www\x2efuck\x2dportal\x2ecom/smiH"; classtype:misc-activity; 16114 SPYWARE-PUT Hijacker cramtoolbar runtime detection - hijack www.symantec.com/security_response/writeup.jsp?docid=2005-091817-2335-99&tabid=1 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/n4.g?"; nocase; http_uri; content:"login=craxam"; fast_pattern; nocase; http_uri; content:"url="; nocase; http_uri; content:"pv="; nocase; http_uri; content:"jv="; nocase; http_uri; content:"j="; nocase; http_uri; content:"srw="; nocase; http_uri; content:"srb="; nocase; http_uri; classtype:misc-activity; 16115 SPYWARE-PUT Hijacker cramtoolbar runtime detection - search www.symantec.com/security_response/writeup.jsp?docid=2005-091817-2335-99&tabid=1 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/bc/ip.php"; nocase; content:"Host|3A| ads.targetedbanner.biz"; distance:0; nocase; classtype:successful-recon-limited; 16116 SPYWARE-PUT Trackware rightonadz.biz adrotator runtime detection - pass user info to remote server www.sophos.com/security/analyses/adware-and-puas/rightonadz.html successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/bc/123kah.php"; nocase; content:"Host|3A|"; nocase; http_header; content:"ads.targetedbanner.biz"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ads\x2etargetedbanner\x2ebiz/smiH"; classtype:successful-recon-limited; 16117 SPYWARE-PUT Trackware rightonadz.biz adrotator runtime detection - ads www.sophos.com/security/analyses/adware-and-puas/rightonadz.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/buy.html"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.winreanimator.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2ewinreanimator\x2ecom/smiH"; classtype:misc-activity; 16118 SPYWARE-PUT Adware winreanimator runtime detection - register request www.windowsvistaplace.com/winreanimator-removal-instructions-winreanimator/spyware-removal misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/WinReanimator/daily.cvd"; fast_pattern; nocase; http_uri; classtype:misc-activity; 16119 SPYWARE-PUT Adware winreanimator runtime detection - daily update www.windowsvistaplace.com/winreanimator-removal-instructions-winreanimator/spyware-removal successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/data.aspx?"; nocase; http_uri; content:"pn=sixsigmaToolbar"; fast_pattern; nocase; http_uri; content:"ver="; nocase; http_uri; content:"url="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Asynchronous"; nocase; http_header; content:"WinInet"; nocase; http_header; content:"CLASS"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Asynchronous\s+WinInet\s+CLASS/smiH"; classtype:successful-recon-limited; 16120 SPYWARE-PUT Trackware 6sq toolbar runtime detection www.spycheck.es/genera.php?processfile=6sqtoolbar.dll&dir=otros&pag=165 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/dp/"; nocase; http_uri; content:"x="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"as.weatherstudio.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*as\x2eweatherstudio\x2ecom/smiH"; classtype:misc-activity; 16121 SPYWARE-PUT Hijacker weatherstudio runtime detection vil.nai.com/vil/content/v_137487.htm misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/buy2/"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.anti-virusxp2008.net"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2eanti\x2dvirusxp2008\x2enet/smiH"; classtype:misc-activity; 16122 SPYWARE-PUT rogue antivirus xp 2008 runtime detection - buy www.symantec.com/security_response/writeup.jsp?docid=2008-071613-4343-99&tabid=2 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/updates/check.html"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.anti-virusxp2008.net"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2eanti\x2dvirusxp2008\x2enet/smiH"; classtype:misc-activity; 16123 SPYWARE-PUT rogue antivirus xp 2008 runtime detection - update www.symantec.com/security_response/writeup.jsp?docid=2008-071613-4343-99&tabid=2 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/keyword/urlRedirect.cfm?"; fast_pattern; nocase; http_uri; content:"v="; nocase; http_uri; content:"a=SEARCHFST"; nocase; http_uri; content:"k="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.metadirect.net"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2emetadirect\x2enet/smiH"; classtype:misc-activity; 16124 SPYWARE-PUT downloader trojan.nsis.agent.s runtime detection www.pctools.com/mrc/infections/id/Adware.Metadirect_hijacker/ successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 21 flow:to_server,established; content:"RETR k3ylogger.txt"; fast_pattern:only; classtype:successful-recon-limited; 16125 SPYWARE-PUT Keylogger spyyahoo v2.2 runtime detection www.megasecurity.org/trojans/s/spyyahoo/Spyyahoo2.2.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/2009/order/index.html?"; fast_pattern; nocase; http_uri; content:"addt="; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr=3P_UVRM"; nocase; http_uri; content:"nid=3P_UVRM"; nocase; http_uri; classtype:misc-activity; 16126 SPYWARE-PUT Trickler virusremover 2008 runtime detection www.spywareremove.com/removeVirusRemover2008.html misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/bc/123kah.php"; nocase; content:"Host|3A|"; nocase; http_header; content:"superiorads.biz"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*superiorads\x2ebiz/smiH"; classtype:misc-activity; 16127 SPYWARE-PUT Adware superiorads runtime detection www.precisesecurity.com/threats/adwaresuperiorads/ successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ahmad.php"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.kamyab-hack.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2ekamyab-hack\x2ecom/smiH"; classtype:successful-recon-limited; 16129 SPYWARE-PUT Keylogger kamyab Keylogger v.3 runtime detection www.megasecurity.org/trojans/k/keylogger/Kamyabkeylogger3.0.html 380 web-application-attack 1999-0148 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/handler"; http_uri; content:"|7C|"; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1613 WEB-MISC handler attempt 10100 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"POST //"; nocase; content:"Host|3A|"; nocase; http_header; content:"www.fakemailer.info"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2efakemailer\x2einfo/smiH"; classtype:successful-recon-limited; 16130 SPYWARE-PUT Keylogger lord spy pro 1.4 runtime detection successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/bc/123kah.php"; nocase; content:"Host|3A|"; nocase; http_header; content:"ads.gooochi.biz"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ads\x2egooochi\x2ebiz/smiH"; classtype:successful-recon-limited; 16131 SPYWARE-PUT Trackware adclicker trojan zlob.dnz runtime detection - ads www.threatexpert.com/report.aspx?uid=6b4f9be8-f080-4aa7-bb1a-c25231426315 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/success.php?"; nocase; http_uri; content:"itemname="; http_uri; content:"User-Agent|3A| Nimo Software HTTP Retriever"; fast_pattern:only; nocase; classtype:successful-recon-limited; 16132 SPYWARE-PUT Trackware owlforce runtime detection - remote server #1 www.ca.com/us/securityadvisor/pest/pest.aspx?id=453113210 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/status.php?"; nocase; http_uri; content:"searchurl="; http_uri; content:"version="; http_uri; content:"act="; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Nimo Software HTTP Retriever"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Nimo\x20Software\x20HTTP\x20Retriever/smiH"; classtype:successful-recon-limited; 16133 SPYWARE-PUT Trackware owlforce runtime detection - remote server #2 www.ca.com/us/securityadvisor/pest/pest.aspx?id=453113210 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/api.php?"; nocase; http_uri; content:"data="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"cmserv.org"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*cmserv\x2eorg/smiH"; classtype:misc-activity; 16134 SPYWARE-PUT Adware spyware guard 2008 runtime detection - contacts remote server www.ca.com/us/securityadvisor/pest/pest.aspx?id=453141606 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/buy.html?"; nocase; http_uri; content:"track_id="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"gosg2008.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*gosg2008\x2ecom/smiH"; classtype:misc-activity; 16135 SPYWARE-PUT Adware spyware guard 2008 runtime detection - purchase page www.ca.com/us/securityadvisor/pest/pest.aspx?id=453141606 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/buy.html?"; nocase; http_uri; content:"wmid="; nocase; http_uri; content:"skey="; nocase; http_uri; content:"Host|3A| www.xpas2009.com"; fast_pattern; nocase; http_header; classtype:misc-activity; 16136 SPYWARE-PUT Hijacker xp antispyware 2009 runtime detection - pre-sale webpage www.ca.com/us/securityadvisor/pest/pest.aspx?id=453141780 successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"Report"; nocase; content:"@"; nocase; content:"name=cheatmonitorR_SCREEN.DATETIME."; fast_pattern:only; pcre:"/Report\x20\x40.*name\x3dcheatmonitorR\x5fSCREEN\x2eDATETIME/smi"; classtype:successful-recon-limited; 16137 SPYWARE-PUT Keylogger cheat monitor runtime detection www.symantec.com/security_response/writeup.jsp?docid=2008-090408-5607-99&tabid=2 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"sendmail.php?"; nocase; http_uri; content:"mail="; nocase; http_uri; content:"subject="; nocase; http_uri; content:"Odesa mpsteal form"; fast_pattern; nocase; http_uri; classtype:misc-activity; 16138 SPYWARE-PUT Hacker-Tool 0desa msn pass stealer 8.5 runtime detection misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?"; nocase; http_uri; content:"advid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"scanner.vav-x-scanner.com"; nocase; http_header; pcre:"/\x2F\d+\x2F\x3Fadvid\x3D/smi"; pcre:"/Host\x3a[^\r\n]*scanner\x2evav\x2dx\x2dscanner\x2ecom/smiH"; classtype:misc-activity; 16139 SPYWARE-PUT downloader_trojan.gen2 runtime detection - scanner page www.threatexpert.com/report.aspx?uid=6a5f4829-667f-4f53-876d-ca74fe4cfcf0 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"kos-main.jar"; nocase; http_uri; content:!"Host|3A| www.kaspersky.com|0D 0A|"; nocase; http_header; metadata:service http; classtype:trojan-activity; 16141 SPECIFIC-THREATS Kaspersky Online Scanner trojaned Dll download attempt intevydis.com/blog/?p=77 web-application-attack 2000-0832 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/htgrep"; http_uri; content:"hdr=/"; metadata:service http; classtype:web-application-attack; 1615 WEB-MISC htgrep attempt 10495 attempted-user 2009-2500 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16153; 16153 WEB-CLIENT malformed WMF meta escape record memory corruption www.microsoft.com/technet/security/Bulletin/MS09-062.mspx attempted-user 2009-2504 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,exe.download; metadata: engine shared, soid 3|16154; 16154 WEB-CLIENT GDI+ .NET image property parsing memory corruption www.microsoft.com/technet/security/Bulletin/MS09-062.mspx misc-activity udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 flow:to_server; content:"logged in"; classtype:misc-activity; 162 BACKDOOR Matrix 2.0 Server access attempted-dos tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-dos; flowbits:isset,http.mp4; metadata: engine shared, soid 3|16224; 16224 WEB-CLIENT TRUFFLEHUNTER SFVRT-1004 attack attempt attempted-admin 2009-2514 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|16231; 16231 WEB-CLIENT Windows kernel-mode drivers core font parsing integer overflow attempt www.microsoft.com/technet/security/bulletin/MS09-065.mspx trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/adv/058/adload.php"; http_uri; content:"Host|3A| all1count.net"; nocase; classtype:trojan-activity; 16242 BACKDOOR downloader-ash.gen.b runtime detection - adload www.threatexpert.com/report.aspx?md5=bffe465b5949e78821ffb76b0ed25bb4 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/xpbuy/"; nocase; http_uri; content:"Host|3A| xp-police.com"; nocase; classtype:trojan-activity; 16244 BACKDOOR rogue software xp police antivirus runtime detection - purchase www.ca.com/us/securityadvisor/pest/pest.aspx?id=453151932 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/controller.php"; nocase; http_uri; content:"action="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"rnd="; nocase; http_uri; classtype:trojan-activity; 16245 BACKDOOR rogue software xp police antivirus install-timedetection www.ca.com/us/securityadvisor/pest/pest.aspx?id=453151932 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/purchase?"; nocase; http_uri; content:"r="; nocase; http_uri; content:"Host|3A| spywprotect.com"; nocase; classtype:trojan-activity; 16246 BACKDOOR rogue software spyware protect 2009 runtime detection - purchase request www.ca.com/us/securityadvisor/pest/pest.aspx?id=453151948 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/block.php?"; nocase; http_uri; content:"r=19.0"; nocase; http_uri; content:"Host|3A| browser-security.microsoft.com"; nocase; classtype:trojan-activity; 16247 BACKDOOR rogue software spyware protect 2009 runtime detection - block www.ca.com/us/securityadvisor/pest/pest.aspx?id=453151948 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/stat.php"; http_uri; content:"func="; nocase; http_uri; content:"Host|3A| int.ms-asreport1.com"; nocase; classtype:trojan-activity; 16248 BACKDOOR rogue software ms antispyware 2009 runtime detection - start www.ca.com/securityadvisor/pest/pest.aspx?id=453146855 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/pay/"; http_uri; content:"Host|3A| sales.buy-msantispyware2009.com"; nocase; classtype:trojan-activity; 16249 BACKDOOR rogue software ms antispyware 2009 runtime detection - pay www.ca.com/securityadvisor/pest/pest.aspx?id=453146855 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/pp/?id="; nocase; http_uri; content:"Host|3A| billingpayment.net"; nocase; classtype:trojan-activity; 16250 BACKDOOR rogue software win pc defender runtime detection www.ca.com/us/securityadvisor/pest/pest.aspx?id=453153970 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/installed.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"Host|3A| win-pc-defender.com"; nocase; classtype:trojan-activity; 16251 BACKDOOR rogue software win pc defender installtime detection www.ca.com/us/securityadvisor/pest/pest.aspx?id=453153970 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/pay/"; http_uri; content:"Host|3A| sales.proantispyware-2009-buy.com"; nocase; classtype:trojan-activity; 16252 BACKDOOR rogue software pro antispyware 2009 runtime detection - purchase www.ca.com/securityadvisor/pest/pest.aspx?id=453144054 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cards/"; http_uri; content:"affid="; http_uri; content:"Host|3A| electronicbillinghost.com"; nocase; classtype:trojan-activity; 16253 BACKDOOR rogue software system security 2009 runtime detection www.ca.com/us/securityadvisor/pest/pest.aspx?id=453154339 trojan-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; flowbits:isset,systemsecurity2009; content:"location|3A| in.php?url="; nocase; http_header; classtype:trojan-activity; 16255 BACKDOOR rogue software system security 2009 installtime detection www.ca.com/us/securityadvisor/pest/pest.aspx?id=453154339 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/c.dat"; http_uri; content:"Host|3A| guardlab2009.com"; nocase; classtype:trojan-activity; 16256 BACKDOOR rogue software coreguard antivirus 2009 runtime detection www.ca.com/us/securityadvisor/pest/pest.aspx?id=453157038 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/upd1.php"; http_uri; content:"dbbasediv="; http_uri; content:"Host|3A| download.pdefender2009.com"; nocase; classtype:trojan-activity; 16257 BACKDOOR rogue software perfect defender 2009 runtime detection - update www.ca.com/securityadvisor/pest/pest.aspx?id=453144750 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/buy.php"; http_uri; content:"Host|3A| www.pdefender2009.com"; nocase; classtype:trojan-activity; 16258 BACKDOOR rogue software perfect defender 2009 runtime detection - purchase www.ca.com/securityadvisor/pest/pest.aspx?id=453144750 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/join.html"; http_uri; content:"Host|3A| www.antivirus-doktor.com"; nocase; classtype:trojan-activity; 16259 BACKDOOR rogue software antivirusdoktor2009 runtime detection www.ca.com/securityadvisor/pest/pest.aspx?id=453164387 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/firstrun.php"; nocase; http_uri; content:"product=XPA"; nocase; http_uri; content:"aff="; nocase; http_uri; content:"Host|3A| liveresponsesite.com"; nocase; classtype:trojan-activity; 16260 BACKDOOR rogue software xp antivirus protection runtime detection - installation www.ca.com/us/securityadvisor/pest/pest.aspx?id=453122012 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/order_xp.php"; nocase; http_uri; content:"ver="; http_uri; content:"Host|3A| liveresponsesite.com"; nocase; classtype:trojan-activity; 16261 BACKDOOR rogue software xp antivirus protection runtime detection - runtime www.ca.com/us/securityadvisor/pest/pest.aspx?id=453122012 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/purchase.htm?aid"; http_uri; content:"Host|3A| www.xp-shield.cn"; nocase; classtype:trojan-activity; 16262 BACKDOOR rogue software xp-shield runtime detection www.ca.com/securityadvisor/pest/pest.aspx?id=453133950 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/install/?aid"; http_uri; content:"Host|3A| www.xp-shield.cn"; nocase; classtype:trojan-activity; 16263 BACKDOOR rogue software xp-shield runtime detection - installation www.ca.com/securityadvisor/pest/pest.aspx?id=453133950 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/007AS/update/Update.ini"; http_uri; content:"Host|3A| www.webslt.com"; nocase; classtype:trojan-activity; 16264 BACKDOOR rogue software 007 anti-spyware runtime detection - update www.symantec.com/security_response/writeup.jsp?docid=2009-073120-1433-99 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/register"; http_uri; content:"Host|3A| www.007antispyware.com"; nocase; classtype:trojan-activity; 16265 BACKDOOR rogue software 007 anti-spyware runtime detection - register www.symantec.com/security_response/writeup.jsp?docid=2009-073120-1433-99 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/buy.html"; http_uri; content:"Host|3A| pc-antispy2010.com"; nocase; classtype:trojan-activity; 16266 BACKDOOR rogue software pc antispyware 2010 runtime detection - buy www.ca.com/us/securityadvisor/pest/pest.aspx?id=453172046 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/files"; http_uri; content:"Host|3A| gomafobianiotas.com"; nocase; classtype:trojan-activity; 16267 BACKDOOR rogue software pc antispyware 2010 runtime detection - files www.ca.com/us/securityadvisor/pest/pest.aspx?id=453172046 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/tdss/"; http_uri; content:"Host|3A| yournewsblog.net"; nocase; classtype:trojan-activity; 16268 BACKDOOR trojan.tdss.1.gen install-time detection - yournewsblog.net www.threatexpert.com/report.aspx?uid=cffa846b-93ba-438d-8715-0665b6cd9627 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/botmon/readdata/"; http_uri; content:"Host|3A| findzproportal1.com"; nocase; classtype:trojan-activity; 16269 BACKDOOR trojan.tdss.1.gen install-time detection - findzproportal1.com www.threatexpert.com/report.aspx?uid=cffa846b-93ba-438d-8715-0665b6cd9627 trojan-activity tcp $EXTERNAL_NET 1503 -> $HOME_NET any flow:from_server,established; flowbits:isset,SRat_1.6; content:"|00 00 00 00 00 00 00|"; depth:7; offset:1; content:"|AA AA AA AA|"; within:4; distance:4; fast_pattern; classtype:trojan-activity; 16271 BACKDOOR srat 1.6 runtime detection trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/includes/editor/"; http_uri; content:"Host|3A| www.lordhack.com"; nocase; classtype:trojan-activity; 16272 BACKDOOR trojan-dropper.irc.tkb runtime detection - lordhack www.threatexpert.com/report.aspx?md5=e77f4df496a182bf5d16172cda47b91f trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/images/dxcpm"; http_uri; content:"Host|3A| www.dxcpm.com"; nocase; classtype:trojan-activity; 16273 BACKDOOR trojan-dropper.irc.tkb runtime detection - dxcpm www.threatexpert.com/report.aspx?md5=e77f4df496a182bf5d16172cda47b91f misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/list.htm?"; http_uri; content:"frandom="; http_uri; content:"Host|3A| vip.47tu.com"; fast_pattern:only; classtype:misc-activity; 16274 SPYWARE-PUT Trickler trojan-spy.win32.pophot runtime detection - connect to server www.ca.com/us/securityadvisor/pest/pest.aspx?id=453142055 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/bawang/"; http_uri; content:".exe?"; http_uri; content:"frandom="; http_uri; classtype:misc-activity; 16275 SPYWARE-PUT Trickler trojan-spy.win32.pophot runtime detection - download files www.ca.com/us/securityadvisor/pest/pest.aspx?id=453142055 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/buy.html?"; http_uri; content:"wmid="; http_uri; content:"l="; http_uri; content:"s="; http_uri; content:"skey="; http_uri; content:"Host|3A| www.av-pro-2009.com"; fast_pattern:only; classtype:misc-activity; 16276 SPYWARE-PUT Trickler win32-fakealert.kl runtime detection www.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99&tabid=2 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/binary/AntivirusPro2009/Binaries1.cab"; http_uri; content:"Host|3A| down-soft-index.com"; nocase; classtype:misc-activity; 16277 SPYWARE-PUT Trickler win32-fakealert.kl installtime detection - downloads malicious files www.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99&tabid=2 misc-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/update_inst.php?"; http_uri; content:"wmid="; http_uri; content:"subid="; http_uri; content:"pid="; http_uri; content:"lid="; http_uri; content:"hs="; http_uri; content:"Host|3A| do-monster-scan.com"; fast_pattern:only; classtype:misc-activity; 16278 SPYWARE-PUT Trickler win32-fakealert.kl installime detection - updates remote server www.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99&tabid=2 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/buy.php?"; http_uri; content:"frame="; http_uri; content:"advid="; http_uri; content:"Host|3A| winavsentry.com"; nocase; classtype:trojan-activity; 16279 BACKDOOR rogue-software windows antivirus 2008 runtime detection - pre-sale page www.spywareremove.com/removeWindowsAntivirus2008.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/purchase/secure.php?"; http_uri; content:"frame="; nocase; http_uri; content:"orderid="; nocase; http_uri; content:"orderid1="; nocase; http_uri; content:"orderid2="; nocase; http_uri; content:"disc="; nocase; http_uri; content:"product_name=Windows+Antivirus+2008"; nocase; http_uri; classtype:trojan-activity; 16280 BACKDOOR rogue-software windows antivirus 2008 runtime detection - registration and payment page www.spywareremove.com/removeWindowsAntivirus2008.html 28602 attempted-admin 2008-0311 tcp $EXTERNAL_NET any -> $HOME_NET 3057 flow:established,to_server; content:"GET AAAAAAAAAAAAAAAAAAAAA"; depth:25; classtype:attempted-admin; 16283 WEB-MISC Borland StarTeam Multicast Service buffer overflow attempt misc-activity tcp $HOME_NET 5714 -> $EXTERNAL_NET any flow:stateless; flags:SA,12; content:"|B4 B4|"; classtype:misc-activity; 163 BACKDOOR WinCrash 1.0 Server Active 35102 attempted-admin 2009-2643 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"JBIG2Decode"; nocase; content:"stream"; distance:0; pcre:"/JBIG2Decode.*?stream(\x0d\x0a|\x0a|\x0d)/smi"; byte_test:1, !&, 63, 4, relative; byte_test:4, >, 2147483647, 17, relative; metadata:service http; classtype:attempted-admin; 16336 WEB-CLIENT Blackberry Server PDF JBIG2 numnewsyms remote code execution attempt www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB18327 36015 attempted-dos 2009-2726 tcp $EXTERNAL_NET any -> $HOME_NET 5060:5061 flow:to_server,established; content:"CSeq|3A|"; nocase; isdataat:25,relative; content:!"|0A|"; within:25; classtype:attempted-dos; 16351 VOIP-SIP CSeq buffer overflow attempt www.ietf.org/rfc/rfc3261.txt trojan-activity tcp $EXTERNAL_NET any -> $HOME_NET any flow:to_server,established; flowbits:isset,BugsPrey_detection; content:"GHOST,"; depth:6; nocase; classtype:trojan-activity; 16358 BACKDOOR bugsprey runtime detection - initial connection www.econsultant.com/spyware-database/b/bugsprey-a.html 791 attempted-admin 1999-1511 tcp $EXTERNAL_NET any -> $HOME_NET 32000 flow:to_server,established; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; classtype:attempted-admin; 1636 MISC Xtramail Username overflow attempt 10323 attempted-admin tcp $EXTERNAL_NET any -> $HOME_NET 389 flow:to_server,established; content:"|82 82 82 82 82 82 82 82 82 82 82 82 82 82 82 82|"; fast_pattern:only; classtype:attempted-admin; 16374 EXPLOIT Oracle Internet Directory heap corruption attempt 27666 attempted-user 2008-0077 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:established,to_client; content:"ANIMATEMOTION"; nocase; pcre:"/<[A-Z_]+\s*\x3A\s*ANIMATEMOTION[^>]+?id=(?P<q>\x22|\x27|)(?P<n>[A-Z][A-Z\d\x2D\x2E\x3A\x5F]*)(?P=q).*?(?P=n)\./Osmi"; classtype:attempted-user; 16382 WEB-CLIENT HTML+TIME animatemotion property memory corruption attempt www.microsoft.com/technet/security/bulletin/ms08-010.mspx 3010 denial-of-service 2001-1143 tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 flow:to_server,established; dsize:1; classtype:denial-of-service; 1641 DOS DB2 dos attempt 10871 attempted-user 2010-0243 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; flowbits:isset,http.xls; metadata: engine shared, soid 3|16416; 16416 WEB-CLIENT Malformed XLS MSODrawing Record www.microsoft.com/technet/security/bulletin/MS10-003.mspx successful-recon-limited tcp $HOME_NET any -> $EXTERNAL_NET 25 flow:to_server,established; content:"From|3A|"; nocase; content:"EgySpy"; distance:0; nocase; content:"Victim"; distance:0; nocase; pcre:"/^From\x3a[^\r\n]*EgySpy\s+Victim/smi"; classtype:successful-recon-limited; 16455 SPYWARE-PUT Keylogger egyspy keylogger 1.13 runtime detection www.sunbeltsecurity.com/threatdisplay.aspx?name=EgySpy&tid=48410&cs=6ECDDEC7712C7CE701773045B519AE38 trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/angantivirus-2009.com/"; http_uri; content:"Host|3A| setup.angantivirus2009.info"; fast_pattern:only; classtype:trojan-activity; 16456 SPYWARE-PUT Rogue-Software ang antivirus 09 runtime detection en.wikipedia.org/wiki/ANG_Antivirus trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/40E800143030303030303030303030"; http_uri; content:"Host|3A| mxe06vc528b.com"; nocase; classtype:trojan-activity; 16457 BACKDOOR Trojan.Downloader.Win32.Cutwail.AI runtime detection www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader:Win32/Cutwail.AI attempted-user 2010-0490 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16506; 16506 WEB-CLIENT IE innerHTML against incomplete element heap corruption attempt www.microsoft.com/technet/security/bulletin/MS10-018.mspx attempted-user 2010-0492 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16508; 16508 WEB-CLIENT IE8 non-IE8 compatibility mode htmltime remote code execution attempt www.microsoft.com/technet/security/bulletin/MS10-018.mspx attempted-user 2010-0807 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any gid:3; classtype:attempted-user; metadata: engine shared, soid 3|16512, service http; 16512 EXPLOIT IE malformed span/div html document heap corruption attempt www.microsoft.com/technet/security/bulletin/MS10-018.mspx misc-activity tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,lmageshack.request; content:"lmageshack"; nocase; metadata:service http; classtype:misc-activity; 16557 SPECIFIC-THREATS 2imaegshack/lmageshack IM worm inbound communication attempt anubis.iseclab.org/?action=result&task_id=1d4d78a7507bb63143d45d2a5898fe3bf&format=html 39564 attempted-admin 2010-1318 tcp $EXTERNAL_NET any -> $HOME_NET 705 flow:established,to_server; flags:*P; dsize:<20; detection_filter:track by_src, count 2, seconds 2; metadata:service snmp; classtype:attempted-admin; 16576 EXPLOIT RealNetworks Helix AgentX receive_agentx stack buffer overflow attempt labs.idefense.com/intelligence/vulnerabilities/display.php?id=867 33047 attempted-user 2009-0323 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"<bdo"; nocase; pcre:"/^.*?dir\s*=\s*(\x22[^\x22]{500}|\x27[^\x27]{500}|[^\s\>]{500})/isR"; metadata:service http; classtype:attempted-user; 16601 WEB-CLIENT Amaya web editor XML and HTML Parser Buffer overflow attempt web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:" .pl"; nocase; http_uri; pcre:"/\/[^\r\n]*\x20.pl/Ui"; metadata:service http; classtype:web-application-attack; 1663 WEB-MISC *%20.pl access 11007 www.securityfocus.com/archive/1/149482 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/mkplog.exe"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1664 WEB-MISC mkplog.exe access 40097 denial-of-service 2010-1642 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:established, to_server; content:"|FF|SMB|73|"; fast_pattern; byte_test:2,>,0x8000,42,relative,little; metadata:service netbios-ssn; classtype:denial-of-service; 16684 DOS Samba smbd Session Setup AndX security blob length dos attempt samba.org/samba/history/samba-3.4.8.html attempted-admin 2010-0743 tcp any any -> $HOME_NET 1024: flow:established, to_server; content:"|00 01 00 08|"; content:"|00 00 00 20|"; within:4; distance:8; pcre:"/%([0-9]+$)?([-+ #0-9]+)?([0-9]+)?\.?([0-9]+)?[hlL]?[cdieEfgGosuxXpn]/Rims"; classtype:attempted-admin; 16688 EXPLOIT iscsi target format string code execution attempt osvdb.org/show/osvdb/63418 21337 attempted-user 2006-6199 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.plf; content:"Content-Type: application/octet-stream"; http_header; file_data; pcre:"/^[^\s]{256}/R"; classtype:attempted-user; 16692 WEB-CLIENT BlazeVideo BlazeDVD PLF playlist file name buffer overflow attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/home/www"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1671 WEB-MISC /home/www access 11032 system-call-detect tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:system-call-detect; 1673 ORACLE EXECUTE_SYSTEM attempt attempted-user tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; isdataat:92,relative; content:!"|00|"; within:92; content:"|FD A4 00 10|"; within:4; distance:92; metadata:service http; classtype:attempted-user; 16737 SPECIFIC-THREATS Xenorate Media Player XPL file handling overflow attempt - 1 osvdb.org/show/osvdb/57162 attempted-user 2009-2650 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.m3u.download; file_data; content:"http|3A 2F 2F|"; within:7; pcre:"/^[^\s]{256}/R"; metadata:service http; classtype:attempted-user; 16739 WEB-CLIENT MultiMedia Jukebox multiple playlist file handling overflow attempt osvdb.org/show/osvdb/55924 protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"connect_data|28|command=version|29|"; nocase; classtype:protocol-command-decode; 1674 ORACLE connect_data remote version detection attempt 32543 attempted-user 2008-5405 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; flowbits:isset,http.rdp; file_data; pcre:"/^[a-z0-9]{500}/iR"; metadata:service http; classtype:attempted-user; 16743 WEB-CLIENT Cain & Abel Remote Desktop Protocol file handling buffer overflow attempt suspicious-login tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:from_server,established; content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; nocase; classtype:suspicious-login; 1675 ORACLE misparsed login response protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"select "; nocase; content:" union "; nocase; classtype:protocol-command-decode; 1676 ORACLE select union attempt protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:" where "; nocase; content:" like '%'"; nocase; classtype:protocol-command-decode; 1677 ORACLE select like '%' attempt protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:" where "; nocase; content:" like |22|%|22|"; nocase; classtype:protocol-command-decode; 1678 ORACLE select like '%' attempt backslash escaped protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"describe "; nocase; classtype:protocol-command-decode; 1679 ORACLE describe attempt protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"all_constraints"; nocase; classtype:protocol-command-decode; 1680 ORACLE all_constraints access trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/jl/jloader.pl"; nocase; http_uri; classtype:trojan-activity; 16804 BACKDOOR Backdoor.Win32.Qakbot.E - initial load www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/u/updates.cb"; nocase; http_uri; pcre:"/^Host\x3A[^\r\n]+((up\d+)|(adserv))/Hmi"; classtype:trojan-activity; 16805 BACKDOOR Backdoor.Win32.Qakbot.E config check www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cgi-bin/clientinfo3.pl"; nocase; http_uri; classtype:trojan-activity; 16808 BACKDOOR Backdoor.Win32.Qakbot.E - register client www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"borders.php"; nocase; http_uri; content:"data="; nocase; http_client_body; metadata:impact_flag red, service http; classtype:trojan-activity; 16809 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16809.html protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"all_views"; nocase; classtype:protocol-command-decode; 1681 ORACLE all_views access trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/werber/"; nocase; http_uri; content:"217.gif"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16810 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16810.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/perce/"; nocase; http_uri; content:"qwerce.gif"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16811 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16811.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/vscript/vercheck.psc?pcrc="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16812 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16812.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".aspx?ver=2.0."; nocase; http_uri; content:"rnd="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16813 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16813.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/cursors/"; nocase; http_uri; content:"cursor_upp.gif"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16814 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16814.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/player/blog.updata"; nocase; http_uri; content:"os=Windows"; nocase; http_uri; content:"&mid="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16815 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16815.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ue000/38sw.e?uid="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16816 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16816.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ll.php?v=3"; nocase; http_uri; content:"wm_id=acc00"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16817 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16817.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/css/pragma/knock.php"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16818 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16818.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"ad_type.php?a="; nocase; http_uri; pcre:"/ad_type.php?a=[A-Z\d]{13}/Ui"; metadata:impact_flag red, service http; classtype:trojan-activity; 16819 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16819.html protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"all_source"; nocase; classtype:protocol-command-decode; 1682 ORACLE all_source access trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"ini=v22Mm2exH4anDDE0u1AXRrVqb7"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16820 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16820.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"kx.php"; nocase; http_uri; content:"SIY1|5C|Y)_XYEFDK7M76MKIIL<OH"; nocase; http_client_body; metadata:impact_flag red, service http; classtype:trojan-activity; 16821 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16821.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/clcount/ip.asp?action=install&mac="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16822 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16822.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/piao1.asp?AC="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16823 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16823.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/bar/v16-106/c1/jsc/fmr.js?c="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16824 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16824.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"adv=adv"; nocase; http_uri; content:"code1="; nocase; http_uri; content:"code2=uri:id="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16825 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16825.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/p6.asp?MAC="; nocase; http_uri; content:"Publicer="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16826 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16826.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/code/pop_data3.asp?f=48843&t=a"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16827 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16827.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/indeh.php"; nocase; http_uri; content:"&v=5&z=com&s=f01"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16828 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16828.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/web/counter/install.check.php"; nocase; http_uri; content:"in_mac="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16829 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16829.html protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"all_tables"; nocase; classtype:protocol-command-decode; 1683 ORACLE all_tables access trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/socks.php?name="; nocase; http_uri; content:"port="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16830 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16830.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/count/inst.php?ucode="; nocase; http_uri; content:"pcode="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16831 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16831.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/LockIeHome/?mac="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16832 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16832.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ping.txt?u="; nocase; http_uri; content:"pg="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16833 BOTNET-CNC known command and control channel traffic labs.snort.org/docs/16833.html protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"all_tab_columns"; nocase; classtype:protocol-command-decode; 1684 ORACLE all_tab_columns access protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"all_tab_privs"; nocase; classtype:protocol-command-decode; 1685 ORACLE all_tab_privs access protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"dba_tablespace"; nocase; classtype:protocol-command-decode; 1686 ORACLE dba_tablespace access protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"user_tablespace"; nocase; classtype:protocol-command-decode; 1688 ORACLE user_tablespace access protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"sys.all_users"; nocase; classtype:protocol-command-decode; 1689 ORACLE sys.all_users access protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"alter user"; nocase; content:" identified by "; nocase; classtype:protocol-command-decode; 1691 ORACLE ALTER USER attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"ucsp0416.exe?t="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16911 BLACKLIST URI request for known malicious URI - ucsp0416.exe?t= labs.snort.org/docs/16911.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"net/cfg2.bin"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16912 BLACKLIST URI request for known malicious URI - net/cfg2.bin labs.snort.org/docs/16912.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:".bin?ucsp"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16914 BLACKLIST URI request for known malicious URI - .bin?ucsp labs.snort.org/docs/16914.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/MNG/Download/?File=AZF"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16915 BLACKLIST URI request for known malicious URI - /MNG/Download/?File=AZF labs.snort.org/docs/16915.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/jarun/jezerce"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16916 BLACKLIST URI request for known malicious URI - /jarun/jezerce labs.snort.org/docs/16916.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ekaterina/velika"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16917 BLACKLIST URI request for known malicious URI - /ekaterina/velika labs.snort.org/docs/16917.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ultimate/fight"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16918 BLACKLIST URI request for known malicious URI - /ultimate/fight labs.snort.org/docs/16918.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/tmp/pm.exe?t="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16919 BLACKLIST URI request for known malicious URI - /tmp/pm.exe?t= labs.snort.org/docs/16919.html protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"drop table"; nocase; classtype:protocol-command-decode; 1692 ORACLE drop table attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/DownLoadFile/BaePo/ver"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16920 BLACKLIST URI request for known malicious URI - /DownLoadFile/BaePo/ver labs.snort.org/docs/16920.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/s1/launcher/update/Update/data/"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16921 BLACKLIST URI request for known malicious URI - /s1/launcher/update/Update/data/ labs.snort.org/docs/16921.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/stat.html?0dPg0uXTraCSqrOdlrKpmpyorePbz"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16928 BLACKLIST URI request for known malicious URI - /stat.html?0dPg0uXTraCSqrOdlrKpmpyorePbz labs.snort.org/docs/16928.html protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"create table"; nocase; classtype:protocol-command-decode; 1693 ORACLE create table attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"count.asp?mac="; nocase; http_uri; content:"os=Windows"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16930 BLACKLIST URI request for known malicious URI - count.asp?mac= labs.snort.org/docs/16930.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/qqnongchang/qqkj."; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 16932 BLACKLIST URI request for known malicious URI - /qqnongchang/qqkj. labs.snort.org/docs/16932.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/root/9"; nocase; http_uri; content:".rar"; nocase; http_uri; pcre:"/\/root\/9\d\d\/frt\d\.rar/Ui"; metadata:impact_flag red, service http; classtype:trojan-activity; 16933 BLACKLIST URI request for known malicious URI - /root/9 frt.rar labs.snort.org/docs/16933.html policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"pku-edp.cn"; nocase; classtype:policy-violation; 16934 PHISHING-SPAM pku-edp.cn known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"sjtu-edp.cn"; nocase; classtype:policy-violation; 16935 PHISHING-SPAM sjtu-edp.cn known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"xoposuhop.cn"; nocase; classtype:policy-violation; 16936 PHISHING-SPAM xoposuhop.cn xoposuhop.cn known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"bestdrug-store.com"; nocase; classtype:policy-violation; 16937 PHISHING-SPAM bestdrug-store.com known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"pharmrik66y.ru"; nocase; classtype:policy-violation; 16938 PHISHING-SPAM pharmrik66y.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"refillleonardo59y.ru"; nocase; classtype:policy-violation; 16939 PHISHING-SPAM refillleonardo59y.ru known spam email attempt protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"alter table"; nocase; classtype:protocol-command-decode; 1694 ORACLE alter table attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"medfreddie55a.ru"; nocase; classtype:policy-violation; 16940 PHISHING-SPAM medfreddie55a.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"drugshershel38w.ru"; nocase; classtype:policy-violation; 16941 PHISHING-SPAM drugshershel38w.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"drugshayyim77n.ru"; nocase; classtype:policy-violation; 16942 PHISHING-SPAM drugshayyim77n.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"erectguthry99c.ru"; nocase; classtype:policy-violation; 16943 PHISHING-SPAM erectguthry99c.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"pilldory92n.ru"; nocase; classtype:policy-violation; 16944 PHISHING-SPAM pilldory92n.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"tabwinn77t.ru"; nocase; classtype:policy-violation; 16945 PHISHING-SPAM tabwinn77t.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"pillrenault15j.ru"; nocase; classtype:policy-violation; 16946 PHISHING-SPAM pillrenault15j.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"pharmrolland95h.ru"; nocase; classtype:policy-violation; 16947 PHISHING-SPAM pharmrolland95h.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"onlineheindrick60i.ru"; nocase; classtype:policy-violation; 16948 PHISHING-SPAM onlineheindrick60i.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"erectnormie71a.ru"; nocase; classtype:policy-violation; 16949 PHISHING-SPAM erectnormie71a.ru known spam email attempt protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"truncate table"; nocase; classtype:protocol-command-decode; 1695 ORACLE truncate table attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"drugsjudd45f.ru"; nocase; classtype:policy-violation; 16951 PHISHING-SPAM drugsjudd45f.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"pharmharman55y.ru"; nocase; classtype:policy-violation; 16952 PHISHING-SPAM pharmharman55y.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"medgaultiero11e.ru"; nocase; classtype:policy-violation; 16953 PHISHING-SPAM medgaultiero11e.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"pillgaylor21n.ru"; nocase; classtype:policy-violation; 16954 PHISHING-SPAM pillgaylor21n.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"drugspenn84f.ru"; nocase; classtype:policy-violation; 16955 PHISHING-SPAM drugspenn84f.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"medebeneser68c.ru"; nocase; classtype:policy-violation; 16956 PHISHING-SPAM medebeneser68c.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"tabmario94r.ru"; nocase; classtype:policy-violation; 16957 PHISHING-SPAM tabmario94r.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"tablennard88q.ru"; nocase; classtype:policy-violation; 16958 PHISHING-SPAM tablennard88q.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"medforster79j.ru"; nocase; classtype:policy-violation; 16959 PHISHING-SPAM medforster79j.ru known spam email attempt protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"create database"; nocase; classtype:protocol-command-decode; 1696 ORACLE create database attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"erectvincent21v.ru"; nocase; classtype:policy-violation; 16960 PHISHING-SPAM erectvincent21v.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"drugsdemott21o.ru"; nocase; classtype:policy-violation; 16961 PHISHING-SPAM drugsdemott21o.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"onlinelovell30p.ru"; nocase; classtype:policy-violation; 16962 PHISHING-SPAM onlinelovell30p.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"erecttaylor49i.ru"; nocase; classtype:policy-violation; 16963 PHISHING-SPAM erecttaylor49i.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"smellexact.ru"; nocase; classtype:policy-violation; 16964 PHISHING-SPAM smellexact.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"givehome.ru"; nocase; classtype:policy-violation; 16965 PHISHING-SPAM givehome.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"thingpath.ru"; nocase; classtype:policy-violation; 16966 PHISHING-SPAM thingpath.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"wereif.ru"; nocase; classtype:policy-violation; 16967 PHISHING-SPAM wereif.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"bassmax.ru"; nocase; classtype:policy-violation; 16968 PHISHING-SPAM bassmax.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"steadfig.ru"; nocase; classtype:policy-violation; 16969 PHISHING-SPAM steadfig.ru known spam email attempt protocol-command-decode tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS flow:to_server,established; content:"alter database"; nocase; classtype:protocol-command-decode; 1697 ORACLE alter database attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"drugsmayne5a.ru"; nocase; classtype:policy-violation; 16970 PHISHING-SPAM drugsmayne5a.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"mystick.ru"; nocase; classtype:policy-violation; 16971 PHISHING-SPAM mystick.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"drugsrey95a.ru"; nocase; classtype:policy-violation; 16972 PHISHING-SPAM drugsrey95a.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"milklowly.ru"; nocase; classtype:policy-violation; 16973 PHISHING-SPAM milklowly.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"numberenough.ru"; nocase; classtype:policy-violation; 16974 PHISHING-SPAM numberenough.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"oldsheer.ru"; nocase; classtype:policy-violation; 16975 PHISHING-SPAM oldsheer.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"logzest.ru"; nocase; classtype:policy-violation; 16976 PHISHING-SPAM logzest.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"energypotent.ru"; nocase; classtype:policy-violation; 16977 PHISHING-SPAM energypotent.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"outhave.ru"; nocase; classtype:policy-violation; 16978 PHISHING-SPAM outhave.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"solvecalm.ru"; nocase; classtype:policy-violation; 16979 PHISHING-SPAM solvecalm.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"stillvisit.ru"; nocase; classtype:policy-violation; 16980 PHISHING-SPAM stillvisit.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"livelycall.ru"; nocase; classtype:policy-violation; 16981 PHISHING-SPAM livelycall.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"64.com1.ru"; nocase; classtype:policy-violation; 16982 PHISHING-SPAM 64.com1.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"heatsettle.ru"; nocase; classtype:policy-violation; 16983 PHISHING-SPAM heatsettle.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"freshmuch.ru"; nocase; classtype:policy-violation; 16984 PHISHING-SPAM freshmuch.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"extoleye.ru"; nocase; classtype:policy-violation; 16985 PHISHING-SPAM extoleye.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"extoleye.ru"; nocase; classtype:policy-violation; 16986 PHISHING-SPAM extoleye.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"tabemmerich86b.ru"; nocase; classtype:policy-violation; 16987 PHISHING-SPAM tabemmerich86b.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"moderneight.ru"; nocase; classtype:policy-violation; 16988 PHISHING-SPAM moderneight.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"tabferd49a.ru"; nocase; classtype:policy-violation; 16989 PHISHING-SPAM tabferd49a.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"nextmail.ru"; nocase; classtype:policy-violation; 16990 PHISHING-SPAM nextmail.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"fruitone.ru"; nocase; classtype:policy-violation; 16991 PHISHING-SPAM fruitone.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"liquideat.ru"; nocase; classtype:policy-violation; 16992 PHISHING-SPAM liquideat.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"tabwinn2a.ru"; nocase; classtype:policy-violation; 16993 PHISHING-SPAM tabwinn2a.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"abletool.ru"; nocase; classtype:policy-violation; 16994 PHISHING-SPAM abletool.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"miltyrefil.ru"; nocase; classtype:policy-violation; 16995 PHISHING-SPAM miltyrefil.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"quincytab.ru"; nocase; classtype:policy-violation; 16996 PHISHING-SPAM quincytab.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"giacoporx.ru"; nocase; classtype:policy-violation; 16997 PHISHING-SPAM giacoporx.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"drugsnevile.ru"; nocase; classtype:policy-violation; 16998 PHISHING-SPAM drugsnevile.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"jasemed.ru"; nocase; classtype:policy-violation; 16999 PHISHING-SPAM jasemed.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"ximenezdrug.ru"; nocase; classtype:policy-violation; 17000 PHISHING-SPAM ximenezdrug.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"dillonline.ru"; nocase; classtype:policy-violation; 17001 PHISHING-SPAM dillonline.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"swellliquid.ru"; nocase; classtype:policy-violation; 17002 PHISHING-SPAM swellliquid.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"younglaugh.ru"; nocase; classtype:policy-violation; 17003 PHISHING-SPAM younglaugh.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"2047757.kaskad-travel.ru"; nocase; classtype:policy-violation; 17004 PHISHING-SPAM 2047757.kaskad-travel.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"paintwater.ru"; nocase; classtype:policy-violation; 17005 PHISHING-SPAM paintwater.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"lovingover.ru"; nocase; classtype:policy-violation; 17006 PHISHING-SPAM lovingover.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"pharmerastus.ru"; nocase; classtype:policy-violation; 17007 PHISHING-SPAM pharmerastus.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"hisoffer.ru"; nocase; classtype:policy-violation; 17008 PHISHING-SPAM hisoffer.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"butleft.ru"; nocase; classtype:policy-violation; 17009 PHISHING-SPAM butleft.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"starknow.ru"; nocase; classtype:policy-violation; 17010 PHISHING-SPAM starknow.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"beginwisdom.ru"; nocase; classtype:policy-violation; 17011 PHISHING-SPAM beginwisdom.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"oneus.ru"; nocase; classtype:policy-violation; 17012 PHISHING-SPAM oneus.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"reapcomfy.ru"; nocase; classtype:policy-violation; 17013 PHISHING-SPAM reapcomfy.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"rowsay.ru"; nocase; classtype:policy-violation; 17014 PHISHING-SPAM rowsay.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"pamperletter.ru"; nocase; classtype:policy-violation; 17015 PHISHING-SPAM pamperletter.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"boxdouble.ru"; nocase; classtype:policy-violation; 17016 PHISHING-SPAM boxdouble.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"beatmoon.ru"; nocase; classtype:policy-violation; 17017 PHISHING-SPAM beatmoon.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"ensureequate.ru"; nocase; classtype:policy-violation; 17018 PHISHING-SPAM ensureequate.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"miltyrefil.ru"; nocase; classtype:policy-violation; 17019 PHISHING-SPAM miltyrefil.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"sheerwheel.ru"; nocase; classtype:policy-violation; 17020 PHISHING-SPAM sheerwheel.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"nearpass.ru"; nocase; classtype:policy-violation; 17021 PHISHING-SPAM nearpass.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"thatmile.ru"; nocase; classtype:policy-violation; 17022 PHISHING-SPAM thatmile.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"hillfoot.ru"; nocase; classtype:policy-violation; 17023 PHISHING-SPAM hillfoot.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"writeobject.ru"; nocase; classtype:policy-violation; 17024 PHISHING-SPAM writeobject.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"thoughthese.ru"; nocase; classtype:policy-violation; 17025 PHISHING-SPAM thoughthese.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"redlead.ru"; nocase; classtype:policy-violation; 17026 PHISHING-SPAM redlead.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"pamperletter.ru"; nocase; classtype:policy-violation; 17028 PHISHING-SPAM pamperletter.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"tenderpower.ru"; nocase; classtype:policy-violation; 17029 PHISHING-SPAM tenderpower.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"fewvalley.ru"; nocase; classtype:policy-violation; 17030 PHISHING-SPAM fewvalley.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"burnshy.ru"; nocase; classtype:policy-violation; 17031 PHISHING-SPAM burnshy.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"centtry.ru"; nocase; classtype:policy-violation; 17032 PHISHING-SPAM centtry.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"signpearl.ru"; nocase; classtype:policy-violation; 17033 PHISHING-SPAM signpearl.ru known spam email attempt 40097 attempted-dos 2010-1635 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:to_server,established; content:"|FF|SMBs|00 00 00 00 18 03 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:100; offset:4; metadata:service netbios-ssn; classtype:attempted-dos; 17151 SPECIFIC-THREATS Samba smbd flags2 header parsing denial of service attempt - 1 40097 attempted-dos 2010-1635 tcp $EXTERNAL_NET any -> $HOME_NET [139,445] flow:to_server,established; content:"|FF|SMBs|00 00 00 00 18 01 C8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:100; offset:4; metadata:service netbios-ssn; classtype:attempted-dos; 17152 SPECIFIC-THREATS Samba smbd flags2 header parsing denial of service attempt - 2 40403 attempted-admin 2010-1938 tcp $EXTERNAL_NET any -> $HOME_NET 21 flow:to_server,established; content:"USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; fast_pattern:only; metadata:service ftp; classtype:attempted-admin; 17155 SPECIFIC-THREATS Multiple vendors OPIE off-by-one stack buffer overflow attempt attempted-user 2005-3382 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established,no_stream; content:"Content|2D|Type|3A 20|text|2F|html"; fast_pattern:3,20; nocase; http_header; file_data; pcre:"/^(MZ|PK|BZh|BZ|GIF8|BM|IC|PI|CI|CP)/R"; classtype:attempted-user; 17276 MISC Multiple vendor Antivirus magic byte detection evasion attempt attempted-user 2005-3382 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established,no_stream; content:"Content|2D|Type|3A 20|message|2F|rfc822"; fast_pattern:8,20; nocase; http_header; pcre:"/\x0D\x0A?(MZ|PK|BZh|BZ|GIF8|BM|IC|PI|CI|CP)/"; classtype:attempted-user; 17277 WEB-MISC Multiple vendor Antivirus magic byte detection evasion attempt attempted-user 2005-3382 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established,no_stream; content:"Content|2D|Type|3A 20|application|2F|bat"; fast_pattern:9,20; nocase; http_header; pcre:"/\x0D\x0A?(MZ|PK|BZh|BZ|GIF8|BM|IC|PI|CI|CP)/"; classtype:attempted-user; 17278 WEB-MISC Multiple vendor Antivirus magic byte detection evasion attempt attempted-user 2005-3922 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"Rar!|1A|"; within:5; content:"|77|"; content:"|01 01 00|"; within:3; distance:8; byte_test:2,>,3168,0,relative; classtype:attempted-user; 17282 MISC Panda Antivirus ZOO archive decompression buffer overflow attempt 30418 attempted-user 2008-3408 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"Content-Type|3A| audio|2F|x-mpegurl"; http_header; content:"aaaaaaaaaaaaa"; nocase; classtype:attempted-user; 17309 SPECIFIC-THREATS CoolPlayer Playlist File Handling Buffer Overflow 15907 attempted-user 2005-3652 udp $EXTERNAL_NET 1604 -> $HOME_NET any content:"|04 33|"; depth:2; offset:2; isdataat:292,relative; pcre:"/\x04\x33.{36}[^\n]{256}/smi"; classtype:attempted-user; 17326 EXPLOIT Citrix Program Neighborhood Client buffer overflow attempt 4628 web-application-attack 2002-0354 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; classtype:web-application-attack; 1735 WEB-CLIENT XMLHttpRequest attempt 14359 attempted-user 2005-2450 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"|50 4D 47 4C 4A 0D 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 01 2F 00 00 00 8F FF FF FF 7F 58 48 44 52|"; classtype:attempted-user; 17352 EXPLOIT ClamAV CHM File Handling Integer Overflow attempt 14773 attempted-admin 2005-2903 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; file_data; content:"|60 EA|"; within:2; byte_jump:2,0,relative,little; content:"|60 EA|"; within:2; distance:6; byte_test:2,>,256,0,relative,little; classtype:attempted-admin; 17356 EXPLOIT NOD32 Anti-Virus ARJ Archive Handling Buffer Overflow attempt 14866 attempted-user 2005-2920 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:from_server,established; content:"|55 50 58 31 00 00 00 00 00 50 00 00 00 10 10 00 00 48 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 E0|"; content:"|D7 FE EF 14 02 2D 8B F8 8D 44 24 18 50 FF 74 04 10 03 7F 1D 2F FF 6F DF 8B D8 19 B5 2E 18 5F 5E 8B C3 5B C3 83 3D E8 A6 02 74 05 BE BD EB 76 16|"; distance:0; classtype:attempted-user; 17358 EXPLOIT ClamAV UPX File Handling Buffer Overflow attempt 4612 web-application-attack 2002-0614 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/global.inc"; nocase; http_uri; metadata:service http; classtype:web-application-attack; 1738 WEB-MISC global.inc access 4621 web-application-attack tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"secure_site, ok"; nocase; metadata:service http; classtype:web-application-attack; 1744 WEB-MISC SecureSite authentication bypass attempt 4631 misc-attack 2002-0084 tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 flow:to_server,established; isdataat:720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; fast_pattern:only; classtype:misc-attack; 1751 EXPLOIT cachefsd buffer overflow attempt 10951 misc-attack tcp $AIM_SERVERS any -> $HOME_NET any flow:to_client,established; content:"aim|3A|AddExternalApp?"; fast_pattern:only; classtype:misc-attack; 1752 MISC AIM AddExternalApp attempt www.w00w00.org/files/w00aimexp/ 33342 attempted-admin 2009-0270 udp $EXTERNAL_NET any -> $HOME_NET 4011 dsize:>1024; classtype:attempted-admin; 17524 SPECIFIC-THREATS Fujitsu SystemcastWizard Lite PXEService UDP Handling Buffer Overflow 23483 attempted-admin 2007-1674 udp $EXTERNAL_NET any -> $HOME_NET 65535 dsize:>268; classtype:attempted-admin; 17567 SPECIFIC-THREATS LANDesk Management Suite Alerting Service buffer overflow 13793 web-application-attack 2005-1747 tcp $EXTERNAL_NET any -> $HOME_NET 7001 flow:to_server,established; content:"/console/login/LoginForm.jsp?j_password=|22 22|onBlur=|22|window.open"; nocase; http_uri; classtype:web-application-attack; 17569 EXPLOIT BEA Weblogic Admin Console Cross Site Scripting Vulnerability attempt 4673 web-application-attack 2002-1466 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/b2/b2-include/"; http_uri; content:"b2inc"; content:"http|3A|//"; metadata:service http; classtype:web-application-attack; 1757 WEB-MISC b2 arbitrary command execution attempt 11667 21565 attempted-admin 2006-6222 tcp $EXTERNAL_NET any -> $HOME_NET 13782 flow:to_server,established; content:"|00 18 00 24 00 01 00 00 EE 0B|"; depth:10; classtype:attempted-admin; 17657 EXPLOIT Symantec NetBackup BPCD Daemon exploit attempt 1684 web-application-attack 2000-0835 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/search.dll"; http_uri; content:"query=%00"; metadata:service http; classtype:web-application-attack; 1766 WEB-MISC search.dll directory listing attempt 10514 22630 attempted-user 2007-1071 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; file_data; content:"GIF8"; within:4; content:"a"; within:1; distance:1; byte_test:1,!&,0x80,4,relative; pcre:"/^.{7}\x2C.{5}([\xE0-\xFF]|.{2}[\xE0-\xFF])/sR"; metadata:service http; classtype:attempted-user; 17664 WEB-CLIENT GIF image descriptor memory corruption attempt www.microsoft.com/technet/security/bulletin/ms06-039.mspx 29509 attempted-dos 2008-1441 ip $HOME_NET any -> $HOME_NET any gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|17667; 17667 MISC Windows Pragmatic General Multicast Protocol memory consumption denial of service attempt www.microsoft.com/technet/security/bulletin/ms08-036.mspx 1684 web-application-activity 2000-0835 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/search.dll"; http_uri; metadata:service http; classtype:web-application-activity; 1767 WEB-MISC search.dll access 10514 web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/.DS_Store"; http_uri; metadata:service http; classtype:web-application-activity; 1769 WEB-MISC .DS_Store access www.macintouch.com/mosxreaderreports46.html 29623 attempted-admin 2008-0960 udp $EXTERNAL_NET any -> $HOME_NET 161 gid:3; classtype:attempted-admin; metadata: engine shared, soid 3|17699, service snmp; 17699 SNMP Multiple vendor SNMPv3 HMAC handling authentication bypass attempt web-application-activity tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:to_server,established; content:"/.FBCIndex"; http_uri; metadata:service http; classtype:web-application-activity; 1770 WEB-MISC .FBCIndex access www.securiteam.com/securitynews/5LP0O005FS.html 18858 attempted-user 2006-0026 tcp $EXTERNAL_NET any -> $HOME_NET 1958 flow:established,to_server; content:"<!--|23|include file=|22 61 61 61 61 61 61 61 61|"; fast_pattern:only; nocase; metadata:service http; classtype:attempted-user; 17724 SPECIFIC-THREATS malicious ASP file upload attempt www.microsoft.com/technet/security/bulletin/ms06-034.mspx shellcode-detect ip $EXTERNAL_NET any -> $HOME_NET any gid:3; classtype:shellcode-detect; metadata: engine shared, soid 3|17775; 17775 SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected 34086 attempted-admin 2008-4564 tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 flow:established,to_server; content:"=FFWPC=3D=06=00=00=01=0A"; nocase; content:"=D5ju=FC=16=F8=AE2"; distance:0; nocase; metadata:service smtp; classtype:attempted-admin; 17777 SPECIFIC-THREATS IBM Lotus Notes WPD attachment handling buffer overflow 13944 attempted-user 2006-3448 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"Microsoft Interactive Training]"; content:"|43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43|"; content:"Syllabus="; content:"|41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; classtype:attempted-user; 17780 SPECIFIC-THREATS CBO CBL CBM buffer overflow attempt 18492 www.microsoft.com/technet/security/bulletin/MS05-031.mspx protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|16|"; depth:1; offset:7; classtype:protocol-command-decode; 17782 SCADA Modbus write multiple registers from external source www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|06|"; depth:1; offset:7; classtype:protocol-command-decode; 17783 SCADA Modbus write single register from external source www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|05|"; depth:1; offset:7; classtype:protocol-command-decode; 17784 SCADA Modbus write single coil from external source www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|15|"; depth:1; offset:7; classtype:protocol-command-decode; 17785 SCADA Modbus write multiple coils from external source www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|21|"; depth:1; offset:7; classtype:protocol-command-decode; 17786 SCADA Modbus write file record from external source www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|02|"; depth:1; offset:7; classtype:protocol-command-decode; 17787 SCADA Modbus read discrete inputs from external source www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|01|"; depth:1; offset:7; classtype:protocol-command-decode; 17788 SCADA Modbus read coils from external source www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|04|"; depth:1; offset:7; classtype:protocol-command-decode; 17789 SCADA Modbus read input register from external source www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|03|"; depth:1; offset:7; classtype:protocol-command-decode; 17790 SCADA Modbus read holding registers from external source www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|23|"; depth:1; offset:7; classtype:protocol-command-decode; 17791 SCADA Modbus read/write multiple registers from external source www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|24|"; depth:1; offset:7; classtype:protocol-command-decode; 17792 SCADA Modbus read fifo queue from external source www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|20|"; depth:1; offset:7; classtype:protocol-command-decode; 17793 SCADA Modbus read file record from external source www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|07|"; depth:1; offset:7; classtype:protocol-command-decode; 17794 SCADA Modbus read exception status from external source www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|08|"; depth:1; offset:7; classtype:protocol-command-decode; 17795 SCADA Modbus initiate diagnostic from external source www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|11|"; depth:1; offset:7; classtype:protocol-command-decode; 17796 SCADA Modbus get com event counter from external source www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|12|"; depth:1; offset:7; classtype:protocol-command-decode; 17797 SCADA Modbus get com event log from external source www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|17|"; depth:1; offset:7; classtype:protocol-command-decode; 17798 SCADA Modbus report slave id from external source www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|43|"; depth:1; offset:7; classtype:protocol-command-decode; 17799 SCADA Modbus read device identification from external source www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf protocol-command-decode tcp $EXTERNAL_NET any -> $HOME_NET 502 flow:established,to_server; content:"|22|"; depth:1; offset:7; classtype:protocol-command-decode; 17800 SCADA Modbus mask write register from external source www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET 1024: flow:to_server,established; content:"|0A|USER VirUs|20 22 22 20 22|lol|22 20 3A|"; fast_pattern:only; classtype:trojan-activity; 17805 SPYWARE-PUT Worm.Win32.Neeris.BF contact to server attempt www.virustotal.com/latest-report.html?resource=968470dd871f3047cf48b23f0c83985f trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/reques0.asp?kind=006&mac="; nocase; http_uri; metadata:service http; classtype:trojan-activity; 17899 BLACKLIST URI request for known malicious URI - /reques0.asp?kind=006&mac= labs.snort.org/docs/17899.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/basic/cn3c2/c"; nocase; http_uri; pcre:"//basic/cn3c2/c.*dll/Ui"; metadata:service http; classtype:trojan-activity; 17900 BLACKLIST URI request for known malicious URI - /basic/cn3c2/c.*dll labs.snort.org/docs/17900.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/mybackup21.rar"; nocase; http_uri; metadata:service http; classtype:trojan-activity; 17901 BLACKLIST URI request for known malicious URI - /mybackup21.rar labs.snort.org/docs/17901.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/?getexe=loader.exe"; nocase; http_uri; metadata:service http; classtype:trojan-activity; 17902 BLACKLIST URI request for known malicious URI - /?getexe=loader.exe labs.snort.org/docs/17902.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"stid="; nocase; http_uri; content:"unq="; nocase; http_uri; content:"hs=www.play65.com"; nocase; http_uri; metadata:service http; classtype:trojan-activity; 17903 BLACKLIST URI request for known malicious URI - stid= labs.snort.org/docs/17903.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/tongji.js"; nocase; http_uri; metadata:service http; classtype:trojan-activity; 17904 BLACKLIST URI request for known malicious URI - /tongji.js labs.snort.org/docs/17904.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/MNG/Download/?File=AZF:|7C|DATADIR|7C|Download"; nocase; http_uri; metadata:service http; classtype:trojan-activity; 17907 BLACKLIST URI request for known malicious URI - /MNG/Download/?File=AZF|DATADIR|Download labs.snort.org/docs/17907.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/images/crypt_22.exe"; nocase; http_uri; metadata:service http; classtype:trojan-activity; 17908 BLACKLIST URI request for known malicious URI - /images/crypt_22.exe labs.snort.org/docs/17908.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/images/css/1.exe"; nocase; http_uri; metadata:service http; classtype:trojan-activity; 17909 BLACKLIST URI request for known malicious URI - /images/css/1.exe labs.snort.org/docs/17909.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/7xdown.exe"; nocase; http_uri; metadata:service http; classtype:trojan-activity; 17910 BLACKLIST URI request for known malicious URI - /7xdown.exe labs.snort.org/docs/17910.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/winhelper.exe"; nocase; http_uri; metadata:service http; classtype:trojan-activity; 17911 BLACKLIST URI request for known malicious URI - /winhelper.exe labs.snort.org/docs/17911.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/upopwin/count.asp?mac="; nocase; http_uri; metadata:service http; classtype:trojan-activity; 17912 BLACKLIST URI request for known malicious URI - /upopwin/count.asp?mac= labs.snort.org/docs/17912.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/ok.exe"; nocase; http_uri; metadata:service http; classtype:trojan-activity; 17913 BLACKLIST URI request for known malicious URI - /ok.exe labs.snort.org/docs/17913.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/LjBin/Bin.Dll"; nocase; http_uri; metadata:service http; classtype:trojan-activity; 17914 BLACKLIST URI request for known malicious URI - /LjBin/Bin.Dll labs.snort.org/docs/17914.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/1001ns/cfg3n.bin"; nocase; http_uri; metadata:service http; classtype:trojan-activity; 17915 BLACKLIST URI request for known malicious URI - /1001ns/cfg3n.bin labs.snort.org/docs/17915.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/dh/stats.bin"; nocase; http_uri; metadata:service http; classtype:trojan-activity; 17916 BLACKLIST URI request for known malicious URI - /dh/stats.bin labs.snort.org/docs/17916.html trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:to_server,established; content:"/zeus/config.bin"; nocase; http_uri; metadata:service http; classtype:trojan-activity; 17917 BLACKLIST URI request for known malicious URI - /zeus/config.bin labs.snort.org/docs/17917.html policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"aaof.onlinelewiss22r.ru"; nocase; classtype:policy-violation; 17918 PHISHING-SPAM aaof.onlinelewiss22r.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"akiq.onlinetommie54y.ru"; nocase; classtype:policy-violation; 17919 PHISHING-SPAM akiq.onlinetommie54y.ru known spam email attempt 4900 protocol-command-decode 2002-0909 tcp $EXTERNAL_NET 119 -> $HOME_NET any flow:to_client,established; content:"200"; isdataat:256,relative; pcre:"/^200\s[^\n]{256}/smi"; metadata:service nntp; classtype:protocol-command-decode; 1792 NNTP return code buffer overflow attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"aobuii.onlinelewiss22r.ru"; nocase; classtype:policy-violation; 17920 PHISHING-SPAM aobuii.onlinelewiss22r.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"argue.medrayner44c.ru"; nocase; classtype:policy-violation; 17921 PHISHING-SPAM argue.medrayner44c.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"ava.refilleldredge89r.ru"; nocase; classtype:policy-violation; 17922 PHISHING-SPAM ava.refilleldredge89r.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"axoseb.medicdrugsxck.ru"; nocase; classtype:policy-violation; 17923 PHISHING-SPAM axoseb.medicdrugsxck.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"azo.onlinetommie54y.ru"; nocase; classtype:policy-violation; 17924 PHISHING-SPAM azo.onlinetommie54y.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"back.pharmroyce83b.ru"; nocase; classtype:policy-violation; 17925 PHISHING-SPAM back.pharmroyce83b.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"by.pharmroyce83b.ru"; nocase; classtype:policy-violation; 17926 PHISHING-SPAM by.pharmroyce83b.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"cardinals.refilldud86o.ru"; nocase; classtype:policy-violation; 17927 PHISHING-SPAM cardinals.refilldud86o.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"chemist.onlineruggiero33q.ru"; nocase; classtype:policy-violation; 17928 PHISHING-SPAM chemist.onlineruggiero33q.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"chula.pharmroyce83b.ru"; nocase; classtype:policy-violation; 17929 PHISHING-SPAM chula.pharmroyce83b.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"classification.refillreade47j.ru"; nocase; classtype:policy-violation; 17930 PHISHING-SPAM classification.refillreade47j.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"compensate.refilldud86o.ru"; nocase; classtype:policy-violation; 17931 PHISHING-SPAM compensate.refilldud86o.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"cswjlxey.ru"; nocase; classtype:policy-violation; 17932 PHISHING-SPAM cswjlxey.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"current.refillreade47j.ru"; nocase; classtype:policy-violation; 17933 PHISHING-SPAM current.refillreade47j.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"cyacaz.pilltodd73p.ru"; nocase; classtype:policy-violation; 17934 PHISHING-SPAM cyacaz.pilltodd73p.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"deepcenter.ru"; nocase; classtype:policy-violation; 17935 PHISHING-SPAM deepcenter.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"delegate.refillreade47j.ru"; nocase; classtype:policy-violation; 17936 PHISHING-SPAM delegate.refillreade47j.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"diet.medrayner44c.ru"; nocase; classtype:policy-violation; 17937 PHISHING-SPAM diet.medrayner44c.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"direct.refillreade47j.ru"; nocase; classtype:policy-violation; 17938 PHISHING-SPAM direct.refillreade47j.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"divyo.pillking74s.ru"; nocase; classtype:policy-violation; 17939 PHISHING-SPAM divyo.pillking74s.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"drugsgeorge65g.ru"; nocase; classtype:policy-violation; 17940 PHISHING-SPAM drugsgeorge65g.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"dux.erectnoll24k.ru"; nocase; classtype:policy-violation; 17941 PHISHING-SPAM dux.erectnoll24k.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"dypoh.erectjefferey85n.ru"; nocase; classtype:policy-violation; 17942 PHISHING-SPAM dypoh.erectjefferey85n.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"eaihar.refilleldredge89r.ru"; nocase; classtype:policy-violation; 17943 PHISHING-SPAM eaihar.refilleldredge89r.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"eeez.onlinehamel83i.ru"; nocase; classtype:policy-violation; 17944 PHISHING-SPAM eeez.onlinehamel83i.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"egi.refilleldredge89r.ru"; nocase; classtype:policy-violation; 17945 PHISHING-SPAM egi.refilleldredge89r.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"ehyw.cumedicdrugsx.ru"; nocase; classtype:policy-violation; 17946 PHISHING-SPAM ehyw.cumedicdrugsx.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"eka.onlinehamel83i.ru"; nocase; classtype:policy-violation; 17947 PHISHING-SPAM eka.onlinehamel83i.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"election.refillreade47j.ru"; nocase; classtype:policy-violation; 17948 PHISHING-SPAM election.refillreade47j.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"elik.drugslevy46b.ru"; nocase; classtype:policy-violation; 17949 PHISHING-SPAM elik.drugslevy46b.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"epeno.onlinelewiss22r.ru"; nocase; classtype:policy-violation; 17950 PHISHING-SPAM epeno.onlinelewiss22r.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"erectgodart30s.ru"; nocase; classtype:policy-violation; 17951 PHISHING-SPAM erectgodart30s.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"erol.camedicdrugsx.ru"; nocase; classtype:policy-violation; 17952 PHISHING-SPAM erol.camedicdrugsx.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"exa.drugslevy46b.ru"; nocase; classtype:policy-violation; 17953 PHISHING-SPAM exa.drugslevy46b.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"eyu.onlinehamel83i.ru"; nocase; classtype:policy-violation; 17954 PHISHING-SPAM eyu.onlinehamel83i.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"fashionchannel.ru"; nocase; classtype:policy-violation; 17955 PHISHING-SPAM fashionchannel.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"fauxy.pillking74s.ru"; nocase; classtype:policy-violation; 17956 PHISHING-SPAM fauxy.pillking74s.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"food.refillreade47j.ru"; nocase; classtype:policy-violation; 17957 PHISHING-SPAM food.refillreade47j.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"generality.onlinehill21q.ru"; nocase; classtype:policy-violation; 17958 PHISHING-SPAM generality.onlinehill21q.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"goyry.ramedicdrugsx.ru"; nocase; classtype:policy-violation; 17959 PHISHING-SPAM goyry.ramedicdrugsx.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"gueepa.erectnoll24k.ru"; nocase; classtype:policy-violation; 17960 PHISHING-SPAM gueepa.erectnoll24k.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"has.refillreade47j.ru"; nocase; classtype:policy-violation; 17961 PHISHING-SPAM has.refillreade47j.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"have.medrayner44c.ru"; nocase; classtype:policy-violation; 17962 PHISHING-SPAM have.medrayner44c.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"headtest.ru"; nocase; classtype:policy-violation; 17963 PHISHING-SPAM headtest.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"huhuh.pilltodd73p.ru"; nocase; classtype:policy-violation; 17964 PHISHING-SPAM huhuh.pilltodd73p.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"hyem.pilltodd73p.ru"; nocase; classtype:policy-violation; 17965 PHISHING-SPAM hyem.pilltodd73p.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"icysa.refilleldredge89r.ru"; nocase; classtype:policy-violation; 17966 PHISHING-SPAM icysa.refilleldredge89r.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"iiy.refilleldredge89r.ru"; nocase; classtype:policy-violation; 17967 PHISHING-SPAM iiy.refilleldredge89r.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"iki.onlinetommie54y.ru"; nocase; classtype:policy-violation; 17968 PHISHING-SPAM iki.onlinetommie54y.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"iner.medicdrugsxdl.ru"; nocase; classtype:policy-violation; 17969 PHISHING-SPAM iner.medicdrugsxdl.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"in.onlinehill21q.ru"; nocase; classtype:policy-violation; 17970 PHISHING-SPAM in.onlinehill21q.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"intelpost.ru"; nocase; classtype:policy-violation; 17971 PHISHING-SPAM intelpost.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"inunuw.medicdrugsxpo.ru"; nocase; classtype:policy-violation; 17972 PHISHING-SPAM inunuw.medicdrugsxpo.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"ipiig.drugslevy46b.ru"; nocase; classtype:policy-violation; 17973 PHISHING-SPAM ipiig.drugslevy46b.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"iqor.pilltodd73p.ru"; nocase; classtype:policy-violation; 17974 PHISHING-SPAM iqor.pilltodd73p.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"is.medrayner44c.ru"; nocase; classtype:policy-violation; 17975 PHISHING-SPAM is.medrayner44c.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"itaca.erectnoll24k.ru"; nocase; classtype:policy-violation; 17976 PHISHING-SPAM itaca.erectnoll24k.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"ive.pilltodd73p.ru"; nocase; classtype:policy-violation; 17977 PHISHING-SPAM ive.pilltodd73p.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"iweqyz.erectjefferey85n.ru"; nocase; classtype:policy-violation; 17978 PHISHING-SPAM iweqyz.erectjefferey85n.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"iycyde.medicdrugsxco.ru"; nocase; classtype:policy-violation; 17979 PHISHING-SPAM iycyde.medicdrugsxco.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"iyw.refilleldredge89r.ru"; nocase; classtype:policy-violation; 17980 PHISHING-SPAM iyw.refilleldredge89r.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"jaecoh.erectnoll24k.ru"; nocase; classtype:policy-violation; 17981 PHISHING-SPAM jaecoh.erectnoll24k.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"jael.pillking74s.ru"; nocase; classtype:policy-violation; 17982 PHISHING-SPAM jael.pillking74s.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"jex.remedicdrugsx.ru"; nocase; classtype:policy-violation; 17983 PHISHING-SPAM jex.remedicdrugsx.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"john.onlinehill21q.ru"; nocase; classtype:policy-violation; 17984 PHISHING-SPAM john.onlinehill21q.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"joseph.refillreade47j.ru"; nocase; classtype:policy-violation; 17985 PHISHING-SPAM joseph.refillreade47j.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"jyn.medicdrugsxdl.ru"; nocase; classtype:policy-violation; 17986 PHISHING-SPAM jyn.medicdrugsxdl.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"jyzyv.refilleldredge89r.ru"; nocase; classtype:policy-violation; 17987 PHISHING-SPAM jyzyv.refilleldredge89r.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"koosaf.erectnoll24k.ru"; nocase; classtype:policy-violation; 17988 PHISHING-SPAM koosaf.erectnoll24k.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"lybah.pilltodd73p.ru"; nocase; classtype:policy-violation; 17989 PHISHING-SPAM lybah.pilltodd73p.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"manila.onlinephilbert42f.ru"; nocase; classtype:policy-violation; 17990 PHISHING-SPAM manila.onlinephilbert42f.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"masa.erectjefferey85n.ru"; nocase; classtype:policy-violation; 17991 PHISHING-SPAM masa.erectjefferey85n.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"medpenny17j.ru"; nocase; classtype:policy-violation; 17992 PHISHING-SPAM medpenny17j.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"minionspre.ru"; nocase; classtype:policy-violation; 17993 PHISHING-SPAM minionspre.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"nazuwu.onlinelewiss22r.ru"; nocase; classtype:policy-violation; 17994 PHISHING-SPAM nazuwu.onlinelewiss22r.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"negotiations.refilldud86o.ru"; nocase; classtype:policy-violation; 17995 PHISHING-SPAM negotiations.refilldud86o.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"niqiv.erectjefferey85n.ru"; nocase; classtype:policy-violation; 17996 PHISHING-SPAM niqiv.erectjefferey85n.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"odimys.medicdrugsxlb.ru"; nocase; classtype:policy-violation; 17997 PHISHING-SPAM odimys.medicdrugsxlb.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"odoog.onlinelewiss22r.ru"; nocase; classtype:policy-violation; 17998 PHISHING-SPAM odoog.onlinelewiss22r.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"oekaka.aimedicdrugsx.ru"; nocase; classtype:policy-violation; 17999 PHISHING-SPAM oekaka.aimedicdrugsx.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"oeqio.erectnoll24k.ru"; nocase; classtype:policy-violation; 18000 PHISHING-SPAM oeqio.erectnoll24k.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"of.onlinephilbert42f.ru"; nocase; classtype:policy-violation; 18001 PHISHING-SPAM of.onlinephilbert42f.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"of.refilldud86o.ru"; nocase; classtype:policy-violation; 18002 PHISHING-SPAM of.refilldud86o.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"of.refillreade47j.ru"; nocase; classtype:policy-violation; 18003 PHISHING-SPAM of.refillreade47j.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"oipek.onlinehamel83i.ru"; nocase; classtype:policy-violation; 18004 PHISHING-SPAM oipek.onlinehamel83i.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"oji.medicdrugsxto.ru"; nocase; classtype:policy-violation; 18005 PHISHING-SPAM oji.medicdrugsxto.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"onotye.onlinelewiss22r.ru"; nocase; classtype:policy-violation; 18006 PHISHING-SPAM onotye.onlinelewiss22r.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"opy.erectjefferey85n.ru"; nocase; classtype:policy-violation; 18007 PHISHING-SPAM opy.erectjefferey85n.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"orderbuzz.ru"; nocase; classtype:policy-violation; 18008 PHISHING-SPAM orderbuzz.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"ouu.almedicdrugsx.ru"; nocase; classtype:policy-violation; 18009 PHISHING-SPAM ouu.almedicdrugsx.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"oxuc.pillking74s.ru"; nocase; classtype:policy-violation; 18010 PHISHING-SPAM oxuc.pillking74s.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"pillrolfe64l.ru"; nocase; classtype:policy-violation; 18011 PHISHING-SPAM pillrolfe64l.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"recently.refilldud86o.ru"; nocase; classtype:policy-violation; 18012 PHISHING-SPAM recently.refilldud86o.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"records.onlinephilbert42f.ru"; nocase; classtype:policy-violation; 18013 PHISHING-SPAM records.onlinephilbert42f.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"reobaj.onlinehamel83i.ru"; nocase; classtype:policy-violation; 18014 PHISHING-SPAM reobaj.onlinehamel83i.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"research.onlinehill21q.ru"; nocase; classtype:policy-violation; 18015 PHISHING-SPAM research.onlinehill21q.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"returning.refillreade47j.ru"; nocase; classtype:policy-violation; 18016 PHISHING-SPAM returning.refillreade47j.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"right.refillreade47j.ru"; nocase; classtype:policy-violation; 18017 PHISHING-SPAM right.refillreade47j.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"riwaro.erectjefferey85n.ru"; nocase; classtype:policy-violation; 18018 PHISHING-SPAM riwaro.erectjefferey85n.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"ruuav.erectnoll24k.ru"; nocase; classtype:policy-violation; 18019 PHISHING-SPAM ruuav.erectnoll24k.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"ryhux.medicdrugsxpa.ru"; nocase; classtype:policy-violation; 18020 PHISHING-SPAM ryhux.medicdrugsxpa.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"software-buyshop-7.ru"; nocase; classtype:policy-violation; 18021 PHISHING-SPAM software-buyshop-7.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"specialyou.ru"; nocase; classtype:policy-violation; 18022 PHISHING-SPAM specialyou.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"starring.pharmroyce83b.ru"; nocase; classtype:policy-violation; 18023 PHISHING-SPAM starring.pharmroyce83b.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"store-softwarebuy-7.ru"; nocase; classtype:policy-violation; 18024 PHISHING-SPAM store-softwarebuy-7.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"sya.onlinehamel83i.ru"; nocase; classtype:policy-violation; 18025 PHISHING-SPAM sya.onlinehamel83i.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"tabdarin80s.ru"; nocase; classtype:policy-violation; 18026 PHISHING-SPAM tabdarin80s.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"tabgordan13n.ru"; nocase; classtype:policy-violation; 18027 PHISHING-SPAM tabgordan13n.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"tablangston19a.ru"; nocase; classtype:policy-violation; 18028 PHISHING-SPAM tablangston19a.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"tabwebster77c.ru"; nocase; classtype:policy-violation; 18029 PHISHING-SPAM tabwebster77c.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"tanuen.dimedicdrugsx.ru"; nocase; classtype:policy-violation; 18030 PHISHING-SPAM tanuen.dimedicdrugsx.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"the.onlinehill21q.ru"; nocase; classtype:policy-violation; 18031 PHISHING-SPAM the.onlinehill21q.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"the.onlineruggiero33q.ru"; nocase; classtype:policy-violation; 18032 PHISHING-SPAM the.onlineruggiero33q.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"to.medrayner44c.ru"; nocase; classtype:policy-violation; 18033 PHISHING-SPAM to.medrayner44c.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"trails.pharmroyce83b.ru"; nocase; classtype:policy-violation; 18034 PHISHING-SPAM trails.pharmroyce83b.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"trusting-me.ru"; nocase; classtype:policy-violation; 18035 PHISHING-SPAM trusting-me.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"twodays.ru"; nocase; classtype:policy-violation; 18036 PHISHING-SPAM twodays.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"tyqaja.pilltodd73p.ru"; nocase; classtype:policy-violation; 18037 PHISHING-SPAM tyqaja.pilltodd73p.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"uboi.onlinehamel83i.ru"; nocase; classtype:policy-violation; 18038 PHISHING-SPAM uboi.onlinehamel83i.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"uf.drugslevy46b.ru"; nocase; classtype:policy-violation; 18039 PHISHING-SPAM uf.drugslevy46b.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"uielij.pillking74s.ru"; nocase; classtype:policy-violation; 18040 PHISHING-SPAM uielij.pillking74s.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"unasu.medicdrugsxto.ru"; nocase; classtype:policy-violation; 18041 PHISHING-SPAM unasu.medicdrugsxto.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"upazo.pilltodd73p.ru"; nocase; classtype:policy-violation; 18042 PHISHING-SPAM upazo.pilltodd73p.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"utuqaj.pillking74s.ru"; nocase; classtype:policy-violation; 18043 PHISHING-SPAM utuqaj.pillking74s.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"uuji.refilleldredge89r.ru"; nocase; classtype:policy-violation; 18044 PHISHING-SPAM uuji.refilleldredge89r.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"variation.refilldud86o.ru"; nocase; classtype:policy-violation; 18045 PHISHING-SPAM variation.refilldud86o.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"via.refillreade47j.ru"; nocase; classtype:policy-violation; 18046 PHISHING-SPAM via.refillreade47j.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"voiceless.pharmroyce83b.ru"; nocase; classtype:policy-violation; 18047 PHISHING-SPAM voiceless.pharmroyce83b.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"was.medrayner44c.ru"; nocase; classtype:policy-violation; 18048 PHISHING-SPAM was.medrayner44c.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"world.onlinehill21q.ru"; nocase; classtype:policy-violation; 18050 PHISHING-SPAM world.onlinehill21q.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"www.buhni.ru"; nocase; classtype:policy-violation; 18051 PHISHING-SPAM www.buhni.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"www.visitcover.ru"; nocase; classtype:policy-violation; 18052 PHISHING-SPAM www.visitcover.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"xob.erectnoll24k.ru"; nocase; classtype:policy-violation; 18053 PHISHING-SPAM xob.erectnoll24k.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"ygy.onlinetommie54y.ru"; nocase; classtype:policy-violation; 18054 PHISHING-SPAM ygy.onlinetommie54y.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"yit.medicdrugsxor.ru"; nocase; classtype:policy-violation; 18055 PHISHING-SPAM yit.medicdrugsxor.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"ylum.onlinelewiss22r.ru"; nocase; classtype:policy-violation; 18056 PHISHING-SPAM ylum.onlinelewiss22r.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"ymyuto.onlinelewiss22r.ru"; nocase; classtype:policy-violation; 18057 PHISHING-SPAM ymyuto.onlinelewiss22r.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"yomy.pillking74s.ru"; nocase; classtype:policy-violation; 18058 PHISHING-SPAM yomy.pillking74s.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"yzugez.pillking74s.ru"; nocase; classtype:policy-violation; 18059 PHISHING-SPAM yzugez.pillking74s.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"zeroprices.ru"; nocase; classtype:policy-violation; 18060 PHISHING-SPAM zeroprices.ru known spam email attempt policy-violation tcp $EXTERNAL_NET any -> $HOME_NET 25 flow:to_server, established; content:"zueuz.onlinehamel83i.ru"; nocase; classtype:policy-violation; 18061 PHISHING-SPAM zueuz.onlinehamel83i.ru known spam email attempt trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"POST"; nocase; http_method; content:"/set/first.html"; nocase; http_uri; content:"os=Windows"; nocase; metadata:service http; classtype:trojan-activity; 18098 BLACKLIST URI request for known malicious URI - /set/first.html www.trustdefender.com/blog/2010/10/06/carberp-%E2%80%93-a-new-trojan-in-the-making/ trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"/cfg/"; nocase; http_uri; content:".plug"; fast_pattern; nocase; http_uri; pcre:"/\/cfg\/[A-Z]+\.plug/Ui"; metadata:service http; classtype:trojan-activity; 18099 BLACKLIST URI request for known malicious URI - /cfg/*.plug www.trustdefender.com/blog/2010/10/06/carberp-%E2%80%93-a-new-trojan-in-the-making/ trojan-activity tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS flow:established,to_server; content:"POST"; nocase; http_method; content:"/nfoc.php"; fast_pattern; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; 18100 BOTNET-CNC Tidserv malware command and control channel traffic www.threatexpert.com/report.aspx?uid=cffa846b-93ba-438d-8715-0665b6cd9627 attempted-dos 2006-0647 tcp $EXTERNAL_NET any -> $HOME_NET [389,9833] gid:3; classtype:attempted-dos; metadata: engine shared, soid 3|18101; 18101 EXPLOIT Sun Directory Server LDAP denial of service attempt lists.immunitysec.com/pipermail/dailydave/2006-February/002914.html 25945 attempted-user 2007-4041 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"mailto|3A|"; nocase; content:"|2E|bat"; within:500; nocase; pcre:"/mailto\x3A[^\n]*?(\x2Ebat((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5cx)00)/i"; classtype:attempted-user; 18171 EXPLOIT Multiple product mailto uri handling code execution attempt www.microsoft.com/technet/security/bulletin/ms07-057.mspx 25945 attempted-user 2007-4041 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"mailto|3A|"; nocase; content:"|2E|cmd"; within:500; nocase; pcre:"/mailto\x3A[^\n]*?(\x2Ecmd((?<=[\x25\x22].{4})|(?=(\x2520|\x20|\x26)))|(\x25|\x26\x23x|\x5cx)00)/i"; classtype:attempted-user; 18172 EXPLOIT Multiple product mailto uri handling code execution attempt www.microsoft.com/technet/security/bulletin/ms07-057.mspx 25945 attempted-user 2007-4041 tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any flow:to_client,established; content:"mailto|3A|"; nocase; content:"|2E|com"; within:500; nocase; pcre:"/mailto\x3A[^\n]*?([\x25\x22]\x2Ecom|(\x25|\x26\x23x|\x5cx)00)/i"; classtype:attempted-user; 18173 EXPLOIT Multiple product mailto uri handling code execution attempt www.microsoft.com/technet/security/bulletin/ms07-057.mspx network-scan tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS flow:to_server,established; content:"proxyfire.net/fastenv"; nocase; http_uri; metadata:service http; classtype:network-scan; 18179 SCAN Proxyfire.net anonymous proxy scan www.proxyfire.net/index.php misc-activity tcp $EXTERNAL_NET any -> $HOME_NET 2533 flow:established,to_server; content:"|00 01|C"; depth:3; classtype:misc-activity; 1819 MISC Alcatel PABX 4400 connection attempt 11019 attempted-dos 2009-3676 tcp $EXTERNAL_NET 445 -> $HOME_NET any flow:to_client,established; dsize:4; content:"|00 00 00 01|"; depth:4; classtype:attempted-dos; 18195 SPECIFIC-THREATS SMB Negotiate Protocol response DoS attempt www.microsoft.com/technet/security/bulletin/MS10-020.mspx 2350 web-application-activity 2001-0319 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/ncommerce3/ExecMacro/orderdspc.d2w"; http_uri; metadata:service http; classtype:web-application-activity; 1820 WEB-MISC IBM Net.Commerce orderdspc.d2w access 11020 3241 system-call-detect 2001-1002 tcp $EXTERNAL_NET any -> $HOME_NET 515 flow:to_server,established; content:"psfile=|22|`"; classtype:system-call-detect; 1821 EXPLOIT LPD dvips remote command execution attempt 11023 35494 attempted-admin 2009-1628 tcp $EXTERNAL_NET any -> $HOME_NET [3985,3986] flow:to_server,established; content:"|16 07|"; depth:2; byte_test:2,>,24,2,big; classtype:attempted-admin; 18248 EXPLOIT Unisys Business Information Server stack buffer overflow attempt 5119 web-application-activity 2001-0179 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/WEB-INF"; nocase; http_uri; metadata:service http; classtype:web-application-activity; 1826 WEB-MISC WEB-INF access 11037 5191 web-application-attack 2002-1042 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/search"; http_uri; content:"NS-query-pat="; content:"../../"; metadata:service http; classtype:web-application-attack; 1828 WEB-MISC iPlanet Search directory traversal attempt 11043 5258 web-application-attack 2002-1052 tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS flow:established,to_server; content:"/servlet/con"; http_uri; pcre:"/\x2Fcon\b/Ui"; metadata:service http; classtype:web-application-attack; 1831 WEB-MISC jigsaw dos attempt 11047 5249 web-application-attack 2002-1027